Linux Active Directory
A Linux machine can also be joined to an Active Directory environment.
A Linux machine in an AD may store different CCACHE tickets in files. These tickets can be used and abused like any other Kerberos ticket. To read them you need to be the user who owns the ticket, or root on the machine.
is a tool to attack AD on UNIX. It allows you to dump credentials and cached Kerberos tickets.
When tickets are stored as files on disk, the standard format is a CCACHE file, a simple binary format for storing Kerberos credentials. These files are typically kept in /tmp with 600 permissions. List the ticket currently used for authentication with env | grep KRB5CCNAME. The format is portable, and a ticket can be reused by pointing the environment variable at it: export KRB5CCNAME=/tmp/ticket.ccache. The default ticket file name is krb5cc_%{uid}, where uid is the user's UID.
SSSD maintains a copy of the database at /var/lib/sss/secrets/secrets.ldb. The corresponding key is stored as a hidden file at /var/lib/sss/secrets/.secrets.mkey. By default, the key is only readable with root permissions.
The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password and must be kept secure. You can also use the .keytab file to request a TGT directly.
You may use this ticket using techniques
Processes may store Kerberos tickets in their memory; the tool can be useful for extracting those tickets.
Invoking with the --database and --key parameters will parse the database and decrypt the secrets.
On Linux you can use to extract key values from .keytab files.
Use to read the keytab file and parse its content. The key you see when the encryption type (etype) is 23 is the actual NT hash of the user.
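As an added example (not from this page or from any of the tools it mentions), the following reader parses the binary keytab format used by /etc/krb5.keytab and reports each entry's principal, kvno and encryption type without returning key material, so an administrator can find entries still keyed with etype 23 (RC4, whose key is the NT hash) and re-key them to AES. The realm, principal, timestamp and key bytes in build_sample_keytab are constructed for the example.

```python
import struct
# Kerberos etype numbers: 23 (rc4-hmac) stores the account's raw NT hash; DES is broken.
WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def _octets(buf, off):  # keytab counted_octet_string: uint16 big-endian length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab into audit records; key bytes are skipped, never returned."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(data, off)
            comps.append(c.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                  # skip the keyblock itself
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides vno8 when nonzero
            vno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "etype": etype, "key_len": klen, "weak": etype in WEAK_ETYPES})
        off = end
    return entries

def weak_principals(entries):
    """Principals still carrying an RC4/DES key; these should be re-keyed to AES only."""
    return sorted({e["principal"] for e in entries if e["weak"]})

def build_sample_keytab():
    """Constructed sample (not a real keytab): host/srv01.example.com with AES256 and RC4 keys."""
    def entry(etype, key):
        body = struct.pack(">HH", 2, 11) + b"EXAMPLE.COM"
        for c in (b"host", b"srv01.example.com"):
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIBHH", 1, 1700000000, 3, etype, len(key)) + key + struct.pack(">I", 3)
        return struct.pack(">i", len(body)) + body
    return b"\x05\x02" + entry(18, b"\x11" * 32) + entry(23, b"\x22" * 16)
```

Run it against a real keytab with parse_keytab(open("/etc/krb5.keytab", "rb").read()); any principal returned by weak_principals should have RC4/DES disabled on the account and its keytab regenerated.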