> For the complete documentation index, see [llms.txt](https://chinnidiwakar.gitbook.io/githubimport/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://chinnidiwakar.gitbook.io/githubimport/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md).

# Harvesting tickets from Linux

On Linux, **tickets are stored in credential caches or ccaches**. There are 3 main types, which indicate where **tickets can be found:**

* **Files**, by default under **/tmp** directory, in the form of **krb5cc\_%{uid}.**
* **Kernel Keyrings**, an special space in the Linux kernel provided for storing keys.
* **Process memory,** used when only one process needs to use the tickets.

To verify what type of storage is used in a specific machine, the variable ***default\_ccache\_name*** **\*\*must be checked in the** /etc/krb5.conf\*\* file, which by default has read permission to any user. In case of this parameter being missing, its default value is *FILE:/tmp/krb5cc\\*%{uid}\_.

In order to extract **tickets from the other 2 sources** (keyrings and processes), a great paper, [**Kerberos Credential Thievery (GNU/Linux)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), released in 2017, explains ways of recovering the tickets from them.

## Keyring - From the paper

> The **Linux kernel** has a feature called **keyrings**. This is an **area of memory residing** within the kernel that is used to **manage and retain keys**.
>
> The **keyctl system call** was introduced in kernel version 2.6.10 5 . This provides **user space applications an API** which can be used to interact with kernel keyrings.
>
> The **name of the keyring** in use can be parsed from the **Kerberos configuration file /etc/krb5.conf** which has read permission enable for anybody (octal 644) by default. An attacker can then leverage this information to **search for ticket** 11 containing keyrings and extract the tickets. A proof of concept script that implements this functionality can be seen in Section A.2 **(hercules.sh)**. In a keyring the ccache is stored as components. As seen in Figure 2, a file ccache is made up of 3 distinct components: header, default principal, and a sequence of credentials. A **keyring holds the default principal and credentials**. This script will dump these components to separate files. Then using an **attacker synthesised header** these pieces are combined in the correct order to **rebuild a file ccache**. This rebuilt file can then be exfiltrated to an attacker machine and then used to impersonate a Kerberos user. A simple program for generating a valid ccache header can be seen in Section A.3.

Based on the **heracles.sh script** (from the paper) a C tool you can use (created by the author of the complete post) is [**tickey**](https://github.com/TarlogicSecurity/tickey)**, and it extracts tickets from keyrings:**

```
/tmp/tickey -i
```

**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)\*\*\*\*
