Linux Active Directory
A Linux machine can also be joined to an Active Directory environment.

A Linux machine in an AD may store CCACHE tickets in files. These tickets can be used and abused like any other Kerberos ticket. To read them you need to be the user who owns the ticket, or root on the machine.
If you have access to an AD from Linux (or from bash on Windows) you can try https://github.com/lefayjey/linWinPwn to enumerate the AD.

You can also check the following page to learn other ways to enumerate AD from Linux:
389, 636, 3268, 3269 - Pentesting LDAP

FreeIPA is an open-source alternative to Microsoft Windows Active Directory, mainly for Unix environments. It combines a complete LDAP directory with an MIT Kerberos Key Distribution Center for management akin to Active Directory. Using the Dogtag Certificate System for CA and RA certificate management, it supports multi-factor authentication, including smartcards. SSSD is integrated for Unix authentication. Learn more about it in:

FreeIPA Pentesting

In this page you will find the different places where Kerberos tickets can be found on a Linux host. In the following page you can learn how to convert this CCache ticket format to Kirbi (the format you need to use on Windows) and how to perform a PTT attack:

Pass the Ticket

CCACHE files are a binary format for storing Kerberos credentials. They are typically stored with 600 permissions in /tmp and can be identified by their name format, krb5cc_%{uid}, where uid is the user's UID. For authentication, the environment variable KRB5CCNAME should point to the path of the desired ticket file, which enables its reuse.

List the ticket currently used for authentication with env | grep KRB5CCNAME. The format is portable, and a ticket can be reused by setting the environment variable with export KRB5CCNAME=/tmp/ticket.ccache.
Kerberos tickets held in a process's memory can be extracted, particularly when the machine's ptrace protection is disabled (/proc/sys/kernel/yama/ptrace_scope). A useful tool for this purpose is https://github.com/TarlogicSecurity/tickey, which injects into sessions and dumps the tickets into /tmp.

To configure and use this tool, follow the steps below:

This procedure attempts to inject into the various sessions; success is indicated by extracted tickets stored in /tmp with the naming convention __krb_UID.ccache.
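An added example (not from the original page, and not part of tickey) from the defender's side of the two facts above: a small audit that flags krb5cc_* files whose owner or mode deviate from the expected 600 / owner-matches-UID baseline, and a check of whether Yama ptrace_scope is restrictive. The sample directory it scans is constructed in a temp folder; the names `audit_ccache_files`, `ptrace_scope_restricted` and `build_sample_dir` are this example's own.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Default MIT Kerberos credential cache name: krb5cc_<uid>, optionally with a suffix.
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_.*)?$")

def audit_ccache_files(directory):
    """Flag krb5cc_* files whose owner or mode deviates from the expected
    600 / owner-uid-matches-name-uid baseline. Returns (filename, reason) pairs."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        match = CCACHE_NAME.match(entry.name)
        if match is None or not entry.is_file():
            continue
        st = entry.stat()
        expected_uid = int(match.group(1))
        if st.st_uid != expected_uid:
            findings.append((entry.name, f"owned by uid {st.st_uid}, name says {expected_uid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((entry.name, f"mode {mode:04o} grants group/other access"))
    return findings

def ptrace_scope_restricted(path="/proc/sys/kernel/yama/ptrace_scope"):
    """True when Yama ptrace_scope is 1 or higher (ptrace of non-descendants blocked)."""
    try:
        return int(Path(path).read_text().strip()) >= 1
    except (OSError, ValueError):
        return False  # Yama absent or unreadable: cannot confirm any protection

def build_sample_dir():
    """Constructed sample, not real tickets: three empty files under a temp dir."""
    d = Path(tempfile.mkdtemp())
    uid = os.getuid()
    (d / f"krb5cc_{uid}").touch()          # correct name, but world-readable mode
    os.chmod(d / f"krb5cc_{uid}", 0o644)
    (d / f"krb5cc_{uid}_abc").touch()      # correct name and mode: no finding
    os.chmod(d / f"krb5cc_{uid}_abc", 0o600)
    (d / f"krb5cc_{uid + 1}").touch()      # mode fine, but name UID != owner UID
    os.chmod(d / f"krb5cc_{uid + 1}", 0o600)
    return d

if __name__ == "__main__":
    for name, reason in audit_ccache_files(build_sample_dir()):
        print(f"{name}: {reason}")
    print("ptrace_scope restrictive:", ptrace_scope_restricted())
```

Run it against /tmp instead of the sample directory to check a real host; a mismatched owner or a permissive mode is worth a look, as is ptrace_scope at 0.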
SSSD maintains a copy of the database at /var/lib/sss/secrets/secrets.ldb. The corresponding key is stored as a hidden file at /var/lib/sss/secrets/.secrets.mkey. By default, the key is only readable with root permissions.

Invoking SSSDKCMExtractor with the --database and --key parameters parses the database and decrypts the secrets.

The credential cache Kerberos blob can be converted into a usable Kerberos CCache file that can be passed to Mimikatz/Rubeus.
Service account keys, needed by services that run with root privileges, are stored in /etc/krb5.keytab files. These keys are the equivalent of passwords for services and must be kept strictly confidential.

To inspect a keytab file's contents, klist can be used. It displays key details, including the NT hash for user authentication when the key type is identified as 23 (RC4-HMAC).

For Linux users, KeyTabExtract extracts the RC4 HMAC hash, which can be reused as an NTLM hash.

On macOS, bifrost serves as a tool for keytab file analysis.

Using the extracted account and hash information, connections to servers can be established with tools like crackmapexec.