The name of the keyring in use can be parsed from the Kerberos configuration file /etc/krb5.conf which has read permission enable for anybody (octal 644) by default. An attacker can then leverage this information to search for ticket 11 containing keyrings and extract the tickets. A proof of concept script that implements this functionality can be seen in Section A.2 (hercules.sh). In a keyring the ccache is stored as components. As seen in Figure 2, a file ccache is made up of 3 distinct components: header, default principal, and a sequence of credentials. A keyring holds the default principal and credentials. This script will dump these components to separate files. Then using an attacker synthesised header these pieces are combined in the correct order to rebuild a file ccache. This rebuilt file can then be exfiltrated to an attacker machine and then used to impersonate a Kerberos user. A simple program for generating a valid ccache header can be seen in Section A.3.