
🛠️ Cached Kerberos tickets

Theory

Kerberos tickets can be cached on systems to allow for faster authentication without requiring users to re-enter credentials. Understanding how these tickets are stored is crucial for both defensive and offensive operations.

Storage Methods

On Linux and other UNIX-like systems, tickets can be stored in 3 different ways:

| Storage | Description |
|---|---|
| FILE | Stores tickets in files, typically under /tmp directory, in the format krb5cc_%{uid} |
| KEYRING | Stores tickets in a dedicated kernel keyring space, only accessible to the ticket owner |
| KCM | Stores tickets in an LDAP-like database, typically at /var/lib/sss/secrets/secrets.ldb (default when using SSSD) |

The storage method is configured via the default_ccache_name parameter in /etc/krb5.conf, which is readable by all users.

This configuration can be overridden by files in /etc/krb5.conf.d/. When using SSSD, the value is typically set in /etc/krb5.conf.d/kcm_default_ccache.
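For a host audit, the sketch below (an added example, not part of the original page) lists every default_ccache_name definition found in /etc/krb5.conf and /etc/krb5.conf.d/, then flags FILE caches whose permissions let anyone but the owner access them. The function names are hypothetical. It reports all definitions instead of deciding which one takes effect, and it assumes a value without a TYPE: prefix is a FILE path.

```python
import glob
import os
import re
import stat

# "default_ccache_name = TYPE:residual" on a non-commented line.
_CCACHE_RE = re.compile(r"^[ \t]*default_ccache_name[ \t]*=[ \t]*(\S+)", re.M)


def ccache_settings(main_conf="/etc/krb5.conf", conf_dir="/etc/krb5.conf.d"):
    """Return (file, type, residual) for every default_ccache_name found."""
    found = []
    # Simplification: every file in conf_dir is read, whatever its name.
    for path in [main_conf] + sorted(glob.glob(os.path.join(conf_dir, "*"))):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue  # missing, unreadable, or a directory
        for value in _CCACHE_RE.findall(text):
            ctype, sep, residual = value.partition(":")
            if not sep:  # assumption: an untyped name is a FILE path
                ctype, residual = "FILE", value
            found.append((path, ctype.upper(), residual))
    return found


def lax_ccache_files(directory="/tmp"):
    """Return (path, mode) for krb5cc_* files group or others can access."""
    lax = []
    for path in sorted(glob.glob(os.path.join(directory, "krb5cc_*"))):
        try:
            st = os.lstat(path)
        except OSError:
            continue  # cache removed between listing and stat
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
            lax.append((path, oct(st.st_mode & 0o777)))
    return lax


if __name__ == "__main__":
    for path, ctype, residual in ccache_settings():
        note = "  <- tickets are files on disk" if ctype == "FILE" else ""
        print(f"{path}: {ctype}:{residual}{note}")
    for path, mode in lax_ccache_files():
        print(f"lax permissions {mode}: {path}")
```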

Practice

From UNIX-like systems

With the FILE storage method, tickets are stored as files in the configured directory (default: /tmp). These files can be directly used for Pass-the-Ticket attacks.