Cached Kerberos tickets
Theory
Kerberos tickets can be cached on systems to allow for faster authentication without requiring users to re-enter credentials.
From a red-team perspective, even though Linux and Windows use different cache formats to store Kerberos tickets (Kerberos on Linux uses ccache files, while Windows uses the kirbi format), the actual Kerberos ticket data (the encrypted TGT/ST blobs) is compatible between the two, which enables cross-platform pivoting.
Storage Methods
On Linux and other UNIX-like systems, tickets can be stored in different ways:
| Storage | Description |
|---|---|
| FILE | Stores each ticket cache in a file, typically under the /tmp directory, named krb5cc_%{uid} |
| DIR | Stores tickets in a directory-based cache, typically under /tmp, containing a primary file that references the active ccache entry |
| KEYRING | Stores tickets in a dedicated kernel keyring, accessible only to the ticket owner |
| KCM | Stores tickets in an LDAP-like database, typically at /var/lib/sss/secrets/secrets.ldb (the default when using sssd-kcm) |
The storage method is configured via the default_ccache_name parameter in /etc/krb5.conf, which is readable by all users.
This configuration can be overridden by drop-in files in /etc/krb5.conf.d/. When using SSSD, the value is typically set in /etc/krb5.conf.d/kcm_default_ccache.
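As an added example (not part of the original page, nor code from any of the tools it mentions), here is a Python audit script for the configuration and storage details above: it collects the default_ccache_name relations from krb5.conf-style text, reports the cache type each one selects, and checks FILE caches in a directory for the two conditions that expose a ticket to someone other than its owner, group/other permission bits and a file whose owner does not match the uid in its name. The configuration text and the throwaway cache files are constructed for the demo; definitions are reported in the order the sources are passed rather than resolved, because which one wins depends on where includedir sits in your krb5.conf.

```python
import os
import re
import stat
import tempfile

# Constructed sample of an /etc/krb5.conf (not taken from the page).
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
"""

# Constructed sample of an /etc/krb5.conf.d/kcm_default_ccache drop-in.
SAMPLE_KCM_DROPIN = """\
[libdefaults]
    default_ccache_name = KCM:
"""

_RELATION = re.compile(r"^\s*default_ccache_name\s*=\s*(\S+)", re.MULTILINE)
_CCACHE_FILE = re.compile(r"^krb5cc_(\d+)")


def find_ccache_definitions(sources):
    """Return every default_ccache_name relation as (source_name, value), in the
    order the sources are given. Pass them in the order libkrb5 reads them so the
    list shows which definition the library encounters first."""
    found = []
    for name, text in sources:
        for match in _RELATION.finditer(text):
            found.append((name, match.group(1)))
    return found


def ccache_type(value):
    """Extract the cache type from 'TYPE:residual'; a bare path means FILE."""
    return value.split(":", 1)[0] if ":" in value else "FILE"


def audit_ccache_dir(directory):
    """Flag FILE caches that a user other than the owner could read, or that sit
    under the wrong owner. Returns a list of (file_name, reason)."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        match = _CCACHE_FILE.match(entry)
        if not match:
            continue
        st = os.lstat(os.path.join(directory, entry))
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and sockets are not FILE caches
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((entry, "mode %o allows group/other access" % stat.S_IMODE(st.st_mode)))
        named_uid = int(match.group(1))
        if st.st_uid != named_uid:
            findings.append((entry, "owned by uid %d but named for uid %d" % (st.st_uid, named_uid)))
    return findings


def build_sample_cache_dir():
    """Create a throwaway directory of constructed ccache files for the demo:
    one correct cache, one with loose permissions, one under the wrong owner."""
    directory = tempfile.mkdtemp(prefix="ccache-audit-")
    me = os.getuid()
    samples = [
        ("krb5cc_%d" % me, 0o600),        # correct: owner-only, owned by that uid
        ("krb5cc_%d_loose" % me, 0o644),  # readable by every local user
        ("krb5cc_%d" % (me + 1), 0o600),  # named for another uid, but owned by us
    ]
    for name, mode in samples:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"\x05\x04")  # ccache format version 4 header bytes, as a placeholder body
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    sources = [("sample kcm_default_ccache", SAMPLE_KCM_DROPIN), ("sample krb5.conf", SAMPLE_KRB5_CONF)]
    for source, value in find_ccache_definitions(sources):
        print("%s: default_ccache_name = %s (type %s)" % (source, value, ccache_type(value)))
    for name, reason in audit_ccache_dir(build_sample_cache_dir()):
        print("FINDING %s: %s" % (name, reason))
```

On a real host, feed find_ccache_definitions the contents of /etc/krb5.conf.d/* followed by /etc/krb5.conf, and call audit_ccache_dir("/tmp"); a finding on a krb5cc_ file means the ticket inside it is reusable by whoever can read the file, which is the precondition for the cache theft the rest of this page describes.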
Practice
From UNIX-like systems
With the FILE cache type, tickets are stored as files in the configured directory (default: /tmp). These files can be used directly for Pass-the-Ticket attacks.
KrbNixPwn can automatically extract all tickets, supporting FILE, DIR, KCM, and KEYRING caches in a single workflow.
```bash
./KrbNixPwn.sh dump
```
or
```bash
./KrbNixPwn.sh monitor
```
From Windows
Two practical approaches exist to extract Kerberos tickets on Windows systems:
- Extracting tickets directly from an LSASS memory dump, and
- Querying tickets through LSA APIs, which does not require reading raw LSASS memory.
Both require elevated permissions.
Dumping from LSASS Memory
This method relies on parsing LSASS memory, where Kerberos tickets are kept in internal LSASS structures. It is especially useful when an LSASS dump (.dmp, .bin, etc.) has already been obtained.
Example with mimikatz:
```
# Load a previously obtained lsass.dmp file
sekurlsa::minidump lsass.dmp
# Extract Kerberos tickets from the dump
sekurlsa::tickets
```
Dumping from LSA APIs
This method uses documented LSA APIs to enumerate, extract, or renew tickets through the Kerberos authentication package. It still requires elevated rights but:
- Works even on systems where LSASS is PPL-protected
- Is more OPSEC-friendly (no suspicious LSASS read handle)
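The OPSEC difference between the two approaches comes down to the handle: reading LSASS memory requires a process handle to lsass.exe with the PROCESS_VM_READ right, which Sysmon records as Event ID 10 (ProcessAccess), while the LSA API route never opens such a handle. As an added example (not from the original page or from any of the tools it names), here is the corresponding detection logic in Python, run over constructed Sysmon-style records; the access-right constants are the standard Win32 values, and the sample records, paths and process names are made up for the demo.

```python
import re

# Win32 process access-right bits (standard constants, not from the page).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
_ACCESS_NAMES = [
    (PROCESS_VM_READ, "PROCESS_VM_READ"),
    (PROCESS_QUERY_INFORMATION, "PROCESS_QUERY_INFORMATION"),
    (PROCESS_QUERY_LIMITED_INFORMATION, "PROCESS_QUERY_LIMITED_INFORMATION"),
]

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to key=value text.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\jdoe\\Downloads\\mimikatz.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Temp\\procdump64.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\Taskmgr.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1010",
]


def parse_event(line):
    """Turn a flattened 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def describe_access(mask):
    """Name the access-right bits in a GrantedAccess mask that matter for this check."""
    return [name for bit, name in _ACCESS_NAMES if mask & bit]


def opens_lsass_for_read(event):
    """True when the record is a handle to lsass.exe carrying PROCESS_VM_READ,
    the right needed to copy ticket structures out of LSASS memory."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    return bool(int(event.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ)


def suspicious_lsass_access(lines):
    """Return (SourceImage, named rights) for every record that opened LSASS for reading."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if opens_lsass_for_read(event):
            hits.append((event["SourceImage"], describe_access(int(event["GrantedAccess"], 16))))
    return hits


if __name__ == "__main__":
    for image, rights in suspicious_lsass_access(SAMPLE_EVENTS):
        print("%s opened lsass.exe with %s" % (image, "|".join(rights)))
```

In production this rule needs an allowlist of processes that legitimately read LSASS (AV/EDR agents, crash handlers), and it should be treated as covering only the memory-dump path: a tool that retrieves tickets through the LSA APIs, as described above, produces no ProcessAccess event against lsass.exe, so that technique has to be caught with other telemetry.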
Example with Rubeus:
```powershell
# List logon sessions and their tickets in detail
Rubeus.exe klist
# Extract detailed logon session and ticket data
Rubeus.exe dump
# Monitor logon events every 30 seconds and dump newly issued tickets
Rubeus.exe monitor /interval:30
```