Skip to content
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Credential Storage in Linux โ€‹

Linux systems store credentials in three types of caches, namely Files (in /tmp directory), Kernel Keyrings (a special segment in the Linux kernel), and Process Memory (for single-process use). The default_ccache_name variable in /etc/krb5.conf reveals the storage type in use, defaulting to FILE:/tmp/krb5cc_%{uid} if not specified.

Extracting Credentials โ€‹

The 2017 paper, Kerberos Credential Thievery (GNU/Linux), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys.

Keyring Extraction Overview โ€‹

The keyctl system call, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The hercules.sh script from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft.

Ticket Extraction Tool: Tickey โ€‹

Building on the principles of the hercules.sh script, the tickey tool is specifically designed for extracting tickets from keyrings, executed via /tmp/tickey -i.

References โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: