Kerberos Cache Manager Ticket Formatter
Release of the KCMTicketFormatter Tool to Format TGTs from the Kerberos Cache Manager
Author: Carson Sallis
During a penetration test, Black Lantern Security (BLS) attempted to pivot from a domain-joined Linux system to a Windows environment. By utilizing FireEye's SSSDKCMExtractor tool, BLS Operators were able to extract the payload for a Ticket-Granting Ticket (TGT) from the SSSD Samba database. Unfortunately, in its extracted state, the ticket could not be recognized by a Windows system, because SSSDKCMExtractor does not format the ticket and instead leaves that as an exercise for the reader. Since we always do our homework at BLS, and in spite of our love for tedious hex editing, we decided to automate the process. KCMTicketFormatter (available on GitHub) was created to take the output from SSSDKCMExtractor and parse it into a properly formatted TGT in the form of a Kerberos Credential Cache (CCACHE) file.
Overview of System Security Services Daemon (SSSD) on Linux
The following list briefly describes SSSD and how SSSD integrates with the Kerberos Cache Manager (KCM):
SSSD is used to join a Linux system to an Active Directory domain
SSSD utilizes the Kerberos Cache Manager to store Kerberos tickets from the domain in a local Samba database
The tickets are stored encrypted, with the decryption key kept in the same directory
SSSD works with KCM to store and deploy Kerberos tickets and enable normal function within the domain
Brief Synopsis of SSSDKCMExtractor
FireEye created SSSDKCMExtractor to decrypt the KCM database used by SSSD and to extract Kerberos payloads. The tool uses the following workflow:
With root privileges, an attacker navigates to the /var/lib/sss/secrets directory on a domain-joined Linux system
The attacker exfiltrates the Samba Trivial Database (.tdb) and decryption key (.mkey)
The attacker executes the SSSDKCMExtractor tool while providing both the database and decryption key
JSON output is returned featuring the user, domain, and payload containing the unformatted TGT
Usage of KCMTicketFormatter
The following code snippet describes the normal usage of KCMTicketFormatter:
usage: KCMTicketFormatter.py [-h] -f FILE [-o OUTPUT] [-v]
Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems.
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE <Required> Specify path to the file containing SSSD Raw Kerberos Payload
-o OUTPUT, --output OUTPUT
Specify name of file to output the ccache. Defaults to ticket.ccache
-v, --verbose Show debugging messages
The following steps describe how to format a ticket using KCMTicketFormatter:
Ensure you have a working Python 3 environment
Copy the payload from SSSDKCMExtractor and store it in a text file, which will be provided as input
Execute the tool, providing the payload file as input
After running the tool, you can validate that you have a properly formatted CCACHE file using the klist tool. Export the path of the CCACHE file as KRB5CCNAME, and then run klist -A. The following screenshot demonstrates normal usage of the tool.