Pass-the-Cache to Domain Compromise

In this case, the cached tickets we discovered were user accounts associated with domain administrator privileges.More reading on credential caches can be found here if you’re interested: a result of a successful phish and foothold onto a host within an internal corporate environment, a review of our compromised user’s AD groups revealed they had access to a number of jump-boxes allowing them to access resources within a specific environment..These jump-boxes were Linux-based and attached to the Windows domain allowing users to use their domain credentials to authenticate.Upon accessing this jump box using the user’s domain credentials (obtained using, a list of kerberos caches (*.ccache) were found within the /tmp directory of the Linux file system..These files are automatically created when a user authenticates to the jump-box and are only valid for a certain period of time, keep this in mind.Reviewing the user account permissions (net user <username> /dom) of each user with an associated cached ticket revealed that a small number of users were apart of the domain administrators group. This is where we started to get excited :)After googling around and trying to find out if these caches could be used, I stumbled upon Benjamin’s tweet..After a review of the tweet, the relevant caches were copied from the jump-box and mimikatz ( was used to inject one of the kerberos tickets into the current session and assume the target users’ identity.The following command was executed..As shown, the ptc option and the path to the kerberos cache are specified.kerberos::ptc “C:Userasimpsonjjones_adm.ccache”Following this, a new session was created!.With a new session running under the context of a domain administrator, we took control of the domain and continued on with the simulation.Another thing to note as well, is that these ccache files can be taken offline and cracked..Even better is the fact that they can be cracked even if they are expired..The following script from JTR provides the ability to extract a crackable hash from the ccache file: you enjoyed!. More details

Leave a Reply