👉 Overview
👀 What ?
Ticket harvesting from Linux is a method of capturing Kerberos tickets from a Linux system, which can be used for later authentication or gaining unauthorized access to a network. Kerberos is a network authentication protocol that uses tickets to allow nodes to prove their identity over a non-secure network, without transmitting passwords. The underlying principle is the use of shared secrets and asymmetric encryption.
🧐 Why ?
Understanding ticket harvesting from Linux is crucial for both security professionals and system administrators. For the former, it helps them identify potential vulnerabilities in a network's security and find ways to mitigate them. For the latter, it helps in setting up and maintaining secure Linux systems. This topic is important because exploiting Kerberos tickets is a common attack vector in cyber security.
⛏️ How ?
Ticket harvesting in Linux can be performed using tools such as Mimikatz, which can extract Kerberos tickets from memory. Another common method is Pass-the-Ticket, where an attacker captures a Kerberos ticket and then uses it to authenticate as that user on other systems. To protect against this, system administrators can enforce strong password policies, monitor for suspicious network activity, and regularly patch and update their systems.
⏳ When ?
The practice of ticket harvesting has been around for as long as the Kerberos protocol itself, which was developed in the 1980s. However, with the advent of sophisticated toolsets and the increasing reliance on networked systems, it has become a more prevalent issue in recent years.
⚙️ Technical Explanations
Kerberos works by issuing tickets for authenticated users. When a user logs in, the authentication server verifies their credentials and sends back a Ticket-Granting-Ticket (TGT). This TGT can then be used to request service tickets for other resources on the network. These tickets are stored in memory and can be extracted by an attacker with the right tools and access. The key to Kerberos' security is that the tickets are encrypted with the user's password, so an attacker would need to crack this password to use the ticket. However, if the password is weak, this might not be a significant obstacle.