Rubeus to Ccache
I wrote a new little tool called RubeusToCcache recently to handle a use case I come across often: converting the Rubeus output of Base64-encoded Kerberos tickets into .ccache files for use with Impacket.
If you’ve done any network penetration testing, red teaming, or Hack The Box/CTFs, you’ve probably come across Rubeus. It’s a fantastic tool for all things Kerebos, especially when it comes to tickets and Pass The Ticket/Overpass The Hash attacks. One of the most commonly used features of Rubeus is the ability to request/dump TGTs and use them in different contexts in Rubeus or with other tools. Normally Rubeus outputs the tickets in Base64-encoded .kirbi format, .kirbi being the type of file commonly used by Mimikatz. The Base64 encoding make it very easy to copy and paste and generally make use of the TGT in different ways.
You can also use acquired tickets with another excellent toolset, Impacket. Many of the Impacket tools can use Kerberos authentication via a TGT, which is incredibly useful in a lot of different contexts, such as pivoting through a compromised host so you can Stay Off the Land. Only one problem: Impacket tools use the .ccache file format to represent Kerberos tickets. Not to worry though, because Zer1t0 wrote ticket_converter.py (included with Impacket), which allows you to convert .kirbi files directly into .ccache files. Problem solved, right?
Rubeus To Ccache
Mostly solved, because there’s still the fact that Rubeus spits out .kirbi files Base64 encoded. Is it hard or time-consuming to do a simple little
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64RubeusTGT)) to get a .kirbi and then use
ticket_converter.py? Not at all, but it’s still an extra step that gets repeated over and over, making it ripe for a little automation. Hence Rubeus to Ccache.
You pass it the Base64-encoded blob Rubeus gives you, along with a file name for a .kirbi file and a .ccache file, and you get a fresh ticket in both formats, ready for Impacket. To use the .ccache file, make sure to set the appropriate environment variable:
export KRB5CCNAME=shiny_new_ticket.ccache. Then you can use most Impacket tools
wmiexec.py email@example.com -k -no-pass, where the
-k flag indicates the use of Kerberos tickets for authentication.
╦═╗┬ ┬┌┐ ┌─┐┬ ┬┌─┐ ┌┬┐┌─┐ ╔═╗┌─┐┌─┐┌─┐┬ ┬┌─┐ ╠╦╝│ │├┴┐├┤ │ │└─┐ │ │ │ ║ │ ├─┤│ ├─┤├┤ ╩╚═└─┘└─┘└─┘└─┘└─┘ ┴ └─┘ ╚═╝└─┘┴ ┴└─┘┴ ┴└─┘ By Solomon Sklash github.com/SolomonSklash Inspired by Zer1t0's ticket_converter.py usage: rubeustoccache.py [-h] base64_input kirbi ccache positional arguments: base64_input The Base64-encoded .kirbi, sucha as from Rubeus. kirbi The name of the output file for the decoded .kirbi file. ccache The name of the output file for the ccache file. optional arguments: -h, --help show this help message and exit
Thanks to Zer1t0 and the Impacket project for doing most of the havy lifting.