Learn Credential Cache (CCACHE) Ticket reuse attack

 josh
(@josh)

The Credential Cache (CCACHE) Ticket Reuse Attack, also known as Pass-the-Cache, is a Kerberos-based technique that allows attackers to reuse stolen authentication tickets to impersonate users—without needing their passwords.


🧠 What Is a Credential Cache (CCACHE)?

In Kerberos authentication, a credential cache (ccache) is a file or in-memory store that holds a user's Kerberos tickets together with their session keys, above all the Ticket-Granting Ticket (TGT), so the user does not have to re-authenticate every time they access a service. Whoever can read the cache holds everything needed to use those tickets.

  • On Linux, the MIT default is a file named /tmp/krb5cc_<uid> (hence /tmp/krb5cc_* in practice), owned by the user with mode 0600. Many distributions instead keep the cache in the kernel keyring (KEYRING:) or in an sssd-managed daemon (KCM:), where it is not a plain file.
  • On Windows, tickets live in LSASS memory and are reached through the LSA APIs (which is what tools like Mimikatz drive); there is no file to copy.

🎯 How the Attack Works

  1. Steal the CCACHE File:

    • An attacker with root, or with the victim's uid, on a host where the victim has logged in (a shared jump host, a build server) copies the victim's credential cache file.
  2. Extract the TGT or Service Tickets:

    • The cache holds the tickets along with their session keys. They stay valid until their end time (commonly 10 hours for a TGT, renewable for longer) and need no password to use.
  3. Replay the Ticket:

    • On Linux, pointing KRB5CCNAME at the copied file is enough; Impacket tools then use it with -k -no-pass. To move the ticket into Windows tooling, convert it to .kirbi (Impacket's ticketConverter.py) and inject it with Mimikatz or Kekeo.
  4. Access Services as the Victim:

    • The attacker now authenticates as the user to file shares, mail servers, LDAP or even domain controllers, for as long as the ticket (or its renewals) lasts.

This is similar to Pass-the-Ticket, but specifically targets UNIX-like systems or environments where credential caches are stored as files.
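What a stolen cache actually contains, as an added example that is not part of the original post: the script below builds a constructed MIT-format ccache in memory (the session key and ticket bytes are placeholders, the principal alice@EXAMPLE.COM is made up), then parses it back the way a thief would to see which TGT it holds and how long it stays replayable. The parser follows the MIT ccache layout for versions 3 and 4 (big-endian fields, counted octet strings, one credential record per ticket).

```python
import struct
import time

# Encoder helpers, used only to construct the sample cache in memory.
def _counted(b):
    return struct.pack(">I", len(b)) + b

def _principal(name_type, realm, components):
    out = struct.pack(">II", name_type, len(components)) + _counted(realm.encode())
    return out + b"".join(_counted(c.encode()) for c in components)

def build_sample_ccache(now):
    """Constructed MIT ccache (version 0x0504) holding one TGT for alice@EXAMPLE.COM.
    The session key and ticket bytes are placeholders, not real Kerberos ASN.1."""
    header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)        # tag 1: DeltaTime
    data = b"\x05\x04" + struct.pack(">H", len(header)) + header
    data += _principal(1, "EXAMPLE.COM", ["alice"])                     # default principal
    cred = _principal(1, "EXAMPLE.COM", ["alice"])                      # client
    cred += _principal(2, "EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"])     # server: the TGS itself
    cred += struct.pack(">H", 18) + _counted(b"\x00" * 32)              # keyblock, enctype 18 (aes256)
    cred += struct.pack(">IIII", now, now, now + 10 * 3600, now + 7 * 86400)  # authtime..renew_till
    cred += b"\x00"                                                     # is_skey
    cred += struct.pack(">I", 0x40E00000)   # forwardable | renewable | initial | pre-authent
    cred += struct.pack(">I", 0)            # no addresses
    cred += struct.pack(">I", 0)            # no authdata
    cred += _counted(b"\x61\x10" + b"TICKET-PLACEHOLDER")               # ticket blob (opaque here)
    cred += _counted(b"")                                               # second_ticket
    return data + cred

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def counted(self): return self.take(self.u32())
    def principal(self):
        self.u32()                                   # name type, not needed for display
        ncomp = self.u32()
        realm = self.counted().decode()
        return "/".join(self.counted().decode() for _ in range(ncomp)) + "@" + realm

def parse_ccache(data):
    """Parse an MIT-format credential cache (versions 3 and 4) into principal + credentials."""
    r = _Reader(data)
    if r.u8() != 5:
        raise ValueError("not an MIT ccache")
    version = r.u8()
    if version not in (3, 4):
        raise ValueError("unsupported ccache version %d" % version)
    if version == 4:
        r.take(r.u16())                              # header tags (DeltaTime etc.), skipped
    default_principal = r.principal()
    creds = []
    while r.pos < len(data):
        client, server = r.principal(), r.principal()
        enctype = r.u16()
        if version == 3:
            r.u16()                                  # v3 repeats the enctype
        r.counted()                                  # session key (the secret the thief also gets)
        authtime, starttime, endtime, renew_till = [r.u32() for _ in range(4)]
        r.u8()                                       # is_skey
        flags = r.u32()
        for _ in range(r.u32()):                     # addresses
            r.u16(); r.counted()
        for _ in range(r.u32()):                     # authdata
            r.u16(); r.counted()
        ticket = r.counted()
        r.counted()                                  # second_ticket
        creds.append({"client": client, "server": server, "enctype": enctype,
                      "starttime": starttime, "endtime": endtime, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return {"version": version, "principal": default_principal, "credentials": creds}

def usable_tgts(parsed, now):
    """Credentials worth replaying: TGTs (server krbtgt/REALM) whose end time is still ahead of now."""
    return [c for c in parsed["credentials"]
            if c["server"].startswith("krbtgt/") and c["endtime"] > now]

if __name__ == "__main__":
    now = int(time.time())
    cache = parse_ccache(build_sample_ccache(now))
    print("default principal:", cache["principal"])
    for c in cache["credentials"]:
        print("  %s -> %s  enctype=%d  expires=%s" % (
            c["client"], c["server"], c["enctype"],
            time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(c["endtime"]))))
    print("replayable TGTs right now:", len(usable_tgts(cache, now)))
```

Point the parser at a real cache (open("/tmp/krb5cc_1000", "rb").read()) and it reports the same things klist does; the difference is that an attacker does not need to parse anything at all: copying the file and running KRB5CCNAME=/path/to/copy before an Impacket tool with -k -no-pass is the whole attack, and the endtime field is the only limit on it.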


🛡️ How to Defend Against It

  • Limit ticket lifetime: A shorter ticket life and renewable life (max_life and max_renewable_life in MIT kdc.conf, the "Maximum lifetime for user ticket" policies in Active Directory) shrink the window in which a stolen cache stays usable; a 10-hour TGT that renews for a week is a week of access.
  • Keep the cache out of reach: The file is already mode 0600, so theft needs root or the victim's uid. Storing tickets in the kernel keyring (KEYRING:) or KCM removes the file entirely; disk encryption only protects against offline theft of the disk, not a live root user on the running host.
  • Monitor for abnormal ticket usage: Correlate service ticket requests (Windows event 4769) and logons by source address. The same account presenting tickets from a host it has never used, or from two hosts at once, is the signal.
  • Implement endpoint protection: Detect Mimikatz-class tooling on Windows and, on Linux, audit read access to the /tmp/krb5cc_* files by anything other than the owning user (auditd file watches).
  • Use Kerberos armoring and FAST: FAST (RFC 6113) encrypts and integrity-protects the pre-authentication exchange, which defeats offline password attacks on captured AS traffic; it does not stop an already-issued ticket from being replayed, so treat it as complementary rather than a fix for this attack.
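The "abnormal ticket usage" check from the list above, as an added example that is not part of the original post: a small detector over constructed service ticket request records (the fields mirror Windows event 4769's TargetUserName, ServiceName and IpAddress; the accounts, hosts and baseline are invented). It flags an account whose tickets are presented from an address outside its baseline, and an account whose tickets turn up from two different addresses inside a short window, which is what a copied ccache looks like from the KDC's side.

```python
from collections import defaultdict

# Constructed sample records; "t" is the event time as epoch seconds.
SAMPLE_EVENTS = [
    {"t": 1000, "user": "alice@EXAMPLE.COM", "service": "cifs/files01", "ip": "10.0.1.25"},
    {"t": 1060, "user": "alice@EXAMPLE.COM", "service": "ldap/dc01",    "ip": "10.0.1.25"},
    {"t": 1200, "user": "alice@EXAMPLE.COM", "service": "cifs/files01", "ip": "10.0.9.77"},  # same TGT, new host
    {"t": 1500, "user": "bob@EXAMPLE.COM",   "service": "cifs/files01", "ip": "10.0.1.30"},
    {"t": 5000, "user": "bob@EXAMPLE.COM",   "service": "host/dc01",    "ip": "10.0.1.30"},
]

# Hypothetical baseline: the addresses each account normally authenticates from.
KNOWN_HOSTS = {
    "alice@EXAMPLE.COM": {"10.0.1.25"},
    "bob@EXAMPLE.COM": {"10.0.1.30"},
}

def detect_ticket_reuse(events, known_hosts, window=900):
    """Return (user, kind, detail, time) alerts.
    kind "unknown-source": ticket presented from an address outside the account's baseline.
    kind "multi-host": the same account's tickets seen from two addresses within `window` seconds."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        baseline = known_hosts.get(user, set())
        for i, e in enumerate(evs):
            if e["ip"] not in baseline:
                alerts.append((user, "unknown-source", e["ip"], e["t"]))
            for prev in evs[:i]:
                if prev["ip"] != e["ip"] and e["t"] - prev["t"] <= window:
                    alerts.append((user, "multi-host", "%s->%s" % (prev["ip"], e["ip"]), e["t"]))
                    break
    return alerts

if __name__ == "__main__":
    for a in detect_ticket_reuse(SAMPLE_EVENTS, KNOWN_HOSTS):
        print("ALERT user=%s kind=%s detail=%s t=%d" % a)
```

The baseline is what makes this usable: without it, every roaming user trips the multi-host rule. Note that the KDC only sees ticket use, not the theft itself; catching the copy of /tmp/krb5cc_* is an endpoint audit job, not a log correlation job.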
