samba - May 2018 - Keytab extraction for tshark analyze

Hi, i'm trying to analyze kerberos traffic using tshark (Samba 4.8.1 on
Centos 7).
I can't figure out how to extract keytab with password/keys.
I follow precisely the instructions at
https://wiki.samba.org/index.php/Keytab_Extraction
But it seems like I only get slot, kvno and principal, can't find a way to
get passwords or keys.
Any idea someone ?

ktutil:  rkt decode.keytab
ktutil:  l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
   1    1           Administrator at WONDERLAND.INFRA
   2    1           Administrator at WONDERLAND.INFRA
   3    1           Administrator at WONDERLAND.INFRA
   4    1           Administrator at WONDERLAND.INFRA
   5    1           Administrator at WONDERLAND.INFRA
   6    2                   alice at WONDERLAND.INFRA
   7    2                   alice at WONDERLAND.INFRA
   8    2                   alice at WONDERLAND.INFRA
   9    2                   alice at WONDERLAND.INFRA
  10    2                   alice at WONDERLAND.INFRA
  11    2             whiterabbit at WONDERLAND.INFRA
  12    2             whiterabbit at WONDERLAND.INFRA
...

On Sat, 12 May 2018 16:28:52 +0200
Lapin Blanc via samba <samba at lists.samba.org> wrote:
> Hi, i'm trying to analyze kerberos traffic using tshark (Samba 4.8.1
> on Centos 7).
Why ?
> I can't figure out how to extract keytab with password/keys.
> I follow precisely the instructions at
> https://wiki.samba.org/index.php/Keytab_Extraction
> But it seems like I only get slot, kvno and principal, can't find a
> way to get passwords or keys.
Oh good it sounds like it is working as expected ;-)

If you want to see the tokens in a keytab, you can use klist.

Rowland

On Sat, 12 May 2018 19:45:10 +0200
Lapin Blanc <fabien.toune at lapin-blanc.com> wrote:
> I'm studying samba related protocols for a work I have to present at
> the university,
> and for me to really understand how it works, I try to put in in
> practice. So I was reading
> http://www.kerberos.org/software/tutorial.html and tried to track
> packets... I was hoping this command, run on my kdc
> 
> tshark -r kerberos.pcap -Y frame.number==10 -O kerberos  -K
> decode.keytab (n° 10 is AS-REP NT in this case)
> 
> would let me see the actual content of the TGT, and so on with further
> exchanges
> and other encrypted parts.
The whole idea behind kerberos is that it is supposed to be secure, so
whilst you may be able to see the traffic on the network, you will not
be able to see any passwords etc. I suggest you do a bit more internet
browsing ;-)
> 
> I'm also trying to understand why Samba needs the presence of
> /etc/krb5.keytab
> on the server for GSSAPI to work (putty and ssh), even if it doesn't
> contain
> any user's principal.
It is only required if you are using shared keys, but you can use ssh in
a way that doesn't use shared keys. Even if you go down the shared keys
path, you only need /etc/krb5.keytab on the client, not the server.

I think you really need to read more on how kerberos works, for
instance, the password is never sent across the wire.

Rowland

On Sat, 2018-05-12 at 16:28 +0200, Lapin Blanc via samba
wrote:
> Hi, i'm trying to analyze kerberos traffic using tshark (Samba 4.8.1 on
> Centos 7).
> I can't figure out how to extract keytab with password/keys.
> I follow precisely the instructions at
> https://wiki.samba.org/index.php/Keytab_Extraction
> But it seems like I only get slot, kvno and principal, can't find a way
to
> get passwords or keys.
> Any idea someone ?
> 
> ktutil:  rkt decode.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
>    1    1           Administrator at WONDERLAND.INFRA
>    2    1           Administrator at WONDERLAND.INFRA
>    3    1           Administrator at WONDERLAND.INFRA
>    4    1           Administrator at WONDERLAND.INFRA
>    5    1           Administrator at WONDERLAND.INFRA
>    6    2                   alice at WONDERLAND.INFRA
>    7    2                   alice at WONDERLAND.INFRA
>    8    2                   alice at WONDERLAND.INFRA
>    9    2                   alice at WONDERLAND.INFRA
>   10    2                   alice at WONDERLAND.INFRA
>   11    2             whiterabbit at WONDERLAND.INFRA
>   12    2             whiterabbit at WONDERLAND.INFRA
> ...
The Heimdal version will show the keys.

Adding -e to the MIT version will show the encryption type.

Yes, the unsalted md4 hash of the password will be in there, as will be
the salted keys for the other protocols.  Not plaintext, but enough to
break into the domain/impersonate users.  

I realise this is a test domain, but for everyone else: handle with
care! :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba