Hi, I'm trying to analyze Kerberos traffic using tshark (Samba 4.8.1 on CentOS 7).
I can't figure out how to extract a keytab with passwords/keys.
I followed precisely the instructions at https://wiki.samba.org/index.php/Keytab_Extraction
But it seems like I only get slot, KVNO and principal; I can't find a way to get passwords or keys.
Any idea, someone?

ktutil: rkt decode.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 Administrator@WONDERLAND.INFRA
   2    1 Administrator@WONDERLAND.INFRA
   3    1 Administrator@WONDERLAND.INFRA
   4    1 Administrator@WONDERLAND.INFRA
   5    1 Administrator@WONDERLAND.INFRA
   6    2 alice@WONDERLAND.INFRA
   7    2 alice@WONDERLAND.INFRA
   8    2 alice@WONDERLAND.INFRA
   9    2 alice@WONDERLAND.INFRA
  10    2 alice@WONDERLAND.INFRA
  11    2 whiterabbit@WONDERLAND.INFRA
  12    2 whiterabbit@WONDERLAND.INFRA
...
On Sat, 12 May 2018 16:28:52 +0200
Lapin Blanc via samba <samba at lists.samba.org> wrote:

> Hi, I'm trying to analyze Kerberos traffic using tshark (Samba 4.8.1
> on CentOS 7).

Why?

> I can't figure out how to extract a keytab with passwords/keys.
> I followed precisely the instructions at
> https://wiki.samba.org/index.php/Keytab_Extraction
> But it seems like I only get slot, KVNO and principal; I can't find a
> way to get passwords or keys.

Oh good, it sounds like it is working as expected ;-)

If you want to see the tokens in a keytab, you can use klist.

Rowland
On Sat, 12 May 2018 19:45:10 +0200
Lapin Blanc <fabien.toune at lapin-blanc.com> wrote:

> I'm studying Samba-related protocols for a work I have to present at
> the university, and for me to really understand how it works, I try to
> put it in practice. So I was reading
> http://www.kerberos.org/software/tutorial.html and tried to track
> packets... I was hoping this command, run on my KDC
>
> tshark -r kerberos.pcap -Y frame.number==10 -O kerberos -K decode.keytab
>
> (n° 10 is AS-REP NT in this case)
>
> would let me see the actual content of the TGT, and so on with further
> exchanges and other encrypted parts.

The whole idea behind Kerberos is that it is supposed to be secure, so
whilst you may be able to see the traffic on the network, you will not be
able to see any passwords etc. I suggest you do a bit more internet
browsing ;-)

> I'm also trying to understand why Samba needs the presence of
> /etc/krb5.keytab on the server for GSSAPI to work (putty and ssh), even
> if it doesn't contain any user's principal.

It is only required if you are using shared keys, but you can use ssh in a
way that doesn't use shared keys. Even if you go down the shared keys path,
you only need /etc/krb5.keytab on the client, not the server.

I think you really need to read more on how Kerberos works; for instance,
the password is never sent across the wire.

Rowland
On Sat, 2018-05-12 at 16:28 +0200, Lapin Blanc via samba wrote:
> Hi, I'm trying to analyze Kerberos traffic using tshark (Samba 4.8.1 on
> CentOS 7).
> I can't figure out how to extract a keytab with passwords/keys.
> I followed precisely the instructions at
> https://wiki.samba.org/index.php/Keytab_Extraction
> But it seems like I only get slot, KVNO and principal; I can't find a
> way to get passwords or keys.
> Any idea, someone?
>
> ktutil: rkt decode.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 Administrator@WONDERLAND.INFRA
>    2    1 Administrator@WONDERLAND.INFRA
>    3    1 Administrator@WONDERLAND.INFRA
>    4    1 Administrator@WONDERLAND.INFRA
>    5    1 Administrator@WONDERLAND.INFRA
>    6    2 alice@WONDERLAND.INFRA
>    7    2 alice@WONDERLAND.INFRA
>    8    2 alice@WONDERLAND.INFRA
>    9    2 alice@WONDERLAND.INFRA
>   10    2 alice@WONDERLAND.INFRA
>   11    2 whiterabbit@WONDERLAND.INFRA
>   12    2 whiterabbit@WONDERLAND.INFRA
> ...

The Heimdal version will show the keys. Adding -e to the MIT version will
show the encryption type.

Yes, the unsalted MD4 hash of the password will be in there, as will be the
salted keys for the other protocols. Not plaintext, but enough to break
into the domain/impersonate users.

I realise this is a test domain, but for everyone else: handle with care! :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
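Editor's added example, not code from the thread or from Samba: the original poster asked where the keys are, and Andrew's answer is that they are in the keytab file itself, just not shown by a plain `ktutil list`. The script below parses the MIT keytab file format (version 0x0502, which `samba-tool domain exportkeytab` writes and `ktutil rkt` reads), prints rows like MIT `klist -kte` or Heimdal `ktutil list --keys` would, and then demonstrates Andrew's point about the arcfour-hmac (enctype 23) entry: its key is the unsalted MD4 of the UTF-16LE password, i.e. the NT hash, so possession of the keytab is possession of a password-equivalent. The keytab bytes, the realm slots and the password "password" are constructed here for illustration; the AES-256 key is a placeholder, since deriving a real one would need the salt and PBKDF2 string-to-key, which this example does not cover. MD4 is implemented in pure Python because hashlib's md4 is often unavailable under OpenSSL 3.

```python
"""Added example (not from the samba thread): parse an MIT-format keytab and show
that the arcfour-hmac (enctype 23) key stored for a user is the unsalted MD4 of the
UTF-16LE password, i.e. the NT hash.  Sample keytab and password are constructed."""
import struct
from collections import namedtuple

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)   # RFC 1320 round-2 word order
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)   # RFC 1320 round-3 word order

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, t = (b & c) | (b & d) | (c & d), _R2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, t = b ^ c ^ d, _R3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a = (a + f + X[k] + t) & 0xFFFFFFFF
            a, b, c, d = d, ((a << s) | (a >> (32 - s))) & 0xFFFFFFFF, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757: the arcfour-hmac key is MD4(UTF-16LE(password)); no salt, no iteration."""
    return md4(password.encode("utf-16-le"))

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key timestamp")

def _cos(blob, pos):
    """counted_octet_string: big-endian uint16 length, then the data."""
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    """Serialise entries in keytab file format 0x0502 (read by both MIT and Heimdal)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">HH", len(comps), len(realm)) + realm.encode())
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)  # NT-PRINCIPAL, time, 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(blob: bytes):
    """Walk the slots of a 0x0502 keytab and return every live entry, key bytes included."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot; zero ends the data
            if size == 0:
                break
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _cos(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cos(blob, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        enctype, klen = struct.unpack_from(">HH", blob, pos + 9)
        key = bytes(blob[pos + 13:pos + 13 + klen])
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:                 # MIT rule: a trailing non-zero 32-bit vno overrides vno8
            kvno = struct.unpack_from(">I", blob, pos)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, ts))
        pos = end
    return entries

def list_keys(blob: bytes):
    """Rows like MIT `klist -kte` / Heimdal `ktutil list --keys`: kvno, principal, enctype, key hex."""
    return [(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.key.hex())
            for e in parse_keytab(blob)]

def principals_with_password(blob: bytes, password: str):
    """Offline check: principals whose arcfour-hmac key equals the NT hash of `password`."""
    nt = rc4_hmac_key(password)
    return sorted({e.principal for e in parse_keytab(blob) if e.enctype == 23 and e.key == nt})

# Constructed sample keytab (realm from the thread, three slots); the AES-256 key is a placeholder.
SAMPLE_PASSWORD = "password"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("Administrator@WONDERLAND.INFRA", 1, 23, rc4_hmac_key(SAMPLE_PASSWORD), 1526134132),
    KeytabEntry("Administrator@WONDERLAND.INFRA", 1, 18, bytes(range(32)), 1526134132),
    KeytabEntry("alice@WONDERLAND.INFRA", 2, 23, rc4_hmac_key("something else"), 1526134132),
])

if __name__ == "__main__":
    for row in list_keys(SAMPLE_KEYTAB):
        print("%4d %-32s %-24s %s" % row)
    print("NT hash of %r matches:" % SAMPLE_PASSWORD, principals_with_password(SAMPLE_KEYTAB, SAMPLE_PASSWORD))
```

Running the script prints the three slots with their enctype and raw key, and reports that the arcfour-hmac key of Administrator equals the NT hash of "password". That is why a keytab exported from the domain has to be treated like the passwords themselves, and why `samba-tool domain exportkeytab` output should never leave the box it was written on unencrypted. The same parser, pointed at a real `decode.keytab`, gives tshark's `-K` option exactly the material it needs and shows the keys `ktutil list` alone does not print.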
Thread: Keytab extraction for tshark analyze