ktexport - Export Kerberos Keys from Active Directory

Michael B Allen mba2000 at ioplex.com
Wed May 3 01:27:21 GMT 2006

I have modified pwdump2 [1] to export a "standard" kerberos keytab
file. This utility is called ktexport and you can download it here:


README.ktexport is inlined below but I just want to stress that currently
the key is the only data within each entry that is actually correct. The
vno and so on are default values that are almost certainly wrong. However,
it turns out that Ethereal doesn't care. So the generated sam.keytab
can be used with Ethereal to decrypt Kerberos tickets. Yeah!


[1] http://www.bindview.com/Services/razor/Utilities/Windows/pwdump2_readme.cfm


ktexport.exe - export Kerberos keys from Active Directory
Michael B Allen <mba2000 ioplex.com>
Tue May  2 21:02:02 EDT 2006

This version of pwdump2 has been modified to export Kerberos ARCFOUR 
keys from a Windows domain controller.


There is no need to install the program really. Simply run the ktexport
program on the desired DC (it must be executed in the same directory as
the included samdump.dll). A sam.keytab file in MIT keytab format will
be created in the current directory.


Unfortunately most of the data in the keytab is WRONG. The ARCFOUR keys
are correct and the Ethereal feature to decrypt packets based on keys 
in a keytab only looks at the keys. So it will work with Ethereal.


Note: This program will not execute remotely over Remote Desktop or
similar. As a workaround you can use the included remote.bat with the
'at' service. You must first edit the path in the remote.bat file
appropriately. Then you can create an 'at' job like:

  c:\> time
  The current time is: 17:19:41.10
  Enter the new time:

  c:\> at 17:20 c:\temp\ktexport\remote.bat

Thus you will need to wait for up to a minute for the job to run.
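
To see which fields a keytab such as sam.keytab actually carries, its entries can be listed without printing any key material. The parser below is an added example, not part of the original post or of ktexport; it assumes the MIT keytab file format version 0x0502, and the sample principals and all-zero keys are constructed.

```python
import struct

def _parse_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)  # struct.error if the entry is truncated
    off = 2
    def counted():  # 16-bit big-endian length, then that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", buf, off)
        if off + 2 + n > len(buf):
            raise ValueError("counted field runs past end of entry")
        off += 2 + n
        return buf[off - n:off]
    realm = counted().decode("utf-8", "replace")
    name = "/".join(counted().decode("utf-8", "replace") for _ in range(ncomp))
    _name_type, timestamp, vno, enctype = struct.unpack_from(">IIBH", buf, off)
    off += 11
    key = counted()
    if len(buf) - off >= 4:  # optional 32-bit vno, used when nonzero
        vno = struct.unpack_from(">I", buf, off)[0] or vno
    return {"principal": f"{name}@{realm}", "timestamp": timestamp, "vno": vno,
            "enctype": enctype, "key_len": len(key)}  # key bytes are not returned

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:  # a zero length ends the entry list
            break
        if size < 0:  # a negative length marks a deleted slot; skip it
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("entry runs past end of file")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def sample_keytab():  # constructed input: made-up names, dummy keys; enctype 23 is arcfour-hmac
    s = lambda b: struct.pack(">H", len(b)) + b
    def entry(name, etype, klen):
        body = (struct.pack(">H", 1) + s(b"EXAMPLE.COM") + s(name)
                + struct.pack(">IIBH", 1, 0, 1, etype) + s(bytes(klen)))
        return struct.pack(">i", len(body)) + body
    return b"\x05\x02" + entry(b"alice", 23, 16) + entry(b"bob", 18, 32)

if __name__ == "__main__":
    print(*parse_keytab(sample_keytab()), sep="\n")
```

On a keytab written by ktexport, the README's caveat applies to this listing: the vno and most other fields are defaults, and only the key itself is correct.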

