[Samba] Keytab extraction for tshark analyze

Andrew Bartlett abartlet at samba.org
Sat May 12 19:01:04 UTC 2018


On Sat, 2018-05-12 at 16:28 +0200, Lapin Blanc via samba wrote:
> Hi, I'm trying to analyze kerberos traffic using tshark (Samba 4.8.1 on
> CentOS 7).
> I can't figure out how to extract keytab with password/keys.
> I follow precisely the instructions at
> https://wiki.samba.org/index.php/Keytab_Extraction
> But it seems like I only get slot, kvno and principal, can't find a way to
> get passwords or keys.
> Any ideas, anyone?
> 
> ktutil:  rkt decode.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1           Administrator at WONDERLAND.INFRA
>    2    1           Administrator at WONDERLAND.INFRA
>    3    1           Administrator at WONDERLAND.INFRA
>    4    1           Administrator at WONDERLAND.INFRA
>    5    1           Administrator at WONDERLAND.INFRA
>    6    2                   alice at WONDERLAND.INFRA
>    7    2                   alice at WONDERLAND.INFRA
>    8    2                   alice at WONDERLAND.INFRA
>    9    2                   alice at WONDERLAND.INFRA
>   10    2                   alice at WONDERLAND.INFRA
>   11    2             whiterabbit at WONDERLAND.INFRA
>   12    2             whiterabbit at WONDERLAND.INFRA
> ...

The Heimdal version will show the keys.

Adding -e to the MIT version will show the encryption type.

Yes, the unsalted md4 hash of the password will be in there, as will be
the salted keys for the other protocols.  Not plaintext, but enough to
break into the domain/impersonate users.  

I realise this is a test domain, but for everyone else: handle with
care! :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



