Web lists-archives.com

Re: [Samba] Keytab extraction for tshark analyze




On Sat, 2018-05-12 at 16:28 +0200, Lapin Blanc via samba wrote:
> Hi, i'm trying to analyze kerberos traffic using tshark (Samba 4.8.1 on
> Centos 7).
> I can't figure out how to extract keytab with password/keys.
> I follow precisely the instructions at
> https://wiki.samba.org/index.php/Keytab_Extraction
> But it seems like I only get slot, kvno and principal, can't find a way to
> get passwords or keys.
> Any idea someone ?
> 
> ktutil:  rkt decode.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
>    1    1           Administrator@WONDERLAND.INFRA
>    2    1           Administrator@WONDERLAND.INFRA
>    3    1           Administrator@WONDERLAND.INFRA
>    4    1           Administrator@WONDERLAND.INFRA
>    5    1           Administrator@WONDERLAND.INFRA
>    6    2                   alice@WONDERLAND.INFRA
>    7    2                   alice@WONDERLAND.INFRA
>    8    2                   alice@WONDERLAND.INFRA
>    9    2                   alice@WONDERLAND.INFRA
>   10    2                   alice@WONDERLAND.INFRA
>   11    2             whiterabbit@WONDERLAND.INFRA
>   12    2             whiterabbit@WONDERLAND.INFRA
> ...

The Heimdal version will show the keys.

Adding -e to the MIT version will show the encryption type.

Yes, the unsalted md4 hash of the password will be in there, as will be
the salted keys for the other protocols.  Not plaintext, but enough to
break into the domain/impersonate users.  

I realise this is a test domain, but for everyone else: handle with
care! :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba