Ethereal-users: [Ethereal-users] Account lock-out

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Craig Wicker" <CWicker@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Mar 2005 15:21:18 -0500
I have a user whose account is getting locked out at random times,
either every hour or every ten minutes. I have attached two packets. Can
someone tell me what/why/where the problem is?
No.     Time        Delta       Source                Destination           Portocol Info
   4603 186.898657  0.000822    10.1.10.94            1corpexch.hooker-hfc.com KRB5     AS-REQ

Frame 4603 (362 bytes on wire, 362 bytes captured)
    Arrival Time: Mar 15, 2005 11:49:16.979072000
    Time delta from previous packet: 0.000822000 seconds
    Time since reference or first frame: 186.898657000 seconds
    Frame Number: 4603
    Packet Length: 362 bytes
    Capture Length: 362 bytes
Ethernet II, Src: 00:11:43:14:63:53, Dst: 00:08:02:7f:d0:50
    Destination: 00:08:02:7f:d0:50 (1corpexch.hooker-hfc.com)
    Source: 00:11:43:14:63:53 (DellWwPc_14:63:53)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.1.10.94 (10.1.10.94), Dst Addr: 1corpexch.hooker-hfc.com (10.1.1.22)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 348
    Identification: 0x2600 (9728)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0xf41b (correct)
    Source: 10.1.10.94 (10.1.10.94)
    Destination: 1corpexch.hooker-hfc.com (10.1.1.22)
User Datagram Protocol, Src Port: 4413 (4413), Dst Port: kerberos (88)
    Source port: 4413 (4413)
    Destination port: kerberos (88)
    Length: 328
    Checksum: 0x5c2d (correct)
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: PA-ENC-TIMESTAMP PA-PAC-REQUEST
        Type: PA-ENC-TIMESTAMP (2)
            Value: 3045A003020117A106020477F57D70A2... rc4-hmac
                Encryption type: rc4-hmac (23)
                Kvno: 2012577136
                enc PA_ENC_TIMESTAMP: BBC8D80DF430873A6DC6D86EA776A782...
        Type: PA-PAC-REQUEST (128)
            Value: 3005A0030101FF
                PAC Request: 1
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 40810010 (Forwardable, Renewable, Canonicalize, Renewable OK)
            .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Client Name (Principal): pcannada
            Name-type: Principal (1)
            Name: pcannada
        Realm: HOOKER-HFC.COM
        Server Name (Service and Instance): krbtgt/HOOKER-HFC.COM
            Name-type: Service and Instance (2)
            Name: krbtgt
            Name: HOOKER-HFC.COM
        till: 2037-09-13 02:48:05 (Z)
        rtime: 2037-09-13 02:48:05 (Z)
        Nonce: 1818549332
        Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
            Encryption type: rc4-hmac (23)
            Encryption type: rc4-hmac-old (-133)
            Encryption type: rc4-md4 (-128)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-crc (1)
            Encryption type: rc4-hmac-exp (24)
            Encryption type: rc4-hmac-old-exp (-135)
        HostAddresses: CORPXPW050110<20>
            HostAddress CORPXPW050110<20>
                Addr-type: NETBIOS (20)
                NetBIOS Name: CORPXPW050110<20> (Server service)

No.     Time        Delta       Source                Destination           Portocol Info
   4604 186.901897  0.003240    1corpexch.hooker-hfc.com 10.1.10.94         KRB5     KRB Error: KRB5KDC_ERR_CLIENT_REVOKED

Frame 4604 (169 bytes on wire, 169 bytes captured)
    Arrival Time: Mar 15, 2005 11:49:16.982312000
    Time delta from previous packet: 0.003240000 seconds
    Time since reference or first frame: 186.901897000 seconds
    Frame Number: 4604
    Packet Length: 169 bytes
    Capture Length: 169 bytes
Ethernet II, Src: 00:08:02:7f:d0:50, Dst: 00:11:43:14:63:53
    Destination: 00:11:43:14:63:53 (DellWwPc_14:63:53)
    Source: 00:08:02:7f:d0:50 (1corpexch.hooker-hfc.com)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 1corpexch.hooker-hfc.com (10.1.1.22), Dst Addr: 10.1.10.94 (10.1.10.94)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 155
    Identification: 0x0126 (294)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x19b7 (correct)
    Source: 1corpexch.hooker-hfc.com (10.1.1.22)
    Destination: 10.1.10.94 (10.1.10.94)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 4413 (4413)
    Source port: kerberos (88)
    Destination port: 4413 (4413)
    Length: 135
    Checksum: 0xbd75 (correct)
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2005-03-15 16:49:17 (Z)
    susec: 369529
    error_code: KRB5KDC_ERR_CLIENT_REVOKED (18)
    Realm: HOOKER-HFC.COM
    Server Name (Service and Instance): krbtgt/HOOKER-HFC.COM
        Name-type: Service and Instance (2)
        Name: krbtgt
        Name: HOOKER-HFC.COM
    e-data

Craig Wicker
Systems Administrator
Hooker Furniture Corporation
Sniffer Certified Professional
CompTIA A+, N+
Microsoft MCP
Cisco CCNA
HP-UX
Kind of makes you want to run through the house with scissors, doesn't
it?!
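
Added example, not part of the original post: a Python parser for a printed dissection like the one above that pairs each AS-REQ with the KRB-ERROR returned on the reverse UDP flow, so the principal, the requesting workstation and the error code line up per request. The function names are hypothetical, the sample is abridged from the two frames in the post, and it assumes the e-mail's line wrapping has been undone.

```python
import re
# Sample input: abridged from the two frames in the post, e-mail wrapping undone.
SAMPLE = """\
Frame 4603 (362 bytes on wire, 362 bytes captured)
Internet Protocol, Src Addr: 10.1.10.94 (10.1.10.94), Dst Addr: 1corpexch.hooker-hfc.com (10.1.1.22)
User Datagram Protocol, Src Port: 4413 (4413), Dst Port: kerberos (88)
Kerberos AS-REQ
        Client Name (Principal): pcannada
                NetBIOS Name: CORPXPW050110<20> (Server service)
Frame 4604 (169 bytes on wire, 169 bytes captured)
Internet Protocol, Src Addr: 1corpexch.hooker-hfc.com (10.1.1.22), Dst Addr: 10.1.10.94 (10.1.10.94)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 4413 (4413)
Kerberos KRB-ERROR
    error_code: KRB5KDC_ERR_CLIENT_REVOKED (18)
"""

PATTERNS = {  # one regex per field of interest in the printed dissection
    "ips": r"Src Addr: [^,]*\(([\d.]+)\), Dst Addr: .*\(([\d.]+)\)",
    "ports": r"Src Port: \S+ \((\d+)\), Dst Port: \S+ \((\d+)\)",
    "msg": r"^Kerberos (\S+)$",
    "client": r"Client Name \(Principal\): (\S+)",
    "host": r"NetBIOS Name: ([^<\s]+)",
    "error": r"error_code: (\S+) \((\d+)\)",
}

def parse_frames(text):
    """Split the dump at each 'Frame N (' line and extract the fields above."""
    frames = []
    for chunk in re.split(r"(?m)^(?=Frame \d+ \()", text):
        found = {k: re.search(p, chunk, re.M) for k, p in PATTERNS.items()}
        rec = {k: m.groups() for k, m in found.items() if m}
        if {"ips", "ports", "msg"} <= rec.keys():
            frames.append(rec)
    return frames

def failed_as_requests(frames):
    """Pair each KRB-ERROR with the AS-REQ sent on the reverse UDP flow."""
    pending, out = {}, []
    for f in frames:
        flow = f["ips"] + f["ports"]            # (src, dst, sport, dport)
        if f["msg"][0] == "AS-REQ":
            pending[flow] = f
        elif f["msg"][0] == "KRB-ERROR" and "error" in f:
            req = pending.pop((flow[1], flow[0], flow[3], flow[2]), None)
            if req:
                out.append({"client": req.get("client", ("?",))[0],
                            "workstation": req.get("host", ("?",))[0],
                            "source_ip": req["ips"][0], "code": int(f["error"][1]),
                            "error": f["error"][0]})
    return out
```

Run over a full capture export, grouping the returned records by `workstation` and `source_ip` shows which machine is sending the requests that the KDC rejects.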