Ethereal-users: Re: [Ethereal-users] decrypt Kerberos data

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Xiaoguang Liu <syslxg@xxxxxxxxx>
Date: Wed, 17 Aug 2005 13:57:45 +0800
hi Ronnie,

You are right. The user des@xxxxxxxxxx has "DES encryption types"
enabled. Meanwhile I have another user u5@xxxxxxxxxx in this test,
which is using an rc4 password.

I want to test both DES and RC4, so I created 2 users for this test. In
the trace 816.cap, packets 1-18 are for des@xxxxxxxxxx; packets 19-32 are
for u5@xxxxxxxxxx.


To create the keytab for u5@xxxxxxxxxx, I dumped the NT hash with dumpwd3e.exe,
then created the keytab file with ktutil on FC4:
"ktutil:addent -key -p u5@xxxxxxxxxx -k 3 -e arcfour-hmac-md5"
This keytab should be all right since "kinit -k -t 816.key
u5@xxxxxxxxxx" succeeds.


On 8/17/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> rc4-hmac is the most common enctype in a cifs environment    but des
> will also sometimes be used.
> 
> there is an account flag in ad where one can specify DES-only
> passwords and encryption.
> 
> 
> it is possible that is what you have for that user.
> 
> 
> see packets 1/2 in that trace.
> 
> client tries to use rc4  to pass the pa data over to the kdc,   kdc
> comes back with an error   refusing to let that client use rc4
> client then in 3/4 tries again   this time using des.
> 
> 
> ==> that user has a DES-only account.   and the example trace is a des
> trace and not an rc4 trace.
> 
> for testing
> can you reset that user account to allow rc4 encryption and try again
> to see if the decryption works
> 
> i might have time later this week to look into if/why  des does not
> work for the decryption.
> 
> 
> 
> On 8/17/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> > hi ronnie,
> > thank you for your reply.
> > since rc4-hmac is default for Windows, my XP logon test should be a
> > pure rc4-hmac example. the capture file is 816.cap in my attachments
> > in my last email.
> >
> > btw, does this list accept attachments in email? Did you see my attached files?
> >
> >
> > On 8/17/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > > I have never tested it with DES,   only with arcfour (which is not salted)
> > >
> > > I suspect the problem might be that the salting is not done properly
> > > in ethereal.
> > >
> > >
> > > As a test:
> > > Can you try changing your client/kdc to only use rc4-hmac   and see if
> > > that works?
> > >
> > >
> > >
> > > On 8/17/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> > > > Hi all,
> > > >
> > > > When I learned that ethereal 0.10.12 can decrypt kerberos data, I was so
> > > > excited. But after testing and researching for 20+ hours, I failed to get
> > > > this feature working. Now I am wondering what on earth I did wrong.
> > > >
> > > > Below is my last test. After creating the keytab and capturing kerberos
> > > > traffic, I still can not see the decrypted kerberos info. Everything
> > > > looks the same as when I did not specify a keytab file. (I did enable the
> > > > "try to decrypt kerberos blob" option)
> > > > I also attach the keytab and cap trace file. Please help me check what
> > > > the problem could be.
> > > >
> > > > It will also be highly appreciated if anyone can send me a sample
> > > > keytab and cap file, so that I can have a look at this cool feature.
> > > >
> > > > OS: Fedora core 4
> > > > Ethereal: ethereal-0.10.12.SVN.15374-1.fc4.i386.rpm from
> > > > http://www.ethereal.com/distribution/buildbot-builds/rpm/
> > > >
> > > > KDC: windows 2003 (IP 10.5.3.1)
> > > > realm: DENYDC.COM
> > > > princ:
> > > > 1. u5@xxxxxxxxxx
> > > > dumped the NT hash with dumpwd3e.exe, then created the keytab file with ktutil on FC4:
> > > > ktutil:addent -key -p u5@xxxxxxxxxx -k 3 -e arcfour-hmac-md5
> > > > 2. des@xxxxxxxxxx
> > > > created the keytab file with ktpass.exe on windows 2003
> > > >
> > > > file attached:
> > > > 816.key, contains keys for u5 and des
> > > > 816.cap, des and u5 login for a Windows XP
> > > > 816fc4.cap, des and u5 login from FC4 by "kinit -k -t 816.key u5@xxxxxxxxxx"
> > > >
> > > >
> > > > _______________________________________________
> > > > Ethereal-users mailing list
> > > > Ethereal-users@xxxxxxxxxxxx
> > > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> 
>
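The thread turns on two points: the arcfour-hmac key is simply the NT hash (MD4 over the UTF-16LE password), so a keytab entry can be built from a dumped hash with no salt, while the DES enctypes derive their key with a salt (by default the realm followed by the principal components), which is where ronnie suspects Ethereal goes wrong. The following Python script is an added illustration, not code from the thread, Ethereal, or MIT ktutil: it implements MD4 inline (hashlib often lacks it on modern OpenSSL builds), derives the rc4-hmac key for a constructed sample password, computes the default salt string a DES string-to-key would use, and writes a single-entry MIT keytab (format 0x0502, enctype 23, kvno 3 as in the `-k 3` command above) and parses it back. The realm DENYDC.COM and principal u5 come from the thread; the password "password" and the keytab layout helper names are assumptions.

```python
import struct

MASK32 = 0xFFFFFFFF
ENCTYPE_ARCFOUR_HMAC_MD5 = 23   # IANA Kerberos enctype number for rc4-hmac
KRB5_NT_PRINCIPAL = 1           # name type stored in the keytab entry


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because hashlib may refuse 'md4'."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                # each step updates one register; rotating the tuple reproduces the ABCD/DABC/CDAB/BCDA pattern
                a, b, c, d = d, _rotl((a + fn(b, c, d) + X[j] + k) & MASK32, shifts[i % 4]), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password). It is also the rc4-hmac Kerberos key: no salt involved."""
    return md4(password.encode("utf-16-le"))


def default_salt(principal: str, realm: str) -> str:
    """RFC 4120 default salt used by the salted enctypes (DES, AES): realm + name components, no separators."""
    return realm + "".join(principal.split("/"))


def build_keytab(principal: str, realm: str, enctype: int, key: bytes, kvno: int, timestamp: int = 0) -> bytes:
    """Serialise one entry in MIT keytab format version 0x0502 (all fields big-endian)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_str(blob: bytes, pos: int):
    (n,) = struct.unpack(">H", blob[pos:pos + 2])
    return blob[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(blob: bytes):
    """Parse a version-2 keytab into a list of dicts; deleted slots (negative size) are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        realm, pos = _read_str(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_str(blob, pos)
            comps.append(comp)
        _name_type, _ts, kvno = struct.unpack(">IIB", blob[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4])
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        if end - pos >= 4:  # prefer the 32-bit kvno when present
            (kvno,) = struct.unpack(">I", blob[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": kvno, "key": key})
    return entries


if __name__ == "__main__":
    key = nt_hash("password")  # constructed sample password, not from the thread
    kt = build_keytab("u5", "DENYDC.COM", ENCTYPE_ARCFOUR_HMAC_MD5, key, kvno=3)
    for e in parse_keytab(kt):
        print(e["principal"], "enctype", e["enctype"], "kvno", e["kvno"], "key", e["key"].hex())
    print("DES default salt would be:", default_salt("u5", "DENYDC.COM"))
```

When checking a keytab such as 816.key against a capture, the entry's enctype and kvno must match what the KDC actually issued in the AS-REP/TGS-REP, which is why ronnie's observation that the des user was forced to DES (enctype 3) matters: an rc4-hmac entry for that principal would never be selected for decryption.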