Ethereal-users: Re: [Ethereal-users] decrypt Kerberos data
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Xiaoguang Liu <syslxg@xxxxxxxxx>
Date: Wed, 17 Aug 2005 13:57:45 +0800
hi Ronnie,

You are right. The user des@xxxxxxxxxx has "DES encryption types" enabled. Meanwhile I have another user u5@xxxxxxxxxx in this test, which is using an rc4 password. I want to test both DES and RC4, so I created 2 users for this test. In the trace 816.cap, packets 1-18 are for des@xxxxxxxxxx; packets 19-32 are for u5@xxxxxxxxxx.

To create the keytab for u5@xxxxxxxxxx, I dump the NT hash by dumpwd3e.exe, then create the keytab file by ktutil on FC4:

"ktutil:addent -key -p u5@xxxxxxxxxx -k 3 -e arcfour-hmac-md5"

This keytab should be all right since "kinit -k -t 816.key u5@xxxxxxxxxx" succeeds.

On 8/17/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> rc4-hmac is the most common enctype in a cifs environment but des
> will also sometimes be used.
>
> there is an account flag in ad where one can specify DES-only
> passwords and encryption.
>
> it is possible that is what you have for that user.
>
> see packets 1/2 in that trace.
>
> client tries to use rc4 to pass the pa data over to the kdc, kdc
> comes back with an error refusing that client to use rc4
> client then in 3/4 tries again this time using des.
>
> ==> that user has a DES-only account. and the example trace is a des
> trace and not an rc4 trace.
>
> for testing
> can you reset that user account to allow rc4 encryption and try again
> if the decryption works
>
> i might have time later this week to look into if/why des does not
> work for the decryption.
>
> On 8/17/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> > hi ronnie,
> > thank you for reply.
> > since rc4-hmac is default for Windows, my XP logon test should be a
> > pure rc4-hmac example. the capture file is 816.cap in my attachments
> > in my last email.
> >
> > btw, does this list accept attachment in email? Did you see my attached files?
> >
> > On 8/17/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > > I have never tested it with DES, only with arcfour (which is not salted)
> > >
> > > I suspect the problem might be that the salting is not done properly
> > > in ethereal.
> > >
> > > As a test:
> > > Can you try changing your client/kdc to only use rc4-hmac and see if
> > > that works?
> > >
> > > On 8/17/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> > > > Hi all,
> > > >
> > > > When I know ethereal 0.10.12 can decrypt kerberos data, I was so
> > > > excited. But after testing and research 20+ hours, I failed to work
> > > > this feature out. Now I am wondering what on earth did I do wrong.
> > > >
> > > > Below is my last test, after creating keytab and capture kerberos
> > > > traffic, I still can not see the decrypted kerberos info. Everything
> > > > looks the same as if I did not specify a keytab file. ( I did enable the
> > > > "try to decrypt kerberos blob" option)
> > > > I also attach the keytab and cap trace file. Please help me check what
> > > > would be the problem.
> > > >
> > > > It will also be highly appreciated if anyone can send me a sample of
> > > > keytab and cap file, so that I can have a look at this cool feature.
> > > >
> > > > OS: Fedora core 4
> > > > Ethereal: ethereal-0.10.12.SVN.15374-1.fc4.i386.rpm from
> > > > http://www.ethereal.com/distribution/buildbot-builds/rpm/
> > > >
> > > > KDC: windows 2003 (IP 10.5.3.1)
> > > > realm: DENYDC.COM
> > > > princ:
> > > > 1. u5@xxxxxxxxxx
> > > > dump NT hash by dumpwd3e.exe, then create keytab file by ktutil on FC4
> > > > ktutil:addent -key -p u5@xxxxxxxxxx -k 3 -e arcfour-hmac-md5
> > > > 2. des@xxxxxxxxxx (
> > > > create keytab file ktpass.exe on windows 2003
> > > >
> > > > file attached:
> > > > 816.key, contains keys for u5 and des
> > > > 816.cap, des and u5 login for a Windows XP
> > > > 816fc4.cap, des and u5 login from FC4 by "kinit -k -t 816.key u5@xxxxxxxxxx"
> > > >
> > > > _______________________________________________
> > > > Ethereal-users mailing list
> > > > Ethereal-users@xxxxxxxxxxxx
> > > > http://www.ethereal.com/mailman/listinfo/ethereal-users
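
The thread turns on which enctype each keytab entry carries (arcfour-hmac-md5 for u5 with kvno 3, DES for the des user) versus the etype actually used in the capture. As an added example, not part of the original messages or of Ethereal's code, this Python code lists principal, kvno and enctype for every entry in an MIT-format (version 0x0502) keytab so they can be compared with the etype fields in the trace. The realm EXAMPLE.TEST, the DES entry's kvno and enctype des-cbc-md5, and the all-zero keys are constructed placeholders.

```python
import struct

# Enctype numbers from the Kerberos registry (subset relevant to this thread).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(realm, name, kvno, etype, key):
    """Encode one keytab entry (used only to make the constructed sample)."""
    body = struct.pack(">H", 1) + _counted(realm) + _counted(name)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", etype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype name, key length) for each entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot (hole)
            pos += -size
            continue
        end, p = pos + size, pos
        def take():                    # read one 16-bit length-prefixed string
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            s = data[p + 2:p + 2 + n]
            p += 2 + n
            return s
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, p)
        (etype,) = struct.unpack_from(">H", data, p + 9)
        p += 11
        key = take()
        if end - p >= 4:               # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        princ = b"/".join(comps).decode() + "@" + realm.decode()
        out.append((princ, kvno, ETYPES.get(etype, "etype %d" % etype), len(key)))
        pos = end
    return out

# Constructed sample: placeholder realm and all-zero keys, not the poster's 816.key.
SAMPLE = (b"\x05\x02" + build_entry(b"EXAMPLE.TEST", b"u5", 3, 23, bytes(16))
          + build_entry(b"EXAMPLE.TEST", b"des", 1, 3, bytes(8)))

if __name__ == "__main__":
    for row in parse_keytab(SAMPLE):
        print("%-20s kvno=%d %-18s keylen=%d" % row)
```
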