Ethereal-users: [Ethereal-users] Re: decrypt Kerberos data
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Wed, 17 Aug 2005 04:03:31 -0400
Hm, it decrypts both des and rc4 just fine on my machine. See attached output for some of the packets.

You have enabled kerberos decryption in the preferences, right? And specified the proper path to the keytab file?

On 8/16/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> Hi all,
>
> When I learned that ethereal 0.10.12 can decrypt kerberos data, I was so
> excited. But after 20+ hours of testing and research, I failed to get
> this feature to work. Now I am wondering what on earth I did wrong.
>
> Below is my last test. After creating the keytab and capturing kerberos
> traffic, I still cannot see the decrypted kerberos info. Everything
> looks the same as if I had not specified a keytab file. (I did enable the
> "try to decrypt kerberos blob" option.)
> I also attach the keytab and cap trace file. Please help me check what
> the problem might be.
>
> It will also be highly appreciated if anyone can send me a sample
> keytab and cap file, so that I can have a look at this cool feature.
>
> OS: Fedora Core 4
> Ethereal: ethereal-0.10.12.SVN.15374-1.fc4.i386.rpm from
> http://www.ethereal.com/distribution/buildbot-builds/rpm/
>
> KDC: Windows 2003 (IP 10.5.3.1)
> realm: DENYDC.COM
> princ:
> 1. u5@xxxxxxxxxx
>    dumped the NT hash with dumpwd3e.exe, then created the keytab file with ktutil on FC4:
>    ktutil: addent -key -p u5@xxxxxxxxxx -k 3 -e arcfour-hmac-md5
> 2. des@xxxxxxxxxx
>    created the keytab file with ktpass.exe on Windows 2003
>
> Files attached:
> 816.key, contains keys for u5 and des
> 816.cap, des and u5 login from a Windows XP
> 816fc4.cap, des and u5 login from FC4 by "kinit -k -t 816.key u5@xxxxxxxxxx"
No. Time Source Destination Protocol Info
4 0.027977 10.5.3.1 10.1.12.2 KRB5 AS-REP
Frame 4 (1298 bytes on wire, 1298 bytes captured)
Ethernet II, Src: 00:03:ff:a6:ab:0c (00:03:ff:a6:ab:0c), Dst: 00:03:ff:a7:ab:0c (00:03:ff:a7:ab:0c)
Internet Protocol, Src: 10.5.3.1 (10.5.3.1), Dst: 10.1.12.2 (10.1.12.2)
User Datagram Protocol, Src Port: 88 (88), Dst Port: 1060 (1060)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 44454E5944432E434F4D646573
Client Realm: DENYDC.COM
Client Name (Principal): des
Name-type: Principal (1)
Name: des
Ticket
Tkt-vno: 5
Realm: DENYDC.COM
Server Name (Service and Instance): krbtgt/DENYDC.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: DENYDC.COM
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 76873A46DEDC5B7DE4CD702AEF30AE79CBD8AA172B9D167E...
enc-part des-cbc-md5
Encryption type: des-cbc-md5 (3)
Kvno: 3
enc-part: EDBCC0D67F3A645254F086E6E2BFE2B7BBAC72B346AD05AB...
[Decrypted using: keytab principal des@xxxxxxxxxx]
EncKDCRepPart
key des-cbc-md5
Key type: des-cbc-md5 (3)
Key value: 67C837A73862FD5B
LastReqs:
LastReq
Lr-type: No information available (0)
Lr-time: 2005-08-16 09:40:29 (Z)
Nonce: 197451134
Key Expiration: 2037-09-14 02:48:05 (Z)
Padding: 0
Ticket Flags (Forwardable, Renewable, Initial, Pre-Auth)
.1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... ...0 .... .... .... .... .... .... = Invalid: This ticket is NOT invalid
.... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
.... .... .1.. .... .... .... .... .... = Initial: This ticket was granted by AS and not TGT protocol
.... .... ..1. .... .... .... .... .... = Pre-Auth: The client was PRE-AUTHenticated
.... .... ...0 .... .... .... .... .... = HW-Auth: The client was NOT authenticated using hardware
.... .... .... 0... .... .... .... .... = Transited Policy Checked: Kdc has NOT performed transited policy checking
.... .... .... .0.. .... .... .... .... = Ok As Delegate: This ticket is NOT ok as a delegated ticket
Authtime: 2005-08-16 09:40:29 (Z)
Start time: 2005-08-16 09:40:29 (Z)
End time: 2005-08-16 19:40:29 (Z)
Renew-till: 2005-08-23 09:40:29 (Z)
Realm: DENYDC.COM
Server Name (Service and Instance): krbtgt/DENYDC.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: DENYDC.COM
HostAddresses: XP1<20>
HostAddress XP1<20>
Addr-type: NETBIOS (20)
NetBIOS Name: XP1<20> (Server service)
No. Time Source Destination Protocol Info
6 0.036018 10.5.3.1 10.1.12.2 KRB5 TGS-REP
Frame 6 (1231 bytes on wire, 1231 bytes captured)
Ethernet II, Src: 00:03:ff:a6:ab:0c (00:03:ff:a6:ab:0c), Dst: 00:03:ff:a7:ab:0c (00:03:ff:a7:ab:0c)
Internet Protocol, Src: 10.5.3.1 (10.5.3.1), Dst: 10.1.12.2 (10.1.12.2)
User Datagram Protocol, Src Port: 88 (88), Dst Port: 1061 (1061)
Kerberos TGS-REP
Pvno: 5
MSG Type: TGS-REP (13)
Client Realm: DENYDC.COM
Client Name (Principal): des
Name-type: Principal (1)
Name: des
Ticket
Tkt-vno: 5
Realm: DENYDC.COM
Server Name (Service and Host): host/xp1.denydc.com
Name-type: Service and Host (3)
Name: host
Name: xp1.denydc.com
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: E63BB88DD1D8F8B5AAFE7B76E59E4F42E5E090B679E8A945...
enc-part des-cbc-md5
Encryption type: des-cbc-md5 (3)
enc-part: 70E024FDB23293198556E63CA27554CF3DD36D0A548E9215...
[Decrypted using: key learnt from frame 4]
EncKDCRepPart
key rc4-hmac
Key type: rc4-hmac (23)
Key value: 60CCC14E37427A87D289F855FEB3A405
LastReqs:
LastReq
Lr-type: No information available (0)
Lr-time: 2005-08-16 09:40:29 (Z)
Nonce: 197296424
Padding: 0
Ticket Flags (Forwardable, Renewable, Pre-Auth)
.1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... ...0 .... .... .... .... .... .... = Invalid: This ticket is NOT invalid
.... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
.... .... .0.. .... .... .... .... .... = Initial: This ticket was granted by TGT and not as protocol
.... .... ..1. .... .... .... .... .... = Pre-Auth: The client was PRE-AUTHenticated
.... .... ...0 .... .... .... .... .... = HW-Auth: The client was NOT authenticated using hardware
.... .... .... 0... .... .... .... .... = Transited Policy Checked: Kdc has NOT performed transited policy checking
.... .... .... .0.. .... .... .... .... = Ok As Delegate: This ticket is NOT ok as a delegated ticket
Authtime: 2005-08-16 09:40:29 (Z)
Start time: 2005-08-16 09:40:29 (Z)
End time: 2005-08-16 19:40:29 (Z)
Renew-till: 2005-08-23 09:40:29 (Z)
Realm: DENYDC.COM
Server Name (Service and Host): host/xp1.denydc.com
Name-type: Service and Host (3)
Name: host
Name: xp1.denydc.com
No. Time Source Destination Protocol Info
24 73.140901 10.5.3.1 10.1.12.2 KRB5 AS-REP
Frame 24 (1283 bytes on wire, 1283 bytes captured)
Ethernet II, Src: 00:03:ff:a6:ab:0c (00:03:ff:a6:ab:0c), Dst: 00:03:ff:a7:ab:0c (00:03:ff:a7:ab:0c)
Internet Protocol, Src: 10.5.3.1 (10.5.3.1), Dst: 10.1.12.2 (10.1.12.2)
User Datagram Protocol, Src Port: 88 (88), Dst Port: 1088 (1088)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
Client Realm: DENYDC.COM
Client Name (Principal): u5
Name-type: Principal (1)
Name: u5
Ticket
Tkt-vno: 5
Realm: DENYDC.COM
Server Name (Service and Instance): krbtgt/DENYDC.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: DENYDC.COM
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: C01854EF90D885D4498C878EE5477CAC541D8196ED38E108...
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 7
enc-part: 7AE4B59586EC38D817BC82427A3B58741D78082E569B9CC3...
[Decrypted using: keytab principal u5@xxxxxxxxxx]
EncKDCRepPart
key rc4-hmac
Key type: rc4-hmac (23)
Key value: 430052E1D923CCFB3ACDD8570AB29FC6
LastReqs:
LastReq
Lr-type: No information available (0)
Lr-time: 2005-08-16 09:41:34 (Z)
Nonce: 839903404
Key Expiration: 2037-09-14 02:48:05 (Z)
Padding: 0
Ticket Flags (Forwardable, Renewable, Initial, Pre-Auth)
.1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... ...0 .... .... .... .... .... .... = Invalid: This ticket is NOT invalid
.... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
.... .... .1.. .... .... .... .... .... = Initial: This ticket was granted by AS and not TGT protocol
.... .... ..1. .... .... .... .... .... = Pre-Auth: The client was PRE-AUTHenticated
.... .... ...0 .... .... .... .... .... = HW-Auth: The client was NOT authenticated using hardware
.... .... .... 0... .... .... .... .... = Transited Policy Checked: Kdc has NOT performed transited policy checking
.... .... .... .0.. .... .... .... .... = Ok As Delegate: This ticket is NOT ok as a delegated ticket
Authtime: 2005-08-16 09:41:34 (Z)
Start time: 2005-08-16 09:41:34 (Z)
End time: 2005-08-16 19:41:34 (Z)
Renew-till: 2005-08-17 05:00:00 (Z)
Realm: DENYDC.COM
Server Name (Service and Instance): krbtgt/DENYDC.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: DENYDC.COM
HostAddresses: XP1<20>
HostAddress XP1<20>
Addr-type: NETBIOS (20)
NetBIOS Name: XP1<20> (Server service)
No. Time Source Destination Protocol Info
32 74.030765 10.5.3.1 10.1.12.2 KRB5 TGS-REP
Frame 32 (1244 bytes on wire, 1244 bytes captured)
Ethernet II, Src: 00:03:ff:a6:ab:0c (00:03:ff:a6:ab:0c), Dst: 00:03:ff:a7:ab:0c (00:03:ff:a7:ab:0c)
Internet Protocol, Src: 10.5.3.1 (10.5.3.1), Dst: 10.1.12.2 (10.1.12.2)
User Datagram Protocol, Src Port: 88 (88), Dst Port: 1096 (1096)
Kerberos TGS-REP
Pvno: 5
MSG Type: TGS-REP (13)
Client Realm: DENYDC.COM
Client Name (Principal): u5
Name-type: Principal (1)
Name: u5
Ticket
Tkt-vno: 5
Realm: DENYDC.COM
Server Name (Service and Instance): cifs/vpc-w2k3ent.denydc.com
Name-type: Service and Instance (2)
Name: cifs
Name: vpc-w2k3ent.denydc.com
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 9
enc-part: 1A166C6893D83551ED37E7B1EBEF9A9D86A65F461B78387A...
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
enc-part: F7E59B359B852B1BC247AC2BDB36821A78A057A1812E7B68...
[Decrypted using: key learnt from frame 24]
EncKDCRepPart
key rc4-hmac
Key type: rc4-hmac (23)
Key value: 8E2212A96A8E437FC271519AF17552BB
LastReqs:
LastReq
Lr-type: No information available (0)
Lr-time: 2005-08-16 09:41:35 (Z)
Nonce: 898574737
Padding: 0
Ticket Flags (Forwardable, Renewable, Pre-Auth, Ok As Delegate)
.1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... ...0 .... .... .... .... .... .... = Invalid: This ticket is NOT invalid
.... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
.... .... .0.. .... .... .... .... .... = Initial: This ticket was granted by TGT and not as protocol
.... .... ..1. .... .... .... .... .... = Pre-Auth: The client was PRE-AUTHenticated
.... .... ...0 .... .... .... .... .... = HW-Auth: The client was NOT authenticated using hardware
.... .... .... 0... .... .... .... .... = Transited Policy Checked: Kdc has NOT performed transited policy checking
.... .... .... .1.. .... .... .... .... = Ok As Delegate: This ticket is OK AS a DELEGATED ticket
Authtime: 2005-08-16 09:41:34 (Z)
Start time: 2005-08-16 09:41:35 (Z)
End time: 2005-08-16 19:41:34 (Z)
Renew-till: 2005-08-17 05:00:00 (Z)
Realm: DENYDC.COM
Server Name (Service and Instance): cifs/vpc-w2k3ent.denydc.com
Name-type: Service and Instance (2)
Name: cifs
Name: vpc-w2k3ent.denydc.com
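The two kinds of "[Decrypted using: ...]" lines in the decode above are one chain: the keytab principal's long-term key opens the AS-REP encrypted part (frames 4 and 24), and the session key carried inside it is what opens the TGS-REP encrypted part (frames 6 and 32, "key learnt from frame 4" / "frame 24"). The Python below is an added example, not code from Ethereal or from anyone in this thread. It reimplements the rc4-hmac profile (RFC 4757) so the chain can be run offline on constructed data: the long-term key is the NT hash of an assumed password "password" (the kind of value the quoted `ktutil addent -key ... -e arcfour-hmac-md5` stores), the two session key values printed for frames 24 and 32 are reused only as sample bytes, and made-up text stands in for the real ASN.1 EncKDCRepPart. A wrong key or wrong key-usage number fails the HMAC-MD5 check before any plaintext comes out, so a mis-keyed keytab produces exactly nothing, which is consistent with the symptom in the quoted report.

```python
"""rc4-hmac (RFC 4757) round trip mirroring Ethereal's two "Decrypted using" steps.
Added example (not Ethereal code); every input is constructed, see the comments in demo().
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, spelled out because hashlib's md4 is often disabled on OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F = (b AND c) OR (NOT b AND d), X words in order
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rol((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G = majority(b, c, d), X words by column
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rol((a + g + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H = b XOR c XOR d, X words in bit-reversed order
            h, k = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rol((a + h + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """rc4-hmac string-to-key (RFC 4757 sec. 6): MD4 over UTF-16LE, i.e. the NT hash a keytab stores."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

# RFC 4757 message type T for KDC-REP encrypted parts: MIT and Heimdal map the
# RFC 4120 key usages 3 (AS-REP), 8 and 9 (TGS-REP) all to T=8 for rc4-hmac.
T_KDC_REP_ENCPART = 8

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    k1 = _hmac_md5(key, struct.pack("<I", usage))  # K2 == K1 for the 128-bit (non-export) variant
    edata = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, edata)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, edata)

def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    checksum, body = ciphertext[:16], ciphertext[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    edata = rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, edata), checksum):
        raise ValueError("rc4-hmac checksum mismatch: wrong key or wrong key usage")
    return edata[8:]  # strip the 8-byte confounder

def decrypts_with(key: bytes, usage: int, ciphertext: bytes) -> bool:
    """How a decoder decides whether a keytab entry fits a blob: the checksum verifies or it does not."""
    try:
        rc4_hmac_decrypt(key, usage, ciphertext)
        return True
    except ValueError:
        return False

def decrypt_kdc_rep_chain(long_term_key: bytes, as_rep_encpart: bytes, tgs_rep_encpart: bytes):
    """Step 1: the keytab key opens the AS-REP; step 2: the session key it carries opens the TGS-REP."""
    enc_as_rep_part = rc4_hmac_decrypt(long_term_key, T_KDC_REP_ENCPART, as_rep_encpart)
    session_key = enc_as_rep_part[:16]  # constructed layout; the real EncKDCRepPart is ASN.1 with a 'key' field
    enc_tgs_rep_part = rc4_hmac_decrypt(session_key, T_KDC_REP_ENCPART, tgs_rep_encpart)
    return session_key, enc_tgs_rep_part

def demo() -> bool:
    long_term = nt_hash("password")  # assumed password; stands in for the keytab's arcfour-hmac-md5 entry
    tgs_session = bytes.fromhex("430052E1D923CCFB3ACDD8570AB29FC6")  # frame 24 key value, used only as sample bytes
    app_session = bytes.fromhex("8E2212A96A8E437FC271519AF17552BB")  # frame 32 key value, used only as sample bytes
    as_rep = rc4_hmac_encrypt(long_term, T_KDC_REP_ENCPART, tgs_session + b"<rest of EncASRepPart, constructed>")
    tgs_rep = rc4_hmac_encrypt(tgs_session, T_KDC_REP_ENCPART, app_session + b"<rest of EncTGSRepPart, constructed>")
    learnt, tgs_plain = decrypt_kdc_rep_chain(long_term, as_rep, tgs_rep)
    return learnt == tgs_session and tgs_plain[:16] == app_session

if __name__ == "__main__":
    print("AS-REP key opens TGS-REP:", demo())
```

Note that both the unsalted MD4 string-to-key and RC4 itself are why rc4-hmac is deprecated for Kerberos (RFC 8429); the example shows how the decoder's key chain works, not a cipher to deploy. The des principal in the decode follows the same two-step chain with des-cbc-md5 in place of rc4-hmac.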
- Follow-Ups:
  - Re: [Ethereal-users] Re: decrypt Kerberos data, from Xiaoguang Liu
- References:
  - [Ethereal-users] decrypt Kerberos data, from Xiaoguang Liu