Hi all,
yesterday I managed to see a decrypted Kerberos ticket in Ethereal. It
is really cool. My final goal is to decrypt RPC calls and dive into
the Active Directory traffic. My first try failed. I attached the
trace and keytab file. Hope anyone can provide some comments.
What I did was:
1. log in as a domain administrator account, u5@xxxxxxxxxx, on an XP
client in the win2k3 domain
2. run "repadmin /showrepl /rpc" to create some rpc traffic between XP and DC.
In the trace, Kerberos decryption works pretty cool until frame 100.
In frame 101, the DSBIND call, the Kerberos blob data can be parsed but
the DSBIND call data is still in encrypted format.
Output of frame 101:
============
....
Response in frame: 102
GSS-API Generic Security Service Application Program Interface
OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
krb5_blob: 020111001000FFFF36A6B0DD95CAE1657BA8AED46647AE43...
krb5_tok_id: KRB5_GSS_Wrap (0x0102)
krb5_sgn_alg: HMAC (0x0011)
krb5_seal_alg: RC4 (0x0010)
krb5_snd_seq: 36A6B0DD95CAE165
krb5_sgn_cksum: 7BA8AED46647AE43
krb5_confounder: BDFF205C7130BA30
DRSUAPI, DsBind
Operation: DsBind (0)
Encrypted stub data (112 bytes) <------[not decrypted]
Is Ethereal able to decrypt the stub data of DSBIND or any MSRPC call?
Attachments: showrepl.cap (binary data), 817.keytab (binary data)
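The fields Ethereal printed for frame 101 are the fixed 24-byte header of a KRB5_GSS_Wrap token. As an added example (not code from the original post or from Ethereal), the parser below splits that header from the krb5_blob bytes shown in the post and explains why the stub data after it stays opaque: SEAL_ALG 0x0010 (RC4) means the body is encrypted, and the header alone carries no key. The layout follows RFC 1964 and RFC 4757; the sample bytes are copied from the post, which truncates the blob after the checksum.

```python
import struct
from dataclasses import dataclass

# Algorithm codes from RFC 1964 (DES) and RFC 4757 (RC4-HMAC); every 2-byte
# header field is little-endian on the wire, so bytes 02 01 read as 0x0102.
TOK_WRAP = 0x0102
SGN_ALGS = {0x0000: "DES MAC MD5", 0x0002: "DES MAC",
            0x0004: "HMAC-SHA1-DES3-KD", 0x0011: "HMAC (RC4-HMAC)"}
SEAL_ALGS = {0xFFFF: "none (integrity only)", 0x0000: "DES",
             0x0002: "DES3-KD", 0x0010: "RC4"}

# Constructed sample: the krb5_blob prefix Ethereal printed for frame 101.
# The post truncates it after the checksum, so only the 24-byte header is here.
FRAME_101_BLOB = bytes.fromhex(
    "020111001000FFFF" "36A6B0DD95CAE165" "7BA8AED46647AE43")

@dataclass
class WrapToken:
    sgn_alg: int
    seal_alg: int
    snd_seq: bytes    # 8 bytes, still RC4-encrypted exactly as seen on the wire
    sgn_cksum: bytes  # 8 bytes of HMAC output over the confounder and payload
    sealed: bytes     # encrypted confounder + stub data (empty when truncated)

    @property
    def confidentiality(self) -> bool:
        # SEAL_ALG 0xFFFF means the body is only integrity-protected.
        return self.seal_alg != 0xFFFF

def parse_wrap_token(blob: bytes) -> WrapToken:
    """Split a KRB5_GSS_Wrap token into its header fields and sealed body."""
    if len(blob) < 24:
        raise ValueError("wrap token header needs 24 bytes")
    tok_id, sgn_alg, seal_alg, filler = struct.unpack("<HHHH", blob[:8])
    if tok_id != TOK_WRAP or filler != 0xFFFF:
        raise ValueError(f"not a Wrap token: tok_id 0x{tok_id:04x} filler 0x{filler:04x}")
    return WrapToken(sgn_alg, seal_alg, blob[8:16], blob[16:24], blob[24:])

def describe(tok: WrapToken) -> str:
    """One-line summary in dissector style, stating why the body may be opaque."""
    state = ("sealed: decrypting it needs the service session key, not just this header"
             if tok.confidentiality else "signed only: body is plaintext")
    return (f"sgn_alg={SGN_ALGS.get(tok.sgn_alg, 'unknown')} (0x{tok.sgn_alg:04x}) "
            f"seal_alg={SEAL_ALGS.get(tok.seal_alg, 'unknown')} (0x{tok.seal_alg:04x}) "
            f"snd_seq={tok.snd_seq.hex().upper()} sgn_cksum={tok.sgn_cksum.hex().upper()} "
            f"body={len(tok.sealed)} bytes, {state}")

if __name__ == "__main__":
    print(describe(parse_wrap_token(FRAME_101_BLOB)))
```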