I will look at the traces tonight when I get home.
Ethereal is able to decrypt DCE/RPC that is wrapped inside GSS-KRB
HOWEVER: this ONLY works for rc4-hmac, and even for rc4-hmac there is
something wrong with the code in that decryption only works
approximately 50% of the time :-(
Since I am only ever really interested in the content of the
ticket itself, I haven't really put very much priority into trying to
find out what is wrong here or implementing things like des...
On 8/18/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> Hi all,
>
> Yesterday I managed to see a decrypted Kerberos ticket in Ethereal. It
> is really cool. My final goal is to decrypt RPC calls and dive into
> the Active Directory traffic. My first try failed. I attached the
> trace and keytab file. Hope anyone can provide some comments.
>
> What I did was:
> 1. log in as a domain administrator account, u5@xxxxxxxxxx, on an XP
> client in the win2k3 domain
> 2. run "repadmin /showrepl /rpc" to create some RPC traffic between the XP client and the DC.
>
> In the trace, Kerberos decryption works pretty well until frame 100.
> In frame 101, the DSBIND call, the Kerberos blob data can be parsed, but
> the DSBIND call data is still in encrypted format.
>
> output of frame 101
> ============
> ....
> Response in frame: 102
> GSS-API Generic Security Service Application Program Interface
> OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
> krb5_blob: 020111001000FFFF36A6B0DD95CAE1657BA8AED46647AE43...
> krb5_tok_id: KRB5_GSS_Wrap (0x0102)
> krb5_sgn_alg: HMAC (0x0011)
> krb5_seal_alg: RC4 (0x0010)
> krb5_snd_seq: 36A6B0DD95CAE165
> krb5_sgn_cksum: 7BA8AED46647AE43
> krb5_confounder: BDFF205C7130BA30
> DRSUAPI, DsBind
> Operation: DsBind (0)
> Encrypted stub data (112 bytes) <------[not decrypted]
>
>
> Is ethereal able to decrypt the stub data of DSBIND or any MSRPC call?
>
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
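As an added example (not code from this thread or from Ethereal), the following pure-Python module parses the KRB5_GSS_Wrap token layout Ethereal dissected in frame 101 and runs the RC4-HMAC seal/unseal procedure of RFC 4757 section 7.3 as a wrap/unwrap round trip with a constructed key. The first 32 bytes of the frame 101 token are reconstructed from the dissector fields quoted above (header, SND_SEQ, SGN_CKSUM, Confounder); the 112 bytes of stub data and the keytab from the post are not included, so nothing here decrypts the real frame. Assumed: Kss is the 16-byte rc4-hmac session (or sub-session) key from the AP-REQ, the key is not an exportable 56-bit one, and the derivations are as I read them in RFC 4757. The check worth having when debugging a decryptor: unwrap recomputes SGN_CKSUM over the recovered plaintext, so a wrong key fails loudly rather than producing garbage that looks like "encrypted stub data".

```python
"""RFC 4757 GSS_Wrap (rc4-hmac) token parsing and unwrap, pure Python.

Added example, not Ethereal code. Assumptions: Kss is the 16-byte
rc4-hmac context key from the AP-REQ, non-exportable; layout and key
derivations follow RFC 4757 section 7.3 (and RFC 1964 for the filler).
"""
import hashlib
import hmac
import struct

TOK_ID_WRAP = b"\x02\x01"
SGN_ALG_HMAC = 0x0011
SEAL_ALG_RC4 = 0x0010
KU_SEAL = 13  # "T" salt RFC 4757 uses for GSS_Wrap checksums (15 = GetMIC)

# First 32 bytes of the frame 101 token, reconstructed from the dissector
# output quoted above. The encrypted stub data is not in the post.
FRAME_101_TOKEN_PREFIX = bytes.fromhex(
    "020111001000FFFF" "36A6B0DD95CAE165" "7BA8AED46647AE43" "BDFF205C7130BA30")

# Constructed demo key (not from the poster's keytab); any 16 bytes work.
DEMO_KSS = bytes(range(0x10, 0x20))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Stream cipher, so encrypt == decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def parse_wrap_token(tok: bytes) -> dict:
    """Split a KRB5_GSS_Wrap token into the fields Ethereal shows for frame 101."""
    if len(tok) < 32 or tok[:2] != TOK_ID_WRAP:
        raise ValueError("not a KRB5_GSS_Wrap (0x0102) token")
    sgn_alg, seal_alg, filler = struct.unpack("<HHH", tok[2:8])  # little-endian
    if filler != 0xFFFF:
        raise ValueError("bad filler")
    return {"sgn_alg": sgn_alg, "seal_alg": seal_alg,
            "snd_seq": tok[8:16],      # RC4-encrypted sequence number
            "sgn_cksum": tok[16:24],   # first 8 bytes of HMAC-MD5 checksum
            "confounder": tok[24:32],  # RC4-encrypted together with data
            "data": tok[32:]}


def _kseq(kss, cksum8):     # key that encrypts SND_SEQ
    return hmac_md5(hmac_md5(kss, b"\0" * 4), cksum8)


def _kcrypt(kss, seq_be4):  # key that encrypts Confounder || Data
    klocal = bytes(b ^ 0xF0 for b in kss)
    return hmac_md5(hmac_md5(klocal, b"\0" * 4), seq_be4)


def _sgn_cksum(kss, header8, confounder, data):
    ksign = hmac_md5(kss, b"signaturekey\0")
    md5 = hashlib.md5(struct.pack("<I", KU_SEAL) + header8 + confounder + data).digest()
    return hmac_md5(ksign, md5)[:8]


def gss_wrap(kss, seq, confounder, plaintext, initiator=True):
    """Build a sealed token (SGN_ALG=HMAC, SEAL_ALG=RC4)."""
    data = plaintext + b"\x01"  # rc4-hmac pads with exactly one 0x01 byte
    header = TOK_ID_WRAP + struct.pack("<HHH", SGN_ALG_HMAC, SEAL_ALG_RC4, 0xFFFF)
    cksum = _sgn_cksum(kss, header, confounder, data)
    seq_be4 = struct.pack(">I", seq)
    snd_seq = seq_be4 + (b"\0" * 4 if initiator else b"\xff" * 4)
    return (header + rc4(_kseq(kss, cksum), snd_seq) + cksum
            + rc4(_kcrypt(kss, seq_be4), confounder + data))


def gss_unwrap(kss, token):
    """Return (seq, plaintext); raise ValueError on a wrong key or tampering."""
    f = parse_wrap_token(token)
    if (f["sgn_alg"], f["seal_alg"]) != (SGN_ALG_HMAC, SEAL_ALG_RC4):
        raise ValueError("only HMAC-signed, RC4-sealed tokens are handled here")
    snd_seq = rc4(_kseq(kss, f["sgn_cksum"]), f["snd_seq"])
    seq_be4, direction = snd_seq[:4], snd_seq[4:]
    if direction not in (b"\0" * 4, b"\xff" * 4):
        raise ValueError("SND_SEQ filler is neither 00*4 nor FF*4: wrong key?")
    body = rc4(_kcrypt(kss, seq_be4), f["confounder"] + f["data"])
    confounder, data = body[:8], body[8:]
    if not hmac.compare_digest(_sgn_cksum(kss, token[:8], confounder, data), f["sgn_cksum"]):
        raise ValueError("SGN_CKSUM mismatch: wrong key or modified token")
    if not data or data[-1] != 1:
        raise ValueError("bad rc4-hmac padding")
    return struct.unpack(">I", seq_be4)[0], data[:-1]
```

`parse_wrap_token(FRAME_101_TOKEN_PREFIX)` reproduces the field values Ethereal printed (sgn_alg 0x0011, seal_alg 0x0010, the SND_SEQ and SGN_CKSUM bytes), and `gss_unwrap(DEMO_KSS, gss_wrap(DEMO_KSS, 7, confounder, stub))` returns the stub again, while any other key raises. To try it on the real capture you would replace `DEMO_KSS` with the rc4-hmac key actually negotiated for the DCE/RPC context, which is exactly the part the dissector has to get right.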