Hi Ronnie,
Thank you for your help again.
btw, when I use 817.keytab and showrepl.cap together, my Ethereal
crashed. If it happens to you too, you can use 816.key from yesterday.
The difference between 817.keytab and 816.key is that 817 has an extra
key: krbtgt@xxxxxxxxxx.
Another question: if I provide the key for krbtgt@realm in the keytab file,
can Ethereal decrypt the TGT in the AS-REP? Please refer to the trace in
the last email, frame 7.
frame 7
========
Ticket
Tkt-vno: 5
Realm: DENYDC.COM
Server Name (Service and Instance): krbtgt/DENYDC.COM
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 9A83F5821211........ <<-------------------------
This is the part I mean.
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 7
enc-part: E6CFF54BD9AA4DD27F6EED0CB747FD13A1A5720D5A722AE5...
[Decrypted using: keytab principal u5@xxxxxxxxxx]
EncKDCRepPart
On 8/18/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> I will look at the traces tonight when I get home.
>
>
> Ethereal is able to decrypt DCE/RPC that is wrapped inside GSS-KRB
>
> HOWEVER: this ONLY works for rc4-hmac and even for rc4-hmac there is
> something wrong with the code in that decryption only works
> approximately ~50% of the time :-(
>
> Since I myself am only ever really interested in the content of the
> ticket itself, I haven't really put very much priority into trying to
> find out what is wrong here or implementing things like DES...
>
>
>
> On 8/18/05, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> > Hi all,
> >
> > Yesterday I managed to see a decrypted Kerberos ticket in Ethereal. It
> > is really cool. My final goal is to decrypt RPC calls and dive into
> > the Active Directory traffic. My first try failed. I attached the
> > trace and keytab file. Hope anyone can provide some comments.
> >
> > What I did was:
> > 1. log in with a domain administrator account, u5@xxxxxxxxxx, on an XP
> > client in the win2k3 domain
> > 2. run "repadmin /showrepl /rpc" to create some RPC traffic between the XP client and the DC.
> >
> > In the trace, Kerberos decryption works pretty well until frame 100.
> > In frame 101, the DSBIND call, the Kerberos blob data can be parsed but
> > the DSBIND call data is still in encrypted format.
> >
> > output of frame 101
> > ============
> > ....
> > Response in frame: 102
> > GSS-API Generic Security Service Application Program Interface
> > OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
> > krb5_blob: 020111001000FFFF36A6B0DD95CAE1657BA8AED46647AE43...
> > krb5_tok_id: KRB5_GSS_Wrap (0x0102)
> > krb5_sgn_alg: HMAC (0x0011)
> > krb5_seal_alg: RC4 (0x0010)
> > krb5_snd_seq: 36A6B0DD95CAE165
> > krb5_sgn_cksum: 7BA8AED46647AE43
> > krb5_confounder: BDFF205C7130BA30
> > DRSUAPI, DsBind
> > Operation: DsBind (0)
> > Encrypted stub data (112 bytes) <------[not decrypted]
> >
> >
> > Is Ethereal able to decrypt the stub data of DSBIND or any MSRPC call?
> >
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
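Added example (not code from the thread, from Ethereal, or from either poster) showing what the decryption discussed above actually involves. In an AS-REP the Ticket's enc-part is encrypted under the krbtgt/REALM long-term key with Kerberos key usage 2, while the EncKDCRepPart is encrypted under the client's key with usage 3, which RFC 4757 (RC4-HMAC, etype 23, the type shown in frame 7) salts as 8. So a keytab entry for krbtgt with the matching kvno is what a dissector needs to open the Ticket, and the same key at the wrong usage still fails the HMAC check rather than producing garbage. The block implements RFC 4757 encryption and decryption in Python with constructed 16-byte keys and constructed plaintexts (a real RC4-HMAC key would be the NT hash of the principal's password), and additionally splits the fixed 24-byte header of the GSS Wrap token from the frame 101 output quoted above; that hex is copied from the thread, and everything after the header is sealed under keys derived from the session key, which this example does not unwrap.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

KU_TICKET = 2   # Ticket enc-part: under the service (krbtgt) key (RFC 4120 s7.5.1)
KU_AS_REP = 3   # EncKDCRepPart: under the client's long-term key

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR the keystream into data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def translate_usage(usage: int) -> int:
    """RFC 4757 s3 quirk: AS-REP usage 3 is salted as 8, GSS Wrap seal 23 as 13."""
    return {3: 8, 23: 13}.get(usage, usage)

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes,
                     confounder: Optional[bytes] = None) -> bytes:
    """etype 23 EncryptedData: checksum || RC4(K3, confounder || plaintext)."""
    if confounder is None:
        confounder = os.urandom(8)
    k1 = hmac_md5(key, struct.pack("<I", translate_usage(usage)))
    edata = confounder + plaintext
    checksum = hmac_md5(k1, edata)       # K2 == K1 for the non-export variant
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, edata)

def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; wrong key and wrong usage both fail the HMAC."""
    if len(ciphertext) < 24:
        raise ValueError("too short for checksum + confounder")
    checksum, body = ciphertext[:16], ciphertext[16:]
    k1 = hmac_md5(key, struct.pack("<I", translate_usage(usage)))
    k3 = hmac_md5(k1, checksum)
    edata = rc4(k3, body)
    if not hmac.compare_digest(hmac_md5(k1, edata), checksum):
        raise ValueError("checksum mismatch: wrong key or wrong key usage")
    return edata[8:]                      # strip the 8-byte confounder

def try_decrypt(key: bytes, usage: int, ciphertext: bytes) -> Optional[bytes]:
    try:
        return rc4_hmac_decrypt(key, usage, ciphertext)
    except ValueError:
        return None

# First 24 bytes of the krb5_blob Ethereal printed for frame 101 (copied from
# the thread): the fixed header of an RFC 1964 / RFC 4757 s7.3 Wrap token.
FRAME_101_WRAP_PREFIX = bytes.fromhex(
    "020111001000FFFF36A6B0DD95CAE1657BA8AED46647AE43")

def parse_wrap_token_header(tok: bytes) -> dict:
    """Split the fixed Wrap-token header. SND_SEQ, the confounder after it and
    the DCE/RPC stub are sealed under session-key-derived keys (not done here)."""
    if len(tok) < 24 or tok[:2] != b"\x02\x01":
        raise ValueError("not a KRB5 Wrap token (TOK_ID 02 01)")
    sgn_alg, seal_alg, filler = struct.unpack("<HH2s", tok[2:8])
    return {
        "sgn_alg": sgn_alg,              # 0x0011 = HMAC-MD5
        "seal_alg": seal_alg,            # 0x0010 = RC4, 0xFFFF = not sealed
        "filler_ok": filler == b"\xff\xff",
        "snd_seq": tok[8:16],            # still encrypted
        "sgn_cksum": tok[16:24],
    }

def demo() -> dict:
    """Mirror frame 7 with constructed keys: Ticket opens only with krbtgt at usage 2."""
    krbtgt_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    client_key = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed
    ticket_part = b"EncTicketPart (constructed)"
    rep_part = b"EncASRepPart (constructed)"
    ticket_ct = rc4_hmac_encrypt(krbtgt_key, KU_TICKET, ticket_part)
    rep_ct = rc4_hmac_encrypt(client_key, KU_AS_REP, rep_part)
    return {
        "ticket_with_krbtgt": try_decrypt(krbtgt_key, KU_TICKET, ticket_ct),
        "ticket_with_client": try_decrypt(client_key, KU_TICKET, ticket_ct),
        "ticket_wrong_usage": try_decrypt(krbtgt_key, KU_AS_REP, ticket_ct),
        "rep_with_client": try_decrypt(client_key, KU_AS_REP, rep_ct),
        "frame_101_header": parse_wrap_token_header(FRAME_101_WRAP_PREFIX),
    }

if __name__ == "__main__":
    print(demo())
```

Run it directly to print the result dict: the two None entries are the wrong-key and wrong-usage cases, which is also what a dissector sees when the keytab has the principal but a key of the wrong kvno or encryption type.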