# Decoding Kerberos traffic with keytab file

Hi All,

I'm working on an assignment where i need to analyze PCAP file. I have identified the last piece of puzzle being in a WinRM/WSMan traffic which is Kerberos authenticated.

I did some research and found out that the kerberos traffic can be decrypted with keytab.file and i have found the user's password in the file so i should be able to create keytab file.

Based on the information found in the PCAP i've created keytab.file with ktutil and added it to wireshark - but i still cannot see anything

ktutil commands:

    ktutil:  addent -password -p <username>@ACME.LOCAL -k 3 -e aes256-cts-hmac-sha1-96
ktutil:  quit


ID Details from PCAP:

    Authentication Id : 0 ; 187585 (00000000:0002dcc1)
Session           : Interactive from 1
User Name         : <username>
Domain            : ACME
Logon Server      : DC
Logon Time        : 15.2.2018 15:51:58
SID               : S-1-5-21-3343427526-137776028-1300499595-5683
msv :

[00010000] CredentialKeys

* NTLM     : 6c42d7d30d96211dc1501fa404799e69

* SHA1     : 288147eb368667ab119c33261155c3c601ca100a

[00000003] Primary
* Domain   : ACME
* NTLM     : 6c42d7d30d96211dc1501fa404799e69
* SHA1     : 288147eb368667ab119c33261155c3c601ca100a
tspkg :
wdigest :
* Domain   : ACME
kerberos :
* Domain   : ACME.LOCAL
* Password : (null)
ssp :
credman :


And here is the screenshot of the kerberos part of the packet i would like to decrypt: https://ibb.co/guRBCH (cant upload since low points)

So, few questions:

1) Is this even possible - i read that WinRM negotiates with AES256 when kerberos authentication is detected - so i guess the traffic itself shouldn't be decrypted but the krb5 blob should?

2) I'm targeting the correct Kerberos-ticket - in the PCAP all identifiers in frames seem to be destinations IDs, so how to identify what is the Kerberos traffic authenticated by the compromised username?

3) Is the keytab file created correct - i've tried with both ACME and ACME.LOCAL as well as lowercase version but i cant see any information revelead in blobs

4) Is there way to debug if any traffic is successfully decrypted by the keytab file in Wire/Tshark ?

Thanks in advance and sorry if i'm asking stupid questions :)

edit retag close merge delete