Decoding Kerberos traffic with keytab file

asked 2018-04-11 11:06:32 +0000

jsj gravatar image

Hi All,

I'm working on an assignment where i need to analyze PCAP file. I have identified the last piece of puzzle being in a WinRM/WSMan traffic which is Kerberos authenticated.

I did some research and found out that the kerberos traffic can be decrypted with keytab.file and i have found the user's password in the file so i should be able to create keytab file.

Based on the information found in the PCAP i've created keytab.file with ktutil and added it to wireshark - but i still cannot see anything

ktutil commands:

    ktutil:  addent -password -p <username>@ACME.LOCAL -k 3 -e aes256-cts-hmac-sha1-96
    Password for <username>@ACME.LOCAL:
    ktutil:  wkt username.keytab
    ktutil:  quit

ID Details from PCAP:

    Authentication Id : 0 ; 187585 (00000000:0002dcc1)
    Session           : Interactive from 1
    User Name         : <username>
    Domain            : ACME
    Logon Server      : DC
    Logon Time        : 15.2.2018 15:51:58
    SID               : S-1-5-21-3343427526-137776028-1300499595-5683
    msv :

     [00010000] CredentialKeys

     * NTLM     : 6c42d7d30d96211dc1501fa404799e69

     * SHA1     : 288147eb368667ab119c33261155c3c601ca100a

     [00000003] Primary
     * Username : <username>
     * Domain   : ACME
     * NTLM     : 6c42d7d30d96211dc1501fa404799e69
     * SHA1     : 288147eb368667ab119c33261155c3c601ca100a
    tspkg :
    wdigest :
     * Username : <username>
     * Domain   : ACME
     * Password : <password>                  #acquired password
    kerberos :
     * Username : <username>
     * Domain   : ACME.LOCAL
     * Password : (null)
    ssp :
    credman :

And here is the screenshot of the kerberos part of the packet i would like to decrypt: (cant upload since low points)

So, few questions:

1) Is this even possible - i read that WinRM negotiates with AES256 when kerberos authentication is detected - so i guess the traffic itself shouldn't be decrypted but the krb5 blob should?

2) I'm targeting the correct Kerberos-ticket - in the PCAP all identifiers in frames seem to be destinations IDs, so how to identify what is the Kerberos traffic authenticated by the compromised username?

3) Is the keytab file created correct - i've tried with both ACME and ACME.LOCAL as well as lowercase version but i cant see any information revelead in blobs

4) Is there way to debug if any traffic is successfully decrypted by the keytab file in Wire/Tshark ?

Thanks in advance and sorry if i'm asking stupid questions :)

edit retag flag offensive close merge delete