Decrypting Kerberos tickets

  • Question

  • I'm doing a network capture using Wireshark targeting some Kerberos traffic (the ticket cache is flushed, then a request is made to a file server, thus generating the AS-REQ/AS-REP/TGS-REQ/TGS-REP sequences) and I'd like to see the encrypted parts of the tickets (e.g. the timestamps used as authenticators). I've found http://i1.blogs.msdn.com/b/spatdsg/archive/2009/03/26/more-kerberos-fun-with-pac-s.aspx which is pretty straightforward. However, by doing the steps presented there, the encrypted part is never decrypted. Wireshark works just fine, because with its own samples, decoding works great (http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=krb-816.zip). So obviously there must be something wrong in the process. The client I'm using is Windows 7, against a 2008 R2 DC. I tried exporting the keytab under different encryption formats (both RC4-HMAC-NT and AES256-SHA1) using my own principal name using ktpass, but neither worked. Could you help me figure out what's wrong?


    Thursday, January 31, 2013 12:23 PM

All replies

  • Hi,

    What's the etype that encrypts the authenticator? I guess you should use that encryption type to create the keytab. Also, what about the ktexport tool? Does it work?

    Regards,

    Denny



    Wednesday, February 20, 2013 2:12 PM
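A keytab only lets Wireshark decrypt a ticket or authenticator when it contains a key for the right principal, the right kvno and the same etype that the KDC actually used on the wire; an RC4 key is useless against an AES256-encrypted authenticator. The following Python keytab reader is an added example, not code from this thread or from Microsoft's ktpass; it parses the MIT keytab format (version 0x0502) that ktpass writes, lists each entry's principal, kvno and etype, checks that the key length matches the etype, and reports whether any key could cover an etype observed in a capture. The keytab bytes, the key material and the "observed" etype value are all constructed sample data.

```python
import struct
from dataclasses import dataclass

# Etype numbers from RFC 3961 / RFC 3962 / RFC 4757 and the key length each one expects.
ETYPES = {
    1: ("des-cbc-crc", 8),
    3: ("des-cbc-md5", 8),
    17: ("aes128-cts-hmac-sha1-96", 16),
    18: ("aes256-cts-hmac-sha1-96", 32),
    23: ("rc4-hmac", 16),
}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # "name/component@REALM"
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key: bytes

    def describe(self):
        name, expected_len = ETYPES.get(self.etype, ("etype-%d" % self.etype, None))
        ok = expected_len is None or expected_len == len(self.key)
        return "%s kvno=%d etype=%d (%s) keylen=%d%s" % (
            self.principal, self.kvno, self.etype, name, len(self.key),
            "" if ok else " [key length does not match etype]")


def _counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise entries into MIT keytab v2 bytes (used here only to build the constructed sample)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.etype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)          # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Parse MIT keytab v2 bytes into KeytabEntry objects; negative-size slots are deleted entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:
            off += -size              # skip a deleted slot
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:            # the 32-bit kvno is present only if bytes remain
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, ts, kvno, etype, key))
    return entries


def keys_for_etype(entries, observed_etype):
    """Return the entries whose etype matches what the capture shows (e.g. the AS-REP enc-part etype)."""
    return [e for e in entries if e.etype == observed_etype]


# Constructed sample: one RC4 key and one AES256 key for the same user, dummy key bytes.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("jdoe@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1359635000, 3, 23, bytes(range(16))),
    KeytabEntry("jdoe@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1359635000, 3, 18, bytes(range(32))),
])
OBSERVED_ETYPE = 18  # constructed: etype Wireshark would show on the AS-REP enc-part

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for entry in parsed:
        print(entry.describe())
    matches = keys_for_etype(parsed, OBSERVED_ETYPE)
    print("keys usable for etype %d: %d" % (OBSERVED_ETYPE, len(matches)))
```

Run it against a real keytab by reading the file into `parse_keytab` and comparing the etype column with the etype Wireshark shows in the AS-REP `enc-part` and in the authenticator of the AP-REQ; when no entry matches, re-export the keytab with that etype (and check the kvno against the one in the ticket) before trying to decrypt again.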