Difference between revisions of "Keytab Extraction"

m (Online Keytab Creation from Machine Account Password)
(Using Samba4: add a way of getting a keytab without joining)
Line 5: Line 5:
 
==Using Samba4==
 
==Using Samba4==
  
To use samba4, it needs to be a domain controller for your domain. If it's not already the case check [[Join_an_additional_Samba_DC_to_an_existing_Active_Directory|how to join Samba4 as domain controller]].
+
To use samba4, it needs a copy of the domain database. If it is already a domain controller for your domain, then you don't need this next step.
  
Then, to extract the keytab run
+
Clone the DC:
  
  samba-tool domain exportkeytab PATH_TO_KEYTAB
+
    samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
 +
    samba-tool domain exportkeytab PATH_TO_KEYTAB --configfile=/tmp/foo/etc/smb.conf
 +
 
 +
If you don't have the `samba-tool drs clone-dc-database` command, then your Samba version is not new enough and you will need to join the domain. See [[Join_an_additional_Samba_DC_to_an_existing_Active_Directory|how to join Samba4 as domain controller]], then run
 +
 
 +
    samba-tool domain exportkeytab PATH_TO_KEYTAB
  
 
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.
 
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.

Revision as of 01:51, 27 November 2015

Once you have captured packets you can use Wireshark to analyze them in many case decryption of traffic is needed in order to analyze correctly an exchange.

How to Extract a keytab containing your domain's passwords

There are two ways to obtain a keytab from an Active Directory Domain with Samba:

Using Samba4

To use samba4, it needs a copy of the domain database. If it is already a domain controller for your domain, then you don't need this next step.

Clone the DC:

   samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
   samba-tool domain exportkeytab PATH_TO_KEYTAB  --configfile=/tmp/foo/etc/smb.conf

If you don't have the `samba-tool drs clone-dc-database` command, then your Samba version is not new enough and you will need to join the domain. See how to join Samba4 as domain controller, then run

   samba-tool domain exportkeytab PATH_TO_KEYTAB

It will write out a keytab in PATH_TO_KEYTAB containing the current keys for every host and user.

Using Samba3

To dump a keytab, join the domain and then run:

net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights 

Note that the path to the keytab file needs to be an absolute path, in some situations you might need to append @domain.tld at the administrative username

Online Keytab Creation from Machine Account Password

In a field deployment on a domain with 100K+ accounts, extracting all password is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made by a member server, encrypted by its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:

KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P

Offline Keytab Creation from Secrets.tdb

If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials, if you can get a hold on the server's secrets.tdb. This method can also be done offline on a different machine.

tdbdump secrets.tdb

Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is the value without the trailing zero. Use the ktutil utility to construct the keytab:

ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes256-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes128-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  write_kt my.keytab
ktutil:  q

A less cumbersome way, using a Windows server is:

ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all