Difference between revisions of "Keytab Extraction"

m (Online Keytab Creation from Machine Account Password)
m (Fixed link)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Once you have [[Capture Packets|captured packets]] you can use Wireshark to analyze them in many case decryption of traffic is needed in order to analyze correctly an exchange.
+
Once you have [[Capture Packets|captured packets]] you can use Wireshark to [[Wireshark Keytab|analyze]] them in many case decryption of traffic is needed in order to analyze correctly an exchange.
  
== How to Extract a keytab containing your domain's passwords ==
+
= How to Extract a keytab containing your domain's passwords =
 
There are two ways to obtain a keytab from an Active Directory Domain with Samba:
 
There are two ways to obtain a keytab from an Active Directory Domain with Samba:
 
==Using Samba4==
 
==Using Samba4==
  
To use samba4, it needs to be a domain controller for your domain. If it's not already the case check [[Join_an_additional_Samba_DC_to_an_existing_Active_Directory|how to join Samba4 as domain controller]].
+
To use samba4, it needs a copy of the domain database. If it is already a domain controller for your domain, then you don't need this next step.
  
Then, to extract the keytab run
+
Clone the DC:
  
  samba-tool domain exportkeytab PATH_TO_KEYTAB
+
    samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
 +
    samba-tool domain exportkeytab PATH_TO_KEYTAB --configfile=/tmp/foo/etc/smb.conf
 +
 
 +
If you don't have the `samba-tool drs clone-dc-database` command, then your Samba version is not new enough and you will need to join the domain. See [[Joining_a_Samba_DC_to_an_Existing_Active_Directory|how to join Samba4 as domain controller]], then run
 +
 
 +
    samba-tool domain exportkeytab PATH_TO_KEYTAB
  
 
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.
 
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.
Line 21: Line 26:
 
Note that the path to the keytab file needs to be an absolute path, in some situations you might need to append @domain.tld at the administrative username
 
Note that the path to the keytab file needs to be an absolute path, in some situations you might need to append @domain.tld at the administrative username
  
==Online Keytab Creation from Machine Account Password==
+
=Online Keytab Creation from Machine Account Password=
 
In a field deployment on a domain with 100K+ accounts, extracting all password is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made by a member server, encrypted by its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:
 
In a field deployment on a domain with 100K+ accounts, extracting all password is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made by a member server, encrypted by its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:
 
  KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P
 
  KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P
  
==Offline Keytab Creation from Secrets.tdb==
+
=Offline Keytab Creation from Secrets.tdb=
 
If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials, if you can get a hold on the server's secrets.tdb. This method can also be done offline on a different machine.
 
If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials, if you can get a hold on the server's secrets.tdb. This method can also be done offline on a different machine.
 
  tdbdump secrets.tdb
 
  tdbdump secrets.tdb
Line 37: Line 42:
 
  ktutil:  q
 
  ktutil:  q
  
A less cumbersome way, using a Windows server is:
+
=Keytab Creation on a Windows Server=
 +
A less cumbersome way, using a Windows server:
 +
 
 +
User account:
 +
ktpass.exe /out my.keytab /pass <password> /princ <user>@<realm> /ptype KRB5_NT_PRINCIPAL /crypto all
 +
 
 +
Machine account:
 
  ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all
 
  ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all

Latest revision as of 13:34, 9 October 2016

Once you have captured packets you can use Wireshark to analyze them in many case decryption of traffic is needed in order to analyze correctly an exchange.

How to Extract a keytab containing your domain's passwords

There are two ways to obtain a keytab from an Active Directory Domain with Samba:

Using Samba4

To use samba4, it needs a copy of the domain database. If it is already a domain controller for your domain, then you don't need this next step.

Clone the DC:

   samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
   samba-tool domain exportkeytab PATH_TO_KEYTAB  --configfile=/tmp/foo/etc/smb.conf

If you don't have the `samba-tool drs clone-dc-database` command, then your Samba version is not new enough and you will need to join the domain. See how to join Samba4 as domain controller, then run

   samba-tool domain exportkeytab PATH_TO_KEYTAB

It will write out a keytab in PATH_TO_KEYTAB containing the current keys for every host and user.

Using Samba3

To dump a keytab, join the domain and then run:

net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights 

Note that the path to the keytab file needs to be an absolute path, in some situations you might need to append @domain.tld at the administrative username

Online Keytab Creation from Machine Account Password

In a field deployment on a domain with 100K+ accounts, extracting all password is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made by a member server, encrypted by its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:

KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P

Offline Keytab Creation from Secrets.tdb

If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials, if you can get a hold on the server's secrets.tdb. This method can also be done offline on a different machine.

tdbdump secrets.tdb

Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is the value without the trailing zero. Use the ktutil utility to construct the keytab:

ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes256-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes128-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  write_kt my.keytab
ktutil:  q

Keytab Creation on a Windows Server

A less cumbersome way, using a Windows server:

User account:

ktpass.exe /out my.keytab /pass <password> /princ <user>@<realm> /ptype KRB5_NT_PRINCIPAL /crypto all

Machine account:

ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all