Difference between revisions of "Keytab Extraction"

(Samba3: Fix keytab extraction instructions.)
m (Fixed link)
 
(14 intermediate revisions by 6 users not shown)
Line 1: Line 1:
=How to Extract a keytab containing your domain's passwords=
+
Once you have [[Capture Packets|captured packets]] you can use Wireshark to [[Wireshark Keytab|analyze]] them in many case decryption of traffic is needed in order to analyze correctly an exchange.
The keytab, a standard format for the storage of Kerberos keys, is also the input required by Wireshark to decrypt encrypted traffic
 
  
There are two ways to obtain a keytab from a Windows domain, with Samba:
+
= How to Extract a keytab containing your domain's passwords =
==Samba4==
+
There are two ways to obtain a keytab from an Active Directory Domain with Samba:
 +
==Using Samba4==
  
To join the domain, run:
+
To use samba4, it needs a copy of the domain database.  If it is already a domain controller for your domain, then you don't need this next step.
  
net vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator
+
Clone the DC:
  
If everything is set up correctly, it should just work. If not, check /etc/krb5.conf in particular - ensure it can reach the KDC by setting:
+
    samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
 +
    samba-tool domain exportkeytab PATH_TO_KEYTAB --configfile=/tmp/foo/etc/smb.conf
  
[libdefaults]
+
If you don't have the `samba-tool drs clone-dc-database` command, then your Samba version is not new enough and you will need to join the domain. See [[Joining_a_Samba_DC_to_an_Existing_Active_Directory|how to join Samba4 as domain controller]], then run
dns_lookup_kdc = true
 
  
Then, to extract the keytab run
+
    samba-tool domain exportkeytab PATH_TO_KEYTAB
  
net export keytab PATH_TO_KEYAB
+
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.
  
It will write out a keytab in the path specified, containing the current keys for every host.
+
==Using Samba3==
  
==Samba3==
+
To dump a keytab, join the domain and then run:
 +
 
 +
net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights
 +
 
 +
Note that the path to the keytab file needs to be an absolute path, in some situations you might need to append @domain.tld at the administrative username
 +
 
 +
=Online Keytab Creation from Machine Account Password=
 +
In a field deployment on a domain with 100K+ accounts, extracting all password is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made by a member server, encrypted by its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:
 +
KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P
  
To dump a keytab, join the domain and then run:
+
=Offline Keytab Creation from Secrets.tdb=
 +
If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials, if you can get a hold on the server's secrets.tdb. This method can also be done offline on a different machine.
 +
tdbdump secrets.tdb
 +
Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is the value without the trailing zero.
 +
Use the '''ktutil''' utility to construct the keytab:
 +
ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes256-cts-hmac-sha1-96 -k 1
 +
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
 +
ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes128-cts-hmac-sha1-96 -k 1
 +
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
 +
ktutil:  write_kt my.keytab
 +
ktutil:  q
 +
 
 +
=Keytab Creation on a Windows Server=
 +
A less cumbersome way, using a Windows server:
  
  net rpc vampire keytab /path/to/keytab/file
+
User account:
 +
  ktpass.exe /out my.keytab /pass <password> /princ <user>@<realm> /ptype KRB5_NT_PRINCIPAL /crypto all
  
Note that the path to the keytab file needs to be an absolute path.
+
Machine account:
 +
ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all

Latest revision as of 13:34, 9 October 2016

Once you have captured packets you can use Wireshark to analyze them in many case decryption of traffic is needed in order to analyze correctly an exchange.

How to Extract a keytab containing your domain's passwords

There are two ways to obtain a keytab from an Active Directory Domain with Samba:

Using Samba4

To use samba4, it needs a copy of the domain database. If it is already a domain controller for your domain, then you don't need this next step.

Clone the DC:

   samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
   samba-tool domain exportkeytab PATH_TO_KEYTAB  --configfile=/tmp/foo/etc/smb.conf

If you don't have the `samba-tool drs clone-dc-database` command, then your Samba version is not new enough and you will need to join the domain. See how to join Samba4 as domain controller, then run

   samba-tool domain exportkeytab PATH_TO_KEYTAB

It will write out a keytab in PATH_TO_KEYTAB containing the current keys for every host and user.

Using Samba3

To dump a keytab, join the domain and then run:

net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights 

Note that the path to the keytab file needs to be an absolute path, in some situations you might need to append @domain.tld at the administrative username

Online Keytab Creation from Machine Account Password

In a field deployment on a domain with 100K+ accounts, extracting all password is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made by a member server, encrypted by its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:

KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P

Offline Keytab Creation from Secrets.tdb

If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials, if you can get a hold on the server's secrets.tdb. This method can also be done offline on a different machine.

tdbdump secrets.tdb

Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is the value without the trailing zero. Use the ktutil utility to construct the keytab:

ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes256-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes128-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  write_kt my.keytab
ktutil:  q

Keytab Creation on a Windows Server

A less cumbersome way, using a Windows server:

User account:

ktpass.exe /out my.keytab /pass <password> /princ <user>@<realm> /ptype KRB5_NT_PRINCIPAL /crypto all

Machine account:

ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all