Difference between revisions of "Keytab Extraction"

From SambaWiki
Latest revision as of 13:34, 9 October 2016

Once you have captured packets you can use Wireshark to analyze them; in many cases the traffic must first be decrypted before an exchange can be analyzed correctly.

How to Extract a keytab containing your domain's passwords

There are two ways to obtain a keytab from an Active Directory Domain with Samba:

Using Samba4

To use Samba4 for this, it needs a copy of the domain database. If it is already a domain controller for your domain, you can skip the next step.

Clone the DC:

   samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
   samba-tool domain exportkeytab PATH_TO_KEYTAB  --configfile=/tmp/foo/etc/smb.conf

If you don't have the `samba-tool drs clone-dc-database` command, then your Samba version is not new enough and you will need to join the domain. See how to join Samba4 as a domain controller, then run

   samba-tool domain exportkeytab PATH_TO_KEYTAB

It will write out a keytab in PATH_TO_KEYTAB containing the current keys for every host and user.

Using Samba3

To dump a keytab, join the domain and then run:

net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights 

Note that the path to the keytab file must be an absolute path. In some situations you may need to append @domain.tld to the administrative username.

Online Keytab Creation from Machine Account Password

In a field deployment on a domain with 100K+ accounts, extracting all passwords is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made by a member server, encrypted by its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:

KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P

Offline Keytab Creation from Secrets.tdb

If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials if you can get hold of the server's secrets.tdb. This method can also be carried out offline on a different machine.

tdbdump secrets.tdb

Now look for the key SECRETS/MACHINE_PASSWORD/<domain>; the password is the value without the trailing zero byte. Use the ktutil utility to construct the keytab:

ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes256-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes128-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  write_kt my.keytab
ktutil:  q
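Whether the keytab came out of samba-tool, net ads keytab or the ktutil session above, it is worth checking what it actually contains before handing it to Wireshark: a capture negotiated with aes256 cannot be decrypted from a keytab that only holds an aes128 or RC4 key for that host, and a stale kvno means the keys predate the last machine password change. The following is an added example and not code from the Samba wiki or the Samba project: a small reader for the MIT keytab format (magic 05 02) that lists principal, enctype, kvno and key length without ever exposing key bytes. The builder, the host and realm names and the key bytes in the sample are all constructed for the example.

```python
"""Inspect a Kerberos keytab (MIT format 0x0502) before handing it to Wireshark.

Added example, not part of the Samba wiki page. It lists principal, enctype
and kvno for every entry and never prints key material, so its output can be
pasted into a ticket safely.
"""
import struct
from datetime import datetime, timezone

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1   # user accounts (ktpass /ptype KRB5_NT_PRINCIPAL)
KRB5_NT_SRV_INST = 2    # host/service principals (ktpass /ptype KRB5_NT_SRV_INST)
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, name_type: int, kvno: int, enctype: int,
                key: bytes, timestamp: int = 0) -> bytes:
    """Encode one v2 entry with its int32 size prefix (only used to build the
    constructed sample keytab below)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))      # v2: realm is not counted
    body += _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                 # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(entries)


def _parse_entry(e: bytes) -> dict:
    cur = 0

    def take(fmt):
        nonlocal cur
        vals = struct.unpack_from(fmt, e, cur)
        cur += struct.calcsize(fmt)
        return vals

    def counted() -> bytes:
        nonlocal cur
        (n,) = take(">H")
        s = e[cur:cur + n]
        cur += n
        return s

    (ncomp,) = take(">H")
    realm = counted().decode()
    components = [counted().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = take(">IIB")
    (enctype,) = take(">H")
    key = counted()
    kvno = vno8
    if len(e) - cur >= 4:                 # 32-bit kvno wins when present and nonzero
        (vno32,) = take(">I")
        if vno32:
            kvno = vno32
    return {
        "principal": "/".join(components) + "@" + realm,
        "name_type": name_type,
        "kvno": kvno,
        "enctype": enctype,
        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
        "timestamp": timestamp,
        "written": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "key_len": len(key),              # length only: key bytes are never exposed
    }


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab (magic must be 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size = deleted slot of that length
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def enctypes_by_principal(entries) -> dict:
    """Map each principal to the set of enctypes the keytab holds for it."""
    out = {}
    for en in entries:
        out.setdefault(en["principal"], set()).add(en["enctype_name"])
    return out


# Constructed sample: fake host, realm and key bytes, plus one deleted slot.
HOST = "host/fileserver.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    build_entry(HOST, KRB5_NT_SRV_INST, 1, 18, bytes(range(32)), 1476000000),
    build_entry(HOST, KRB5_NT_SRV_INST, 1, 17, bytes(range(16)), 1476000000),
    struct.pack(">i", -8) + b"\x00" * 8,  # deleted slot, must be skipped
    build_entry("alice@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 2, 23, b"\xaa" * 16, 1476000000),
])

if __name__ == "__main__":
    for en in parse_keytab(SAMPLE_KEYTAB):
        print(f'{en["principal"]:45} kvno={en["kvno"]} {en["enctype_name"]} '
              f'({en["key_len"]} bytes) written {en["written"]}')
```

To inspect a real file, replace SAMPLE_KEYTAB with the contents of the keytab you extracted (open(path, "rb").read()). The principal list tells you which hosts the capture can be decrypted for, the enctype set per principal tells you whether the cipher the clients negotiated is covered, and the kvno lets you confirm the keys match the current machine password rather than a previous one.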

Keytab Creation on a Windows Server

A less cumbersome way, using a Windows server:

User account:

ktpass.exe /out my.keytab /pass <password> /princ <user>@<realm> /ptype KRB5_NT_PRINCIPAL /crypto all

Machine account:

ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all