Keytab Extraction: Difference between revisions
(→Samba4: Mention samba-tool for recent s4.)
No edit summary
Revision as of 14:34, 19 June 2011
Once you have captured packets you can use Wireshark to analyze them. In many cases the traffic must first be decrypted before an exchange can be analyzed correctly.
How to Extract a keytab containing your domain's passwords
The keytab, a standard format for the storage of Kerberos keys, is also the input Wireshark requires to decrypt encrypted traffic.
There are two ways to obtain a keytab from a Windows domain, with Samba:
Samba4
To join the domain, run:
net vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator
Or, for a recent GIT checkout (later than 2010/10/23):
samba-tool vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator
If everything is set up correctly, it should just work. If not, check /etc/krb5.conf in particular; ensure it can reach the KDC by setting:
[libdefaults]
    dns_lookup_kdc = true
Then, to extract the keytab, run:
net export keytab PATH_TO_KEYTAB
or:
samba-tool export keytab PATH_TO_KEYTAB
It will write out a keytab in the path specified, containing the current keys for every host.
Samba3
To dump a keytab, join the domain and then run:
net rpc vampire keytab /path/to/keytab/file
Note that the path to the keytab file needs to be an absolute path.
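Before handing the exported file to Wireshark it is worth checking what it actually contains: which principals are present, their kvno and encryption types, and whether the hosts whose traffic you captured are in it. The parser below, added here as an example and not part of the Samba wiki or Samba's own code, reads the MIT-style version 2 keytab format (the 05 02 header that both the Samba4 export and the Samba3 "net rpc vampire keytab" write) without retaining key bytes, and reports missing principals against an expected list. The sample keytab at the bottom is constructed in the script itself (dummy keys, hypothetical principals); it is not an export from a real domain.

```python
import struct
from datetime import datetime, timezone

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2, as written by Samba

# Common Kerberos enctype numbers; anything else is reported numerically.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Parse a keytab into entry dicts. Key bytes are skipped; only their length is kept."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 05 02 header)")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size = hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                   # skip the key material itself
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": datetime.fromtimestamp(ts, timezone.utc),
            "kvno": vno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": klen,
        })
        off = end
    return entries


def missing_principals(entries, expected):
    """Principals you expected in the export but which are absent from the keytab."""
    return sorted(set(expected) - {e["principal"] for e in entries})


# --- constructed sample keytab (hypothetical principals, dummy key bytes) ---
def _entry(realm, comps, ts, vno8, enctype, key, vno32=None):
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, ts, vno8)          # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    if vno32 is not None:
        body += struct.pack(">I", vno32)
    return struct.pack(">i", len(body)) + body


SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + _entry(b"EXAMPLE.COM", [b"host", b"dc1.example.com"], 1308480000, 3, 18, b"\x11" * 32)
    + struct.pack(">i", -6) + b"\x00" * 6              # free slot from a deleted entry
    + _entry(b"EXAMPLE.COM", [b"cifs", b"fs1.example.com"], 1308480000, 0, 23,
             b"\x22" * 16, vno32=300)                  # kvno > 255 needs the 32-bit field
)

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(f'{e["kvno"]:>4} {e["enctype"]:<26} {e["principal"]}  ({e["key_len"]}-byte key)')
    print("missing:", missing_principals(
        found, ["host/dc1.example.com@EXAMPLE.COM", "host/dc2.example.com@EXAMPLE.COM"]))
```

To check a real export, replace SAMPLE_KEYTAB with the contents of the file written by "net export keytab" or "net rpc vampire keytab" (open it in binary mode) and pass the host/ and cifs/ principals of the machines in your capture as the expected list; an entry with an enctype Wireshark does not support, or a kvno older than the one seen in the capture's tickets, explains most failed decryptions.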