Difference between revisions of "Keytab Extraction"

Line 9: Line 9:
 
Then, to extract the keytab run  
 
Then, to extract the keytab run  
  
  samba-tool export keytab PATH_TO_KEYTAB
+
  samba-tool domain exportkeytab PATH_TO_KEYTAB
  
 
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.
 
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.
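Review bot: The context line "containing the current keys for every host and user" describes a file that holds every credential in the domain, but nothing around the corrected command says how PATH_TO_KEYTAB should be protected. Suggest adding a sentence after the command telling the reader to write the file somewhere readable only by the administrator and to delete it once the analysis is finished.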
Line 17: Line 17:
 
To dump a keytab, join the domain and then run:
 
To dump a keytab, join the domain and then run:
  
  net rpc vampire keytab /path/to/keytab/file
+
  net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights
  
Note that the path to the keytab file needs to be an absolute path.
+
Note that the path to the keytab file needs to be an absolute path, in some situations you might need to append @domain.tld at the administrative username
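Review bot: The added note joins two unrelated points with a comma and says "append @domain.tld at the administrative username". Split it into two sentences and use "to": "Note that the path to the keytab file needs to be an absolute path. In some situations you might need to append @domain.tld to the administrative username." The new command line also mixes placeholder styles, with <ip_domain_controller> in angle brackets and user_with_admin_rights bare; use one style for both.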

Revision as of 17:32, 20 January 2012

Once you have captured packets, you can use Wireshark to analyze them. In many cases, the traffic must be decrypted in order to analyze an exchange correctly.

How to Extract a keytab containing your domain's passwords

There are two ways to obtain a keytab from an Active Directory Domain with Samba:

Using Samba4

To use Samba4, it needs to be a domain controller for your domain. If that is not already the case, check how to join Samba4 as a domain controller.

Then, to extract the keytab run

samba-tool domain exportkeytab PATH_TO_KEYTAB

It will write out a keytab in PATH_TO_KEYTAB containing the current keys for every host and user.

Using Samba3

To dump a keytab, join the domain and then run:

net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights 

Note that the path to the keytab file needs to be an absolute path. In some situations you might need to append @domain.tld to the administrative username.