Keytab Extraction

Revision as of 13:34, 9 October 2016 by Mmuehlfeld (Fixed link)

Once you have captured packets you can use Wireshark to analyze them. In many cases the traffic has to be decrypted before an exchange can be analyzed correctly, and for Kerberos-protected traffic that means giving Wireshark the keys of the accounts involved in the form of a keytab.

How to Extract a keytab containing your domain's passwords

There are two ways to obtain a keytab from an Active Directory Domain with Samba:

Using Samba4

Samba4 needs a copy of the domain database. If the host is already a domain controller for your domain, you can skip the next step.

Clone the DC:

   samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
   samba-tool domain exportkeytab PATH_TO_KEYTAB  --configfile=/tmp/foo/etc/smb.conf

If you don't have the `samba-tool drs clone-dc-database` command, your Samba version is too old and you will need to join the domain instead. See how to join Samba4 as a domain controller, then run

   samba-tool domain exportkeytab PATH_TO_KEYTAB

It writes a keytab to PATH_TO_KEYTAB containing the current keys of every host and user in the domain. Treat that file like the domain's password database: anyone who can read it can impersonate any account.

Using Samba3

To dump a keytab, join the domain and then run:

net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights 

Note that the path to the keytab file needs to be an absolute path. In some situations you might need to append @domain.tld to the administrative user name.
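Both methods above produce a keytab holding every key in the domain, which is far more than a packet analysis needs. The following Python script, an added example and not part of the Samba project or of this page, parses the MIT keytab format (version 0x0502, the format both samba-tool and net write) and writes a trimmed copy containing only the principals you actually want Wireshark to have. The realm, host names and key bytes in the embedded sample are constructed for the demonstration and are not real keys.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}


class _Reader:
    """Cursor over the big-endian fields of one keytab entry."""
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def counted(self):                     # uint16 length followed by that many bytes
        return self.take(self.unpack(">H"))


def parse_keytab(data):
    """Decode every live entry of a version 0x0502 keytab into a dict."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot
            pos += -size
            continue
        r = _Reader(data, pos)
        ncomp = r.unpack(">H")             # v2 does not count the realm as a component
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = r.unpack(">IIB")
        enctype, klen = r.unpack(">HH")
        key = r.take(klen)
        kvno = vno8
        if pos + size - r.pos >= 4:        # optional 32-bit kvno stored after the key
            kvno = r.unpack(">I")
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key})
        pos += size
    return entries


def _counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise entry dicts (as returned by parse_keytab) into a version 0x0502 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def filter_keytab(data, wanted):
    """Keep only the entries whose principal name (compared case-insensitively) is wanted."""
    wanted = {w.lower() for w in wanted}
    return build_keytab([e for e in parse_keytab(data) if e["principal"].lower() in wanted])


def summarize(data):
    """(principal, enctype name, kvno) for every entry, i.e. what klist -kte would show."""
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])), e["kvno"])
            for e in parse_keytab(data)]


def _entry(principal, enctype, kvno, key):
    return {"principal": principal, "name_type": KRB5_NT_PRINCIPAL,
            "timestamp": 1475000000, "kvno": kvno, "enctype": enctype, "key": key}


# Constructed sample: a domain-wide export with dummy key bytes (not real keys).
SAMPLE = build_keytab([
    _entry("host/fs01.example.com@EXAMPLE.COM", 18, 3, bytes(range(32))),
    _entry("host/fs01.example.com@EXAMPLE.COM", 17, 3, bytes(range(16))),
    _entry("alice@EXAMPLE.COM", 23, 7, b"\x11" * 16),
    _entry("Administrator@EXAMPLE.COM", 18, 12, b"\x22" * 32),
])

if __name__ == "__main__":
    import sys
    # usage: keytab_trim.py domain.keytab trimmed.keytab principal [principal ...]
    if len(sys.argv) >= 4:
        with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
            dst.write(filter_keytab(src.read(), sys.argv[3:]))
    else:
        for row in summarize(filter_keytab(SAMPLE, ["host/fs01.example.com@EXAMPLE.COM"])):
            print(*row)
```

Run it against the exported keytab with the host principal(s) of the captured member server, then copy only the trimmed file to the Wireshark machine. Keys are kept verbatim, so Wireshark decrypts exactly as it would with the full export; `klist -kte trimmed.keytab` is the quick check that the right principals and encryption types survived.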

Online Keytab Creation from Machine Account Password

In a field deployment on a domain with 100K+ accounts, extracting all passwords is not feasible due to policy and scale issues. What if you just want to decrypt packet captures made on a member server, i.e. traffic encrypted with its machine account password (or keys derived from that password)? The following command on the member server will get you the keytab:

KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P

Offline Keytab Creation from Secrets.tdb

If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials if you can get hold of the server's secrets.tdb. This method can also be carried out offline on a different machine.

tdbdump secrets.tdb

Now look for the key SECRETS/MACHINE_PASSWORD/<domain>; the password is the value without the trailing \00. Note that tdbdump prints every non-printable byte, as well as quotes and backslashes, as a \XX hex escape, so undo those escapes if the password contains any. Use the MIT Kerberos ktutil utility (Heimdal's ktutil has different commands) to construct the keytab, entering the password at each prompt:

ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes256-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes128-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil:  write_kt my.keytab
ktutil:  q
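Doing this by hand is error-prone when the password contains escaped bytes. The following Python script, an added example that is not part of this page or of Samba, reads a tdbdump listing, undoes the \XX escaping and the trailing NUL, and emits the ktutil session above as text that can be piped into MIT ktutil non-interactively. The domain name EXAMPLE, the principal host/fs01.example.com@EXAMPLE.COM, the kvno 2 and the dump contents are constructed for the demonstration; on a real system take the kvno from the account's msDS-KeyVersionNumber attribute.

```python
import re

# tdbdump prints each record as  key(N) = "..."  followed by  data(N) = "..."  and escapes
# every byte that is not printable ASCII, or is '"' or '\', as \XX (two hex digits).
_RECORD = re.compile(r'key\((\d+)\) = "([^"]*)"\s*data\((\d+)\) = "([^"]*)"')
_ESC = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape(field):
    """Undo tdbdump's \\XX escaping and return the raw bytes of a key or value."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), field).encode("latin-1")


def parse_tdbdump(text):
    """Map record key -> raw value bytes, verifying the lengths tdbdump printed."""
    records = {}
    for klen, key, dlen, data in _RECORD.findall(text):
        k, v = unescape(key), unescape(data)
        if len(k) != int(klen) or len(v) != int(dlen):
            raise ValueError("length mismatch while parsing record %r" % key)
        records[k.decode()] = v
    return records


def machine_password(records, domain):
    """Machine password of the domain: the record value minus its trailing NUL byte."""
    wanted = ("SECRETS/MACHINE_PASSWORD/" + domain).upper()
    for key, raw in records.items():
        if key.upper() == wanted:
            if not raw.endswith(b"\x00"):
                raise ValueError("expected a NUL-terminated machine password")
            return raw[:-1].decode("utf-8")
    raise KeyError("no machine password for domain %r" % domain)


def ktutil_script(password, principal, keytab, kvno,
                  enctypes=("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")):
    """Commands for MIT ktutil; each add_entry line is followed by the password it prompts for."""
    if "\n" in password:
        raise ValueError("password with a newline cannot be fed through ktutil's prompt")
    lines = []
    for et in enctypes:
        lines.append("add_entry -password -p %s -e %s -k %d" % (principal, et, kvno))
        lines.append(password)
    lines.append("write_kt %s" % keytab)
    lines.append("quit")
    return "\n".join(lines) + "\n"


# Constructed sample of `tdbdump secrets.tdb` output (hypothetical domain EXAMPLE): the
# password contains a double quote, a backslash and the terminating NUL, all escaped.
SAMPLE_DUMP = r"""{
key(32) = "SECRETS/MACHINE_PASSWORD/EXAMPLE"
data(19) = "p4\22ss\5Cw0rd-example\00"
}
{
key(40) = "SECRETS/MACHINE_LAST_CHANGE_TIME/EXAMPLE"
data(4) = "\00\A1\F2W"
}
"""

if __name__ == "__main__":
    import sys
    # usage: secrets_to_ktutil.py dump.txt DOMAIN host/fqdn@REALM out.keytab [kvno] | ktutil
    if len(sys.argv) >= 5:
        with open(sys.argv[1]) as f:
            pw = machine_password(parse_tdbdump(f.read()), sys.argv[2])
        kvno = int(sys.argv[5]) if len(sys.argv) > 5 else 1
        sys.stdout.write(ktutil_script(pw, sys.argv[3], sys.argv[4], kvno))
    else:
        pw = machine_password(parse_tdbdump(SAMPLE_DUMP), "EXAMPLE")
        sys.stdout.write(ktutil_script(pw, "host/fs01.example.com@EXAMPLE.COM", "fs01.keytab", 2))
```

Two caveats when you use the generated keys: the host name in the principal must be lower case, because MIT ktutil salts the AES string-to-key with realm plus principal components, which only matches the salt Active Directory uses for computer accounts (upper-case realm, "host", lower-case FQDN) when the name is written that way; and the kvno must be the account's current one, or Wireshark may not pick the key for tickets that carry a different version number.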

Keytab Creation on a Windows Server

A less cumbersome way, using a Windows server:

User account:

ktpass.exe /out my.keytab /pass <password> /princ <user>@<realm> /ptype KRB5_NT_PRINCIPAL /crypto all

Machine account:

ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all