Keytab Extraction

Revision as of 14:49, 19 June 2011 by Ekacnet (talk | contribs)

Once you have captured packets you can use Wireshark to analyze them in many case decryption of traffic is needed in order to analyze correctly an exchange.

How to Extract a keytab containing your domain's passwords

There are two ways to obtain a keytab from an Active Directory Domain with Samba:

Using Samba4

To use samba4, it needs to be a domain controller for your domain. If it's not the case check how to join Samba4 as domain controller

net vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator

Or, for a recent GIT checkout (later than 2010/10/23):

samba-tool vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator

If everything is set up correctly, it should just work. If not, check /etc/krb5.conf in particular - ensure it can reach the KDC by setting:

[libdefaults]
dns_lookup_kdc = true

Then, to extract the keytab run

net export keytab PATH_TO_KEYAB

or:

samba-tool export keytab PATH_TO_KEYAB

It will write out a keytab in the path specified, containing the current keys for every host.

Samba3

To dump a keytab, join the domain and then run:

net rpc vampire keytab /path/to/keytab/file

Note that the path to the keytab file needs to be an absolute path.