
I'm trying to decrypt Kerberos traffic with Wireshark for learning purposes. My process is the following:

  1. First I retrieve a keytab for the test user with kadmin
kadmin.local:  ktadd -k vdzh-fin.keytab vdzharkov@VDZHARKOV.NOVALOCAL
Entry for principal vdzharkov@VDZHARKOV.NOVALOCAL with kvno 15, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal vdzharkov@VDZHARKOV.NOVALOCAL with kvno 15, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal vdzharkov@VDZHARKOV.NOVALOCAL with kvno 15, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal vdzharkov@VDZHARKOV.NOVALOCAL with kvno 15, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal vdzharkov@VDZHARKOV.NOVALOCAL with kvno 15, encryption type camellia128-cts-cmac added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal vdzharkov@VDZHARKOV.NOVALOCAL with kvno 15, encryption type camellia256-cts-cmac added to keytab WRFILE:vdzh-fin.keytab.
kadmin.local:  get_principal vdzharkov
Principal: vdzharkov@VDZHARKOV.NOVALOCAL
Expiration date: [never]
Last password change: Thu Apr 06 22:45:50 +10 2023
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Apr 06 22:45:50 +10 2023 (vdzharkov/admin@VDZHARKOV.NOVALOCAL)
Last successful authentication: [never]
Last failed authentication: Thu Apr 06 22:47:23 +10 2023
Failed password attempts: 0
Number of keys: 6
Key: vno 15, aes256-cts-hmac-sha1-96
Key: vno 15, aes128-cts-hmac-sha1-96
Key: vno 15, aes128-cts-hmac-sha256-128
Key: vno 15, aes256-cts-hmac-sha384-192
Key: vno 15, camellia128-cts-cmac
Key: vno 15, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH

I guess it randomizes the keys in the keytab and increments the kvno, but then I'm authenticating with this keytab.

In a second tab I start tcpdump:

vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ sudo tcpdump host 192.168.5.19 -w fin.pcap

Then I authenticate:

vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ kdestroy -A
vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ kinit -kt vdzh-fin.keytab vdzharkov

After that I try to decrypt the enc-part of the AS_REP, but with no success:

vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ tshark -r fin.pcap -K vdzh-fin.keytab -w finout.pcap
Kerberos
    Record Mark: 1770 bytes
    as-rep
        pvno: 5
        msg-type: krb-as-rep (11)
        crealm: VDZHARKOV.NOVALOCAL
        cname
        ticket
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            cipher: 48763e28028495b2099f5ea12559a35e4d0e2fe77026db4c8bf1f5772ba388198294cdb1…
    Missing keytype 18 usage 2 missing in frame 16 keytype 18 (id=missing.1 same=0) (00000000...)
    Missing keytype 18 usage 3 missing in frame 16 keytype 18 (id=missing.2 same=0) (00000000...)

I also tried the same via the Wireshark GUI with Preferences -> Protocols -> KRB5, checked all the options and supplied the keytab file, but with no effect.

Versions:
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Funnily enough, I can decrypt the TGT with the krbtgt principal's keytab:

as-rep
    pvno: 5
    msg-type: krb-as-rep (11)
    crealm: VDZHARKOV.NOVALOCAL
    cname
    ticket
        tkt-vno: 5
        realm: VDZHARKOV.NOVALOCAL
        sname
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            kvno: 5
            cipher: 10cc6398a0b5131703c525077d36e4149524d224630ae49d30d21ff02db8654b1ce12091…
                Decrypted keytype 18 usage 2 using keytab principal krbtgt/VDZHARKOV.NOVALOCAL@VDZHARKOV.NOVALOCAL (id=keytab.7 same=0) (26a828a4...)
                encTicketPart
                    Padding: 0
                    flags: 40610000
                    key
                        Learnt encTicketPart_key keytype 18 (id=16.1) (a403a03e...)
                        keytype: 18
                        keyvalue: a403a03e56fc3a3c1b358dd1879fab436f34917a444ec3b2490e50cb40d660f9
                    crealm: VDZHARKOV.NOVALOCAL
                    cname
                    transited
                    authtime: 2023-04-06 12:49:34 (UTC)
                    endtime: 2023-04-07 12:21:55 (UTC)
                    authorization-data: 3 items
    enc-part
        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
        cipher: 48763e28028495b2099f5ea12559a35e4d0e2fe77026db4c8bf1f5772ba388198294cdb1…

So I have two questions:

  1. Am I doing something wrong?
  2. Are there perhaps some library alternatives for decrypting Kerberos-encrypted blobs captured with Wireshark?
vudex

0 Answers