Spat's WebLog (Steve Patrick)

When things go wrong...

More Kerberos fun with PAC’s- decrypt the PAC

More Kerberos fun with PAC’s- decrypt the PAC

Rate This
  • Comments 5

I had been meaning to blog about this for a while, and recently was teaching a class when a friend of mine looked into the exact steps and issues – thanks Woody.

It may be interesting to peek into the PAC every once in a while and make sure everything is OK. Yaknow – like a long lost cousin. See http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx  for more info on PAC data

This is good for labs – not so much for production. But here goes.

It’s laid out here: http://wiki.wireshark.org/Kerberos

1. Download the ktexport utility - http://www.ioplex.com/utilities/

2. Run it on your DC against LSASS.EXE’s PID

3. C:\TEMP\ktexport.exe 376

4. It will create a file called sam.keytab

5. Create a directory called c:\temp

6. Copy sam.keytab to c:\temp.

7. Copy the wireshark trace to c:\temp

8. Open the trace in wireshark

Go to Edit -> Preferences:

clip_image002

Enabled the ability to decrypt the blobs.

Specify the sam.keytab file – no path info as it does not seem to like it. ( for example c:\temp\sam.keytab does NOT work )

clip_image004

Now – I have found I need to restart Wireshark sometimes, but check your kerb data – like an AS_REP packet and you should see:

  AuthorizationData AD-IF-RELEVANT

                        Type: AD-IF-RELEVANT (1)

                        Data: 308202D2308202CEA00402020080A18202C4048202C00400...

                            IF_RELEVANT AD-Win2k-PAC

                                Type: AD-Win2k-PAC (128)

                                Data: 040000000000000001000000300200004800000000000000...

                                    Num Entries: 4

                                    Version: 0

                                    Type: Logon Info (1)

                                        Size: 560

                                        Offset: 72

                                      PAC_LOGON_INFO: 01100800CCCCCCCC200200000000000000000200C0C1160B...

                                            unknown MIDL blob

                                                Unknown: 0x00081001

                                                Unknown: 0xcccccccc

                                                Blob Length: 544

                                                Unknown: 0x00000000

                                            PAC_LOGON_INFO:

                                                Referent ID: 0x00020000

                                                Logon Time: Mar 25, 2009 16:25:54.415046400

                                                Logoff Time: Infinity (absolute time)

                                                Kickoff Time: Infinity (absolute time)

                                                PWD Last Set: Mar 18, 2009 12:31:33.473204800

                                                PWD Can Change: Mar 19, 2009 12:31:33.473204800

                                                PWD Must Change: Apr 30, 2009 11:19:05.216948800

                                                Acct Name: shannon

                                                    Length: 14

                                                    Size: 14

                                                    Character Array: shannon

                                                        Referent ID: 0x00020004

                                                        Max Count: 7

                                                        Offset: 0

                                                        Actual Count: 7

                                                        Acct Name: shannon

                                                Full Name: shannon

                                                    Length: 14

                                                    Size: 14

                                                    Character Array: shannon

                                                        Referent ID: 0x00020008

                                                        Max Count: 7

                                                        Offset: 0

                                                        Actual Count: 7

                                                        Full Name: shannon

                                                Logon Script

                                                    Length: 0

                                                    Size: 0

                                                    Character Array

                                                        Referent ID: 0x0002000c

                                                        Max Count: 0

                                                        Offset: 0

                                                        Actual Count: 0

                                                Profile Path

                                                    Length: 0

                                                    Size: 0

                                                    Character Array

                                                        Referent ID: 0x00020010

 

Have fun!

Spat

 

 

OK so some folks have let me know that Ktexport crashes LSASS.EXE - obviously no fun.

So here is what I tested:

I installed WindowsServer2003-KB843071-x86-enu.exe from "Ktpass.exe may not create a Kerberos keytab file successfully when you use the /target switch and the /mapuser switch on a Windows Server 2003-based computer or on a Windows 2000-based computer"

  • In this case the user's UPN is Shannon@mil
  • The users samAccountName is  Shannon
  • The users password is Password.
  • The users domain is request132027.local

I ran the following:

 

C:\TEMP>ktpass.exe /out shannon.keytab /princ shannon@MIL /crypto RC4-HMAC /pass Password /ptype KRB5_NT_PRINCIPAL

Key created.

Output keytab to shannon.keytab:

Keytab version: 0x502

keysize 45 shannon@MIL ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x76756bad6a045177f68d583c1152e3c5)

I used this keytab in wireshark:

clip_image002[1]

Seemed to work out OK.  If you were doing it for a machine it would not work since you don't know the machine password .. I have not tried setting the password etc..

spat

 

 

 

Leave a Comment
  • Please add 5 and 7 and type the answer here:
  • Post
  • Any known issues with running ktexport on VMs? Specifically, VMWare? Every time I run it, lsass crashes forcing a reboot.

  • Quite possibly.. I have added info on how to do it with KTPASS - assuming you know the users password.  BTW Dom - do you know Tad?

    spat

  • Thanks for the additional info. Yeah, I know Tad; we recently just helped each other overcome a few IAG issues.

    FYI, we have narrowed down the ktexport problems; the ONLY time it worked successfully was on a Win2003 DC (NOT R2). The fact that all of the DCs we tried it on were VMs ended up being a red herring; we tried on several different patch levels before we realized what was up.

    Thanks!

    -Dom

  • Ha!  I just saw this blog.  You're welcome.  ;)  Thanks for blogging it!  :)

  • hi there - the area in the gui doesnt exist anymore and i cant get the command line to work - any ideas ?

Page 1 of 1 (5 items)