More Kerberos fun with PACs: decrypt the PAC
I had been meaning to blog about this for a while, and recently was teaching a class when a friend of mine looked into the exact steps and issues – thanks Woody.
It may be interesting to peek into the PAC every once in a while and make sure everything is OK. Yaknow, like a long-lost cousin. See http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx for more info on PAC data.
This is good for labs, not so much for production. But here goes.
It's laid out here: http://wiki.wireshark.org/Kerberos
1. Download the ktexport utility from http://www.ioplex.com/utilities/
2. Run it on your DC against LSASS.EXE's PID.
3. For example (376 being the LSASS.EXE PID in this case): C:\TEMP\ktexport.exe 376
4. It will create a file called sam.keytab.
5. Create a directory called c:\temp.
6. Copy sam.keytab to c:\temp.
7. Copy the Wireshark trace to c:\temp.
8. Open the trace in Wireshark.
Go to Edit -> Preferences:

Enable the option to decrypt the blobs.
Specify the sam.keytab file with no path information, as Wireshark does not seem to like a path (for example c:\temp\sam.keytab does NOT work).

Now, I have found I need to restart Wireshark sometimes, but check your Kerberos data, like an AS-REP packet, and you should see:
```
AuthorizationData AD-IF-RELEVANT
    Type: AD-IF-RELEVANT (1)
    Data: 308202D2308202CEA00402020080A18202C4048202C00400...
        IF_RELEVANT AD-Win2k-PAC
            Type: AD-Win2k-PAC (128)
            Data: 040000000000000001000000300200004800000000000000...
                Num Entries: 4
                Version: 0
                Type: Logon Info (1)
                Size: 560
                Offset: 72
                PAC_LOGON_INFO: 01100800CCCCCCCC200200000000000000000200C0C1160B...
                    unknown MIDL blob
                        Unknown: 0x00081001
                        Unknown: 0xcccccccc
                        Blob Length: 544
                        Unknown: 0x00000000
                    PAC_LOGON_INFO:
                        Referent ID: 0x00020000
                        Logon Time: Mar 25, 2009 16:25:54.415046400
                        Logoff Time: Infinity (absolute time)
                        Kickoff Time: Infinity (absolute time)
                        PWD Last Set: Mar 18, 2009 12:31:33.473204800
                        PWD Can Change: Mar 19, 2009 12:31:33.473204800
                        PWD Must Change: Apr 30, 2009 11:19:05.216948800
                        Acct Name: shannon
                            Length: 14
                            Size: 14
                            Character Array: shannon
                                Referent ID: 0x00020004
                                Max Count: 7
                                Offset: 0
                                Actual Count: 7
                                Acct Name: shannon
                        Full Name: shannon
                            Length: 14
                            Size: 14
                            Character Array: shannon
                                Referent ID: 0x00020008
                                Max Count: 7
                                Offset: 0
                                Actual Count: 7
                                Full Name: shannon
                        Logon Script
                            Length: 0
                            Size: 0
                            Character Array
                                Referent ID: 0x0002000c
                                Max Count: 0
                                Offset: 0
                                Actual Count: 0
                        Profile Path
                            Length: 0
                            Size: 0
                            Character Array
                                Referent ID: 0x00020010
```
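The dissector tree above is just Wireshark walking two structures: the PACTYPE header (the "Num Entries / Version / Type / Size / Offset" lines) and, inside the logon-info buffer, the NDR type-serialization headers it labels "unknown MIDL blob". The following is an added example, not code from the post or from Wireshark, that decodes exactly those bytes; the two hex strings are copied from the dissector lines above up to their "..." and are therefore truncated, so the parser has to stop cleanly when the descriptor table runs out. The small complete PAC at the bottom is constructed here to show the bounds check on a full blob.

```python
"""Decode the PACTYPE header and the NDR type-serialization headers that the
Kerberos dissector shows as "unknown MIDL blob". Added example, not the post's code."""
import struct

# Buffer types from MS-PAC section 2.4 (subset most often seen in a TGT PAC)
PAC_BUFFER_TYPES = {
    0x01: "Logon Info",
    0x02: "Credentials Info",
    0x06: "Server Checksum",
    0x07: "KDC Checksum",
    0x0A: "Client Name and Ticket Info",
    0x0B: "Constrained Delegation Info",
    0x0C: "UPN and DNS Info",
    0x10: "Ticket Checksum",
}


def parse_pac_header(pac: bytes) -> dict:
    """PACTYPE = cBuffers, Version, then cBuffers x PAC_INFO_BUFFER
    (ulType, cbBufferSize, 64-bit Offset), all little-endian.
    Stops if the descriptor table is cut short (e.g. a truncated summary line)."""
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    buffers = []
    for i in range(cbuffers):
        off = 8 + 16 * i
        if off + 16 > len(pac):
            break                      # table truncated: report what we have
        ultype, size, offset = struct.unpack_from("<IIQ", pac, off)
        buffers.append({
            "type": ultype,
            "name": PAC_BUFFER_TYPES.get(ultype, "Unknown"),
            "size": size,
            "offset": offset,
            # only meaningful when the whole PAC blob is present
            "in_bounds": offset + size <= len(pac),
        })
    return {"num_entries": cbuffers, "version": version, "buffers": buffers}


def pac_buffer(pac: bytes, desc: dict) -> bytes:
    """Slice one buffer out of a complete PAC, refusing out-of-range descriptors."""
    if not desc["in_bounds"]:
        raise ValueError("PAC buffer descriptor points outside the blob")
    return pac[desc["offset"]:desc["offset"] + desc["size"]]


def parse_ndr_headers(blob: bytes) -> dict:
    """Type Serialization Version 1 (MS-RPCE 2.2.6): 8-byte common header
    (version, endianness, header length, 0xCCCCCCCC filler), 8-byte private
    header (object buffer length, zero filler), then the NDR stream, whose
    first item here is the referent ID of the KERB_VALIDATION_INFO pointer."""
    version, endian, hdr_len, filler = struct.unpack_from("<BBHI", blob, 0)
    obj_len, priv_filler = struct.unpack_from("<II", blob, 8)
    referent = struct.unpack_from("<I", blob, 16)[0]
    if version != 1 or endian != 0x10 or hdr_len != 8:
        raise ValueError("not a little-endian NDR type-serialization v1 blob")
    return {"version": version, "little_endian": endian == 0x10,
            "common_header_len": hdr_len, "filler": filler,
            "object_length": obj_len, "private_filler": priv_filler,
            "referent_id": referent}


# Hex copied from the dissector lines above, up to the "..." (so truncated)
PAC_PREFIX = bytes.fromhex("040000000000000001000000300200004800000000000000")
LOGON_INFO_PREFIX = bytes.fromhex("01100800CCCCCCCC200200000000000000000200C0C1160B")

# Constructed complete PAC: one 4-byte "Server Checksum" buffer at offset 24
TINY_PAC = struct.pack("<IIIIQ", 1, 0, 0x06, 4, 24) + b"\xaa\xbb\xcc\xdd"

if __name__ == "__main__":
    print(parse_pac_header(PAC_PREFIX))        # Num Entries 4, Logon Info 560 @ 72
    print(parse_ndr_headers(LOGON_INFO_PREFIX))  # 0x00081001 / 0xcccccccc / 544 / 0
    hdr = parse_pac_header(TINY_PAC)
    print(pac_buffer(TINY_PAC, hdr["buffers"][0]).hex())
```

Reading the "Unknown" lines with this in hand: 0x00081001 is the little-endian view of version 1, endianness 0x10 (little), header length 8; 0xcccccccc is the filler; Blob Length 544 is the private header's object buffer length (560 bytes of buffer minus the 16 bytes of headers); and 0x00020000 is the first NDR referent ID.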
Have fun!
Spat
OK, so some folks have let me know that ktexport crashes LSASS.EXE, which is obviously no fun.
So here is what I tested:
- I installed WindowsServer2003-KB843071-x86-enu.exe from "Ktpass.exe may not create a Kerberos keytab file successfully when you use the /target switch and the /mapuser switch on a Windows Server 2003-based computer or on a Windows 2000-based computer"
- The user's samAccountName is Shannon
- The user's password is Password.
- The user's domain is request132027.local
I ran the following:
```
C:\TEMP>ktpass.exe /out shannon.keytab /princ shannon@MIL /crypto RC4-HMAC /pass Password /ptype KRB5_NT_PRINCIPAL
Key created.
Output keytab to shannon.keytab:
Keytab version: 0x502
keysize 45 shannon@MIL ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x76756bad6a045177f68d583c1152e3c5)
```
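What ktpass produced above, and what the ktexport steps earlier feed to Wireshark, is an MIT-format keytab (version 0x502). For RC4-HMAC (etype 0x17) the long-term key is the account's NT hash, MD4 over the UTF-16LE password with no salt, so a keytab for a user whose password you know can be built offline and the result matches what ktpass prints for the same password. The following is an added example, not the post's code and not ktpass: it writes such a keytab for the same principal and password used above and parses it back. The layout reproduces the 45-byte entry ktpass reported for shannon@MIL (no trailing 32-bit kvno, so the 8-bit vno field carries the version). MD4 is implemented inline because many current OpenSSL builds no longer expose it through hashlib.

```python
"""Build a v0x502 keytab holding the RC4-HMAC key for user@REALM from a known
password, as ktpass /crypto RC4-HMAC does, then read it back.
Added example, not the post's code."""
import struct
import time

MASK = 0xFFFFFFFF
ETYPE_RC4_HMAC = 0x17        # 23, as in the ktpass output above
KRB5_NT_PRINCIPAL = 1        # ptype 1, as in the ktpass output above


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python, so it works without OpenSSL legacy algorithms)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, message-word order, shifts)
        (F, 0, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c            # rotate the working registers
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4_hmac_key(password: str) -> bytes:
    """RC4-HMAC long-term key = NT hash = MD4(UTF-16LE(password)); no salt, no realm."""
    return md4(password.encode("utf-16-le"))


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, password: str, vno: int = 1, timestamp=None) -> bytes:
    """One-entry keytab for user@REALM: 0x0502 header, then int32 entry size and the
    entry (component count, realm, components, name type, timestamp, vno8, keyblock)."""
    user, realm = principal.split("@", 1)
    key = rc4_hmac_key(password)
    ts = int(time.time()) if timestamp is None else timestamp
    entry = (struct.pack(">H", 1)                          # one name component
             + _counted(realm.encode()) + _counted(user.encode())
             + struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, vno & 0xFF)
             + struct.pack(">HH", ETYPE_RC4_HMAC, len(key)) + key)
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry


def _counted_at(data: bytes, pos: int):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Read every entry of a v0x502 keytab; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size == 0:
            break
        if size < 0:                                   # deleted entry: skip its bytes
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _counted_at(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_at(data, pos)
            comps.append(comp)
        ptype, ts, vno, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        key = data[pos + 13:pos + 13 + klen]
        entries.append({"principal": "/".join(comps) + "@" + realm, "ptype": ptype,
                        "vno": vno, "etype": etype, "key": key.hex(), "size": size})
        pos = end
    return entries


if __name__ == "__main__":
    kt = build_keytab("shannon@MIL", "Password")   # same principal/password as the post
    with open("shannon.keytab", "wb") as f:        # point Wireshark's keytab preference here
        f.write(kt)
    for e in parse_keytab(kt):
        print(e)
```

Because the RC4-HMAC key is derived from the password alone, the realm string written into the keytab does not change the key; the parser is also handy for checking what a keytab from ktexport or ktpass actually contains (principal, etype, vno) before blaming Wireshark when a trace will not decrypt.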
I used this keytab in wireshark:
![clip_image002[1]](http://blogs.msdn.com/blogfiles/spatdsg/WindowsLiveWriter/MoreKerberosfunwithPACs_F853/clip_image002%5B1%5D_thumb.jpg)
Seemed to work out OK. If you were doing it for a machine it would not work, since you don't know the machine password. I have not tried setting the password, etc.
spat