Kerberos

Kerberos is a service that provides mutual authentication between users and services in a network. It is popular both in Unix and Windows (Active Directory) environments.

History

Initially Kerberos was developed and deployed as part of the Athena project. This version of the Kerberos service and protocol was version 4. While Kerberos v4 still has limited use in AFS environments, it has largely been replaced by Kerberos v5 in all other environments.

There is no official specification for Kerberos v4 but Wireshark does support the "original" version of this protocol. Wireshark also has limited support for some extensions to Kerberos v4 which Transarc introduced for their AFS implementation.

Kerberos 5 is fully standardized and many implementations exist today. The most common implementations are Heimdal Kerberos, MIT Kerberos and Microsofts implementation used in W2K and later.

Kerberos was initially developed as a pure authentication system but is today also used to provide a transport for authorization data as well using extensions such as PKINIT/X.509 and Microsoft PAC structures.

Protocol dependencies

Example traffic

Wireshark

The Kerberos dissector is fully functional and can if compiled and linked with either Heimdal or MIT kerberos libraries decrypt kerberos tickets given that a keytab file containing the shared secrets is provided. This support is available for Linux/Unix. Windows support for this feature was added in 0.99.3. This feature also provides decryption of several protocols using GSS-API and Kerberos such as LDAP and DCE/RPC but decryption of those protocols only work if arcfour encryption is used.

How to Create Keytab File

Various utilities can be used to create a keytab file on various OSes.

ktutil

Both MIT and Heimdal Kerberos provide a tool called ktutil. It can be used to create a keytab file if you already know the principal's password or Kerberos key.

Example. The follow ingcommands create a keytab file for a user in a Windows domain if you know the password. Here the MIT version of ktutil is used.

>ktutil
ktutil: addent -password -p username/domain.com@DOMAIN.COM -k <kvno> -e rc4-hmac
ktutil: wkt ./keytab.file
ktutil: quit

Please use the latest version of MIT or Heimdal Kerberos if you want to create an RC4 key. RC4 is used in Windows by default.

ktpass.exe

A tool from Windows 2003 support tools, called ktpass.exe, can also create a keytab file. Please note that only the latest version from the Windows 2003 SP1 support tools supports RC4 keys. The below is an sample ktpass.exe command line dialog for exporting a computer account principal (note that resetting the password on a computer account of a machine joined to the domain could be bad - use ktexport.exe instead).

C:\temp> ktpass /out quark.keytab /mapuser quark$@FOO.NET /princ cifs/quark.foo.net@FOO.NET /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
Targeting domain controller: dc1.foo.net
Using legacy password setting method
Successfully mapped cifs/quark.foo.net to quark$.
WARNING: Account quark$ is not a user account (uacflags=0x1021).
WARNING: Resetting quark$'s password may cause authentication problems if quark$ is being used as a server.

Reset quark$'s password [y/n]?  y
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to quark.keytab:
Keytab version: 0x502
keysize 64 cifs/quark.foo.net@FOO.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 3 
etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)

ktexport.exe

The ktexport utility may be used to dump all RC4 keys on a Windows domain controller to a keytab file. This method may be superior to using ktpass.exe because it does not reset passwords. The ktexport package is just a modification of the pwdump2 program from bindview.com. Simply run ktexport.exe on the target domain controller. A sam.keytab file will be generated in the current directory. Unfortunately, aside from the RC4 keys, most of the other data in the keytab is WRONG. However, it turns out that Wireshark doesn't care. So the generated sam.keytab can be used with Wireshark to decrypt Kerberos tickets. Note that the ktexport.exe program will not run over Remote Desktop or similar but see REAME.ktexport for a workaround.

NTDSXtract

The NTDSXtract framework may be used to dump all Kerberos keys on a Windows Domain Controller to a keytab file. This method does not reset passwords and does not modify anything on Domain Controller. Unfortunately, aside from the Kerberos keys, most of the other data in the keytab is WRONG. However, it turns out that Wireshark doesn't care. See release notes in NTDSXtract distribution for further details.

To dump Kerberos keys follow the steps:

Specifying the keytab file to use

You can specify the filename of the keytab file to use in the KRB5 preferences (main menu, Edit menu, Preferences menu item, in the left tree of Preferences dialog expand Protocols, select KRB5 protocol, on the right panel specify Kerberos keytab file). You can also specify the keytab file(s) to load on the command line using the -K <keytab> option. You can use this option multiple times to load multiple keytab files.

Note, there is a bug in the windows version of kerberos decryption handling keytab files. In windows you can only specify a filename and not a full path. This means that you must store the keytab file in the same directory as where your capture file is stored (which becomes the current working directory for wireshark) and then you specify just the keytab filename without the path. This bug does applies to Wireshark version 1.10.3. It must have been fixed.

Note, only 32-bit Windows version of Wireshark decrypts Kerberos traffic. 64-bit Windows version is compiled without Kerberos support. Open Wireshark About Dialog. In 64-bit version you'll see "Compiled (64-bit) ... without Kerberos ..." At the time of writing Wireshark version was 1.10.3.

Preference Settings

Example capture file

SampleCaptures/krb-816.zip Zip archive containing Kerberos traffic capture and keytab file.

SampleCaptures/kerberos-Delegation.zip An example of Kerberos Delegation in Windows Active Directory. Keytab file is also included. Please use Wireshark 0.10.14 SVN 17272 or above to open the trace.

SampleCaptures/constained-delegation.zip An example of Kerberos constrained delegation (s4U2Proxy) in Windows 2003 domain.

Display Filter

A complete list of Kerberos display filter fields can be found in the display filter reference

Capture Filter

You cannot directly filter Kerberos protocols while capturing. However, if you know the port used (see above), you can filter on that one.

Obsolete:

Discussion

Kerberos (last edited 2013-11-03 06:51:16 by SergeyKubasov)