Failing to decrypt Kerberos AP_REP with Wireshark

I'm trying to decrypt Kerberos traffic with Wireshark for learning purposes. My process is the following:

  1. First I retrieve a keytab for the test user with kadmin
kadmin.local:  ktadd -k vdzh-fin.keytab [email protected]
Entry for principal [email protected] with kvno 15, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal [email protected] with kvno 15, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal [email protected] with kvno 15, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal [email protected] with kvno 15, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal [email protected] with kvno 15, encryption type camellia128-cts-cmac added to keytab WRFILE:vdzh-fin.keytab.
Entry for principal [email protected] with kvno 15, encryption type camellia256-cts-cmac added to keytab WRFILE:vdzh-fin.keytab.
kadmin.local:  get_principal vdzharkov
Principal: [email protected]
Expiration date: [never]
Last password change: Thu Apr 06 22:45:50 +10 2023
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Apr 06 22:45:50 +10 2023 (vdzharkov/[email protected])

kadmin.local:  get_principal vdzharkov
Principal: [email protected]
Expiration date: [never]
Last password change: Thu Apr 06 22:45:50 +10 2023
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Apr 06 22:45:50 +10 2023 (vdzharkov/[email protected])
Last successful authentication: [never]
Last failed authentication: Thu Apr 06 22:47:23 +10 2023
Failed password attempts: 0
Number of keys: 6
Key: vno 15, aes256-cts-hmac-sha1-96
Key: vno 15, aes128-cts-hmac-sha1-96
Key: vno 15, aes128-cts-hmac-sha256-128
Key: vno 15, aes256-cts-hmac-sha384-192
Key: vno 15, camellia128-cts-cmac
Key: vno 15, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH

I guess it randomizes the keys in the keytab and increments the kvno, but then I'm authenticating with this keytab.

In a second tab I start tcpdump:

vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ sudo tcpdump host 192.168.5.19 -w fin.pcap

Then I authenticate:

vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ kdestroy -A
vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ kinit -kt vdzh-fin.keytab vdzharkov

After that I'm trying to decrypt the enc-part of the AS_REP, but with no success:

vdzharkov@dell-ku:~/work/logs/ipa_krb_tests$ tshark -r fin.pcap -K vdzh-fin.keytab -w finout.pcap
Kerberos
    Record Mark: 1770 bytes
    as-rep
        pvno: 5
        msg-type: krb-as-rep (11)
        crealm: VDZHARKOV.NOVALOCAL
        cname
        ticket
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            cipher: 48763e28028495b2099f5ea12559a35e4d0e2fe77026db4c8bf1f5772ba388198294cdb1…
    Missing keytype 18 usage 2 missing in frame 16 keytype 18 (id=missing.1 same=0) (00000000...)
    Missing keytype 18 usage 3 missing in frame 16 keytype 18 (id=missing.2 same=0) (00000000...)

I also tried the same via the Wireshark GUI with Preferences -> Protocols -> KRB5, then checked all options and supplied the keytab file, but to no effect.

Versions:
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Funnily enough, I can decrypt the TGT with the krbtgt principal's keytab:

as-rep
    pvno: 5
    msg-type: krb-as-rep (11)
    crealm: VDZHARKOV.NOVALOCAL
    cname
    ticket
        tkt-vno: 5
        realm: VDZHARKOV.NOVALOCAL
        sname
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            kvno: 5
            cipher: 10cc6398a0b5131703c525077d36e4149524d224630ae49d30d21ff02db8654b1ce12091…
                Decrypted keytype 18 usage 2 using keytab principal krbtgt/[email protected] (id=keytab.7 same=0) (26a828a4...)
                encTicketPart
                    Padding: 0
                    flags: 40610000
                    key
                        Learnt encTicketPart_key keytype 18 (id=16.1) (a403a03e...)
                        keytype: 18
                        keyvalue: a403a03e56fc3a3c1b358dd1879fab436f34917a444ec3b2490e50cb40d660f9
                    crealm: VDZHARKOV.NOVALOCAL
                    cname
                    transited
                    authtime: 2023-04-06 12:49:34 (UTC)
                    endtime: 2023-04-07 12:21:55 (UTC)
                    authorization-data: 3 items
    enc-part
        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
        cipher: 48763e28028495b2099f5ea12559a35e4d0e2fe77026db4c8bf1f5772ba388198294cdb1…

So I have two questions:

  1. Am I doing something wrong?
  2. Maybe there are some library alternatives to try to decrypt Kerberos encrypted blobs captured with Wireshark?
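The first thing to check when tshark reports "Missing keytype 18 usage 3" is whether the keytab actually holds the key it is looking for: the AS-REP enc-part is sealed with the client's long-term key under key usage 3 (RFC 4120), so Wireshark needs an entry whose principal, etype (18) and kvno match what the KDC used. The following is an added example, not code from the poster or from Wireshark: a standard-library Python parser for the MIT keytab format (version 0x0502) that lists entries the way klist -Kte does and looks up the entry Wireshark would need. The principal name, timestamp and key bytes in sample_entries() are constructed placeholders, and vdzh-fin.keytab is only read if you pass its path on the command line.

```python
"""Inspect an MIT keytab (file format 0x0502) using only the standard library.

Added example with constructed sample data; it is not the poster's vdzh-fin.keytab.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

# Encryption type numbers for the etypes that appear in the question.
ETYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}


@dataclass
class KeytabEntry:
    principal: str   # "name/instance@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int   # seconds since the epoch when the entry was written
    kvno: int
    etype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab (all integers are big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size: hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:      # the 32-bit vno is only present when room is left
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, etype, key))
        off = end
    return entries


def build_keytab(entries: List[KeytabEntry], hole: int = 0) -> bytes:
    """Serialise entries; hole > 0 first writes a deleted-entry hole of that size."""
    out = bytearray(b"\x05\x02")
    if hole:
        out += struct.pack(">i", -hole) + b"\x00" * hole
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.etype)
        body += struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def find_key(entries: List[KeytabEntry], principal: str, etype: int,
             kvno: Optional[int] = None) -> Optional[KeytabEntry]:
    """The entry Wireshark needs: same principal, same etype and, if known, same kvno."""
    for e in entries:
        if e.principal == principal and e.etype == etype and (kvno is None or e.kvno == kvno):
            return e
    return None


def describe(entries: List[KeytabEntry]) -> List[str]:
    """One klist -Kte style line per entry."""
    return ["kvno %d %s (%d) %s key=%s" % (e.kvno, ETYPE_NAMES.get(e.etype, "etype"),
                                          e.etype, e.principal, e.key.hex()) for e in entries]


def sample_entries() -> List[KeytabEntry]:
    """Constructed entries; the key bytes are placeholders, not real keys."""
    p = "vdzharkov@VDZHARKOV.NOVALOCAL"   # assumed principal name, from the realm in the capture
    return [KeytabEntry(p, 1, 1680785150, 15, 18, bytes(range(32))),
            KeytabEntry(p, 1, 1680785150, 15, 17, bytes(range(16)))]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(sample_entries())
    entries = parse_keytab(data)
    for line in describe(entries):
        print(line)
    # AS-REP enc-part: client key, key usage 3 (RFC 4120), the key tshark reported missing.
    hit = find_key(entries, "vdzharkov@VDZHARKOV.NOVALOCAL", 18, 15)
    print("etype 18 kvno 15 client key present:", hit is not None)
```

Run it as `python3 keytab_inspect.py vdzh-fin.keytab` to list what the file really contains; if the etype-18 entry is there for the exact principal string shown in cname/crealm and its kvno matches, the keytab itself is not the problem and the search moves to the dissector configuration.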