More Kerberos fun with PACs – decrypt the PAC


I had been meaning to blog about this for a while, and recently was teaching a class when a friend of mine looked into the exact steps and issues – thanks Woody.


It may be interesting to peek into the PAC every once in a while and make sure everything is OK. Yaknow – like a long lost cousin. See http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx for more info on PAC data.


This is good for labs – not so much for production. But here goes.


It’s laid out here: http://wiki.wireshark.org/Kerberos



1. Download the ktexport utility – http://www.ioplex.com/utilities/
2. Run it on your DC against LSASS.EXE’s PID
3. C:\TEMP\ktexport.exe 376
4. It will create a file called sam.keytab
5. Create a directory called c:\temp
6. Copy sam.keytab to c:\temp.
7. Copy the wireshark trace to c:\temp
8. Open the trace in wireshark


Go to Edit -> Preferences:




Enable the ability to decrypt the blobs.


Specify the sam.keytab file with no path information, as it does not seem to like a path (for example, c:\temp\sam.keytab does NOT work).




Now – I have found I sometimes need to restart Wireshark, but check your Kerberos data (an AS-REP packet, for example) and you should see:


AuthorizationData AD-IF-RELEVANT
    Type: AD-IF-RELEVANT (1)
    Data: 308202D2308202CEA00402020080A18202C4048202C00400…
        IF_RELEVANT AD-Win2k-PAC
            Type: AD-Win2k-PAC (128)
            Data: 040000000000000001000000300200004800000000000000…
                Num Entries: 4
                Version: 0
                Type: Logon Info (1)
                    Size: 560
                    Offset: 72
                    PAC_LOGON_INFO: 01100800CCCCCCCC200200000000000000000200C0C1160B…
                        unknown MIDL blob
                            Unknown: 0x00081001
                            Unknown: 0xcccccccc
                            Blob Length: 544
                            Unknown: 0x00000000
                        PAC_LOGON_INFO:
                            Referent ID: 0x00020000
                            Logon Time: Mar 25, 2009 16:25:54.415046400
                            Logoff Time: Infinity (absolute time)
                            Kickoff Time: Infinity (absolute time)
                            PWD Last Set: Mar 18, 2009 12:31:33.473204800
                            PWD Can Change: Mar 19, 2009 12:31:33.473204800
                            PWD Must Change: Apr 30, 2009 11:19:05.216948800
                            Acct Name: shannon
                                Length: 14
                                Size: 14
                                Character Array: shannon
                                    Referent ID: 0x00020004
                                    Max Count: 7
                                    Offset: 0
                                    Actual Count: 7
                                    Acct Name: shannon
                            Full Name: shannon
                                Length: 14
                                Size: 14
                                Character Array: shannon
                                    Referent ID: 0x00020008
                                    Max Count: 7
                                    Offset: 0
                                    Actual Count: 7
                                    Full Name: shannon
                            Logon Script
                                Length: 0
                                Size: 0
                                Character Array
                                    Referent ID: 0x0002000c
                                    Max Count: 0
                                    Offset: 0
                                    Actual Count: 0
                            Profile Path
                                Length: 0
                                Size: 0
                                Character Array
                                    Referent ID: 0x00020010
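To see what Wireshark is actually decoding above, here is an added example (not code from the post or from Wireshark) that parses the leading bytes of the two Data fields shown in the tree: the PACTYPE header with its first PAC_INFO_BUFFER, the NDR type headers that Wireshark labels "unknown MIDL blob", and the FILETIME convention behind the "Infinity" logoff/kickoff times. Only the bytes visible in the post are used, so the parser stops at the last complete entry; field names follow MS-PAC.

```python
import struct
from datetime import datetime, timedelta, timezone

# Leading bytes of the two Data fields exactly as Wireshark printed them in the
# post (it truncates with "...", so only these prefixes are available to parse).
AD_WIN2K_PAC_HEX = "040000000000000001000000300200004800000000000000"
PAC_LOGON_INFO_HEX = "01100800CCCCCCCC200200000000000000000200C0C1160B"

FILETIME_EPOCH_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
FILETIME_INFINITY = 0x7FFFFFFFFFFFFFFF     # "never" value that Wireshark shows as Infinity


def parse_pactype(blob: bytes) -> dict:
    """PACTYPE header: cBuffers, Version, then PAC_INFO_BUFFER entries of
    ulType (uint32), cbBufferSize (uint32), Offset (uint64), all little-endian."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    entries = []
    for i in range(cbuffers):
        pos = 8 + 16 * i
        if pos + 16 > len(blob):
            break  # truncated capture: keep only the complete entries
        ultype, size, offset = struct.unpack_from("<IIQ", blob, pos)
        entries.append({"type": ultype, "size": size, "offset": offset})
    return {"num_entries": cbuffers, "version": version, "entries": entries}


def parse_ndr_headers(blob: bytes) -> dict:
    """The 16 bytes Wireshark labels 'unknown MIDL blob' are the NDR common type
    header (version, endianness, header length, filler) and private header
    (object buffer length, filler); the first referent ID follows them."""
    version, endianness, hdr_len, _filler = struct.unpack_from("<BBHI", blob, 0)
    blob_len, _filler2 = struct.unpack_from("<II", blob, 8)
    referent_id = struct.unpack_from("<I", blob, 16)[0]
    return {"ndr_version": version, "little_endian": endianness == 0x10,
            "header_len": hdr_len, "blob_length": blob_len, "referent_id": referent_id}


def filetime_to_datetime(ft: int):
    """KERB_VALIDATION_INFO times are FILETIMEs; 0x7FFFFFFFFFFFFFFF means 'never'
    (the Logoff Time / Kickoff Time above) and is returned as None."""
    if ft >= FILETIME_INFINITY:
        return None
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=(ft - FILETIME_EPOCH_DELTA) // 10)


if __name__ == "__main__":
    print(parse_pactype(bytes.fromhex(AD_WIN2K_PAC_HEX)))
    print(parse_ndr_headers(bytes.fromhex(PAC_LOGON_INFO_HEX)))
```

Running it reproduces the Num Entries 4, Version 0, Size 560, Offset 72, Blob Length 544 and Referent ID 0x00020000 values Wireshark shows, which is a useful sanity check when the dissector only says "unknown".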




Have fun!


Spat




OK, so some folks have let me know that ktexport crashes LSASS.EXE – obviously no fun.


So here is what I tested:


I installed WindowsServer2003-KB843071-x86-enu.exe from “Ktpass.exe may not create a Kerberos keytab file successfully when you use the /target switch and the /mapuser switch on a Windows Server 2003-based computer or on a Windows 2000-based computer”




  • In this case the user’s UPN is Shannon@mil
  • The user’s sAMAccountName is Shannon
  • The user’s password is Password.
  • The user’s domain is request132027.local

I ran the following:

C:\TEMP>ktpass.exe /out shannon.keytab /princ shannon@MIL /crypto RC4-HMAC /pass Password /ptype KRB5_NT_PRINCIPAL
Key created.
Output keytab to shannon.keytab:
Keytab version: 0x502
keysize 45 shannon@MIL ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x76756bad6a045177f68d583c1152e3c5)

I used this keytab in wireshark:




Seemed to work out OK. If you were doing it for a machine it would not work, since you don’t know the machine password. I have not tried setting the password etc.
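Whether the keytab comes from ktexport (the steps at the top) or from ktpass, what Wireshark reads is the same MIT keytab format. As an added example, not code from the post or from ktpass, this builds a version 0x502 keytab holding the shannon@MIL entry from the ktpass output above (etype 0x17, 16-byte key as printed there; the timestamp is a constructed value since ktpass does not show it) and parses it back. The entry length works out to the "keysize 45" ktpass reports.

```python
import struct

# Values from the ktpass output above; the timestamp is constructed (ktpass does not print it).
PRINCIPAL = "shannon"
REALM = "MIL"
KRB5_NT_PRINCIPAL = 1
ETYPE_RC4_HMAC = 0x17
KEY_HEX = "76756bad6a045177f68d583c1152e3c5"
KEYTAB_V502 = b"\x05\x02"


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b   # counted_octet_string: uint16 length + bytes


def build_keytab(principal, realm, key, etype=ETYPE_RC4_HMAC,
                 name_type=KRB5_NT_PRINCIPAL, vno=1, timestamp=0) -> bytes:
    """Single-entry keytab, format 0x502 (num_components does not count the realm)."""
    entry = struct.pack(">H", 1) + _counted(realm.encode()) + _counted(principal.encode())
    entry += struct.pack(">IIB", name_type, timestamp, vno)     # name type, time, 8-bit kvno
    entry += struct.pack(">HH", etype, len(key)) + key          # keyblock: enctype + key
    return KEYTAB_V502 + struct.pack(">i", len(entry)) + entry


def _read_counted(data: bytes, pos: int):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse a 0x502 keytab into dicts matching the fields of ktpass's summary line."""
    if data[:2] != KEYTAB_V502:
        raise ValueError("only keytab version 0x502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                     # negative size marks a deleted entry (a hole)
            pos += -size
            continue
        end, ncomp = pos + size, struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, _ts, vno = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        entries.append({"keysize": size, "principal": "/".join(comps) + "@" + realm,
                        "ptype": name_type, "vno": vno, "etype": etype, "key": key.hex()})
        pos = end
    return entries
```

A quick `parse_keytab(open("shannon.keytab", "rb").read())` on a real ktpass or ktexport file shows which principals and enctypes Wireshark has available, which is the first thing to check when a trace refuses to decrypt.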


spat




Comments (5)

  1. Dom Williams says:

    Any known issues with running ktexport on VMs? Specifically, VMWare? Every time I run it, lsass crashes forcing a reboot.

  2. SpatDSG says:

    Quite possibly. I have added info on how to do it with KTPASS – assuming you know the user’s password. BTW Dom – do you know Tad?

    spat

  3. Dom Williams says:

    Thanks for the additional info. Yeah, I know Tad; we recently just helped each other overcome a few IAG issues.

    FYI, we have narrowed down the ktexport problems; the ONLY time it worked successfully was on a Win2003 DC (NOT R2). The fact that all of the DCs we tried it on were VMs ended up being a red herring; we tried on several different patch levels before we realized what was up.

    Thanks!

    -Dom

  4. richpec says:

    Ha!  I just saw this blog.  You’re welcome.  😉  Thanks for blogging it!  🙂

  5. chrisbeams says:

    Hi there – the area in the GUI doesn’t exist anymore and I can’t get the command line to work – any ideas?