[36506] in Kerberos


Re: Kerberos5 ticket to ascii converter?

daemon@ATHENA.MIT.EDU (ronnie sahlberg)
Tue Sep 30 15:02:36 2014

MIME-Version: 1.0
In-Reply-To: <CA+j=ERq9zkELNHE88f4fMVXpUr4SJagGE4keno0NOWB2HVjJbw@mail.gmail.com>
Date: Tue, 30 Sep 2014 12:02:22 -0700
Message-ID: <CAN05THQAA3sLp_dP=_fJw6D9-NRPcvHGjgwmoU6+3XdYrtpbEQ@mail.gmail.com>
From: ronnie sahlberg <ronniesahlberg@gmail.com>
To: Wendy Lin <wendlin1974@gmail.com>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Tue, Sep 30, 2014 at 11:56 AM, Wendy Lin <wendlin1974@gmail.com> wrote:
> On 30 September 2014 18:32, ronnie sahlberg <ronniesahlberg@gmail.com> wrote:
>> On Tue, Sep 30, 2014 at 9:17 AM, Wendy Lin <wendlin1974@gmail.com> wrote:
>>> On 30 September 2014 17:55, ronnie sahlberg <ronniesahlberg@gmail.com> wrote:
>>>> On Tue, Sep 30, 2014 at 8:25 AM, Wendy Lin <wendlin1974@gmail.com> wrote:
>>>>> On 30 September 2014 15:25, Rick van Rein <rick@openfortress.nl> wrote:
>>>>>> Hi,
>>>>>>
>>>>>>>>> Does Kerberos5 have a ticket to ascii converter so someone can see
>>>>>>>>> what a ticket looks like in plain text?
>>>>>>>>
>>>>>>>> You might use any ASN.1 parser to see the structure, without it actually being spelled out in terms of the Kerberos field names.
>>>>>>>
>>>>>>> Is the file format of the ticket cache in ASN.1?
>>>>>>
>>>>>> That would depend on its implementation.
>>>>>
>>>>> MIT kerberos 1.12, DIR: cache
>>>>>
>>>>>> You asked for tickets ;-) which are defined in ASN.1 in the RFCs.  I think the WireShark suggestion is better than mine, but it won’t do what you are asking.
>>>>>
>>>>> Why?
>>>>
>>>> One reason is because most of the ticket is encrypted blobs. Without
>>>> decryption these blobs will just look like huge piles of random bytes,
>>>> so there is not really much interesting to see in the ticket.
>>>> If you want to look at the interesting parts of a ticket you really
>>>> want to decrypt these blobs.
>>>
>>> OK
>>>
>>> is there a C function in libkrb5 which takes a keytab and the data
>>> blob as parameter, and returns the decrypted data blob?
>>
>> In wireshark I use krb5_c_decrypt(). It takes a key, not a keytab, so
>> you may need to iterate over all keys in the keytab.
>>
>> See:
>> https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=asn1/kerberos/packet-kerberos-template.c;h=9eb82ab37f8d89ef57f691df656e063d8ad6c713;hb=HEAD#l400
>>
>> (We iterate over all the keys in wireshark and try them one by one
>> because it was easier than tracking SPN->key mappings.)
>>
>>
>
> What is a SPN?


ServicePrincipalName. I.e. user/service names in kerberos.

A real kerberos implementation would see that "This ticket is for the
user with the SPN == foo@realm" and then it would read the keytab
file to find the encryption key that
matches that name.

I don't do that in wireshark, instead I just iterate over the whole
keytab file and try them one after the other until I, hopefully, find
one that could successfully decrypt the blob.



>>
>>
>>>
>>> Wendy
>
>
>
> Wendy

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
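
The two key-selection strategies described in this message (look up the key by the name on the ticket, or try every keytab key until one decrypts), as an added example that is not part of the original post and is not Wireshark's or libkrb5's code. `toy_decrypt` is a hypothetical stand-in for `krb5_c_decrypt()`, not a Kerberos enctype; the keytab entries, principals, keys and blob are constructed.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    key: bytes

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, plaintext, hashlib.sha1).digest()[:12]

def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Stand-in for krb5_c_decrypt(): returns None when the integrity check fails."""
    body, tag = blob[:-12], blob[-12:]
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    expected = hmac.new(key, plaintext, hashlib.sha1).digest()[:12]
    return plaintext if hmac.compare_digest(tag, expected) else None

def decrypt_by_trial(keytab, blob):
    """Try every key in turn; return (entry, plaintext, attempts) or None."""
    for attempts, entry in enumerate(keytab, start=1):
        plaintext = toy_decrypt(entry.key, blob)
        if plaintext is not None:  # the integrity check is what identifies the right key
            return entry, plaintext, attempts
    return None

def decrypt_by_principal(keytab, principal, blob):
    """Only try keys whose principal matches the name on the ticket (old kvnos included)."""
    candidates = [e for e in keytab if e.principal == principal]
    return decrypt_by_trial(candidates, blob)

# Constructed keytab: one host key plus two key versions of an HTTP service.
KEYTAB = [
    KeytabEntry("host/web.example.com@EXAMPLE.COM", 1, b"\x01" * 16),
    KeytabEntry("HTTP/web.example.com@EXAMPLE.COM", 1, b"\x02" * 16),
    KeytabEntry("HTTP/web.example.com@EXAMPLE.COM", 2, b"\x03" * 16),
]
BLOB = toy_encrypt(KEYTAB[2].key, b"constructed EncTicketPart bytes")

if __name__ == "__main__":
    print(decrypt_by_trial(KEYTAB, BLOB))
    print(decrypt_by_principal(KEYTAB, "HTTP/web.example.com@EXAMPLE.COM", BLOB))
```

Trial decryption only works because a wrong key is rejected by the integrity check instead of yielding plausible-looking garbage.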

