[36731] in Kerberos


RE: NT hashes in krb5

daemon@ATHENA.MIT.EDU (Zaid Arafeh)
Tue Jan 20 07:44:37 2015

Message-ID: <BLU403-EAS922BFFACACAA0853B52656C04B0@phx.gbl>
To: Greg Hudson <ghudson@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
From: Zaid Arafeh <zarafeh@live.com>
Date: Tue, 20 Jan 2015 00:08:15 -0500

Hello Greg and all,

I have the krbtgt password now. I reset the password and am using a manually entered one (beauty of a lab).

I want to create a TGT in ASN.1 format. I have a tool that creates custom tickets for Windows (Metasploit); it takes three parameters:
1- RC4 hash of the krbtgt password
2- domain SID, or security identifier
3- principal name

My questions are:
1- Are there structural differences between MS tickets and MIT tickets? I tried putting a Windows Kerberos ticket in /tmp/ after renaming it and got a format error when I ran klist.
2- By putting the ticket in the client's /tmp/, am I properly injecting it into the cache?
3- If there are differences in ASN.1 formatting, what's the best way to modify the ticket to ensure compatibility?
4- Is it trivial to create a Kerberos ticket from scratch, given that I have all principal secrets?

Thanks!
________________________________
From: Greg Hudson <ghudson@mit.edu>
Sent: 19/01/2015 01:17 PM
To: zarafeh@live.com; kerberos@mit.edu
Subject: Re: NT hashes in krb5

On 01/19/2015 02:24 AM, Zaid Arafeh wrote:
> If I have the K/M key (which is in the database) and I have the password
> for the master key, would that make extracting hashes from the database
> easier?

It is possible but not convenient; you would have to write code to do
the decryption.

> I looked at the keytab file (thanks), unfortunately keytab files usually
> don't store the krbtgt key (which is what I am looking for )

Nothing stops you from extracting a krbtgt key to a keytab.  It is true
that people do not usually store krbtgt keys in keytabs--but krbtgt keys
are also not normally NT hashes; they are normally random and do not
correspond to any password.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
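An added example, not part of the thread above and not MIT krb5's own code, bearing on questions 1 and 2 (the format error from klist after copying a Windows ticket into /tmp/): an MIT client's klist reads a credential cache file, the path named by $KRB5CCNAME or /tmp/krb5cc_<uid> by default, and that file is a container with its own binary layout (version bytes 0x05 0x04, a short header, the default principal, then one record per credential) in which the DER-encoded Ticket is just one field. A Windows-side export is a KRB-CRED structure (the .kirbi files), so dropping it into /tmp/ produces a format error rather than an injection. The script below builds and parses that version 4 container with the standard library only. The principal names, the 16-byte key and the "ticket" bytes are constructed placeholders (the ticket is not a real DER Ticket), and the demo writes to a scratch directory, not the live cache.

```python
"""Build and read an MIT krb5 FILE: credential cache (format version 4), stdlib only."""
import os
import struct
import tempfile

CCACHE_V4 = b"\x05\x04"
ENCTYPE_RC4_HMAC = 23                     # arcfour-hmac, the enctype a krbtgt "RC4 hash" belongs to
NT_PRINCIPAL, NT_SRV_INST = 1, 2          # principal name types (RFC 4120, section 6.2)
TKT_FLG_FORWARDABLE, TKT_FLG_RENEWABLE = 0x40000000, 0x00800000   # ticket_flags bits from krb5.h
TKT_FLG_INITIAL, TKT_FLG_PRE_AUTH = 0x00400000, 0x00200000

def _data(b):
    """ccache 'data' item: 32-bit big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _principal(realm, comps, name_type):
    out = struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)

def build_ccache(client, server, enctype, key, ticket_der, authtime, endtime, flags):
    """v4 ccache holding one credential; client/server are (realm, [components], name_type)."""
    tags = struct.pack(">HHii", 1, 8, 0, 0)                      # header tag 1: KDC time offset (sec, usec)
    out = CCACHE_V4 + struct.pack(">H", len(tags)) + tags + _principal(*client)  # default principal
    out += _principal(*client) + _principal(*server)
    out += struct.pack(">H", enctype) + _data(key)               # keyblock: enctype, key data
    out += struct.pack(">IIII", authtime, authtime, endtime, 0)  # authtime, starttime, endtime, renew_till
    out += struct.pack(">BI", 0, flags)                          # is_skey, ticket_flags
    out += struct.pack(">II", 0, 0)                              # empty addresses and authdata lists
    return out + _data(ticket_der) + _data(b"")                  # Ticket DER as sent by the KDC; second_ticket

def identify(blob):
    """Tell a ccache apart from the things that get dropped into /tmp by mistake."""
    if blob[:2] == CCACHE_V4:
        return "mit-ccache-v4"
    if blob[:1] == b"\x76":   # [APPLICATION 22] KRB-CRED, the .kirbi export of Windows-side tools
        return "krb-cred"
    if blob[:1] == b"\x61":   # [APPLICATION 1] Ticket, bare DER
        return "ticket"
    return "unknown"

class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals
    def data(self):
        (n,) = self.unpack(">I")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def principal(self):
        name_type, n = self.unpack(">II")
        realm = self.data().decode()
        return realm, [self.data().decode() for _ in range(n)], name_type

def parse_ccache(blob):
    """Parse a v4 ccache; anything else is rejected, which is the 'format error' klist reports."""
    if blob[:2] != CCACHE_V4:
        raise ValueError("not an MIT v4 ccache, looks like: " + identify(blob))
    r = _Reader(blob)
    r.pos = 2
    (hlen,) = r.unpack(">H")
    r.pos += hlen                                                # skip header tags
    default_principal = r.principal()
    creds = []
    while r.pos < len(blob):
        client, server = r.principal(), r.principal()
        (enctype,) = r.unpack(">H")
        key = r.data()
        authtime, starttime, endtime, renew_till = r.unpack(">IIII")
        is_skey, flags = r.unpack(">BI")
        for _ in range(2):                                       # addresses, then authdata
            (n,) = r.unpack(">I")
            for _ in range(n):
                r.unpack(">H"); r.data()                         # (type, data) pairs
        ticket, second_ticket = r.data(), r.data()
        creds.append({"client": client, "server": server, "enctype": enctype, "key": key,
                      "endtime": endtime, "flags": flags, "ticket": ticket})
    return {"default_principal": default_principal, "creds": creds}

def default_ccache_path():
    """Where an MIT client's klist looks: $KRB5CCNAME, else FILE:/tmp/krb5cc_<uid>."""
    name = os.environ.get("KRB5CCNAME", "FILE:/tmp/krb5cc_%d" % getattr(os, "getuid", lambda: 0)())
    return name[5:] if name.startswith("FILE:") else name       # DIR:/KEYRING: caches are not plain files

def write_ccache(blob, path):
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)   # mode 0600, as kinit creates it
    with os.fdopen(fd, "wb") as f:
        f.write(blob)

# Constructed sample values: names, key and "ticket" are placeholders; the ticket bytes carry the
# APPLICATION 1 tag a real Ticket starts with but are otherwise filler, not a real DER Ticket.
CLIENT = ("EXAMPLE.COM", ["alice"], NT_PRINCIPAL)
TGS = ("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"], NT_SRV_INST)
SAMPLE_KEY = bytes(range(16))
SAMPLE_TICKET = b"\x61\x82\x00\x10" + b"\x00" * 16

if __name__ == "__main__":
    blob = build_ccache(CLIENT, TGS, ENCTYPE_RC4_HMAC, SAMPLE_KEY, SAMPLE_TICKET, 1421712000, 1421748000,
                        TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE | TKT_FLG_INITIAL | TKT_FLG_PRE_AUTH)
    path = os.path.join(tempfile.mkdtemp(), "krb5cc_demo")     # scratch file, not the live cache
    write_ccache(blob, path)
    with open(path, "rb") as f:
        print(identify(f.read()), parse_ccache(blob)["creds"][0]["server"])
```

To inject for real, write the container to default_ccache_path() (or point KRB5CCNAME at the file) and run klist; the Ticket field then has to carry a genuine DER Ticket encrypted under the krbtgt key, which is the part a ticket-forging tool produces and this container code does not. identify() is also the quick check for the renamed Windows file: it reports "krb-cred" for a .kirbi and "mit-ccache-v4" only for something klist will read.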
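An added example, not from the thread and not MIT krb5 code, on the "RC4 hash of the krbtgt password" input and Greg's point that krbtgt keys are normally random: the arcfour-hmac string-to-key function of RFC 4757 is MD4 over the UTF-16LE password with the Kerberos salt ignored, which is exactly the Windows NT hash, so a krbtgt password typed in by hand yields the same 16 bytes on an MIT KDC and in a Windows-oriented forging tool, while a KDC-generated krbtgt key is random and matches no password at all. The script implements MD4 in pure Python (hashlib's md4 is often disabled under OpenSSL 3) and checks a key against candidate passwords. The hex value labelled RANDOM_KRBTGT_KEY is a constructed stand-in, not a key from any real KDC.

```python
"""NT hash versus the Kerberos arcfour-hmac key, standard library only."""
import struct

_MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def md4(msg):
    """MD4 as in RFC 1320, in pure Python (hashlib's md4 is often disabled under OpenSSL 3)."""
    bitlen = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = msg + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hx = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, message word order, per-step rotations, additive constant)
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (hx, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for func, order, shifts, k in rounds:
            for j, idx in enumerate(order):
                t = (0, 3, 2, 1)[j % 4]                   # register updated this step: a, d, c, b
                p, q, s = r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = _rotl((r[t] + func(p, q, s) + x[idx] + k) & _MASK, shifts[j % 4])
        h = [(hv + rv) & _MASK for hv, rv in zip(h, r)]
    return struct.pack("<4I", *h)

def nt_hash(password):
    """Windows NT hash: MD4 over the UTF-16LE password, no salt, no iteration."""
    return md4(password.encode("utf-16-le"))

def rc4_hmac_string2key(password, salt):
    """RFC 4757 section 4: K = MD4(UNICODE(password)). The Kerberos salt (realm + principal) is
    ignored, so an MIT KDC's arcfour-hmac key for a typed-in password is exactly its NT hash."""
    del salt   # accepted only so callers can treat this like the other string2key functions
    return nt_hash(password)

def is_password_derived(key, candidates):
    """Return the candidate password whose NT hash equals key, or None.
    A KDC-generated krbtgt key is random and matches nothing; a krbtgt key that was set from a
    typed-in password (as in the lab described above) matches that password."""
    for pw in candidates:
        if nt_hash(pw) == key:
            return pw
    return None

# Constructed stand-in for a KDC-generated (random) key; not a real krbtgt key from anywhere.
RANDOM_KRBTGT_KEY = bytes.fromhex("4f0c1a9e8d7b6a5c3e2d1f0a9b8c7d6e")

if __name__ == "__main__":
    print(nt_hash("password").hex())                                          # 8846f7eaee8fb117ad06bdd830b7586c
    print(is_password_derived(nt_hash("password"), ["letmein", "password"]))  # password
    print(is_password_derived(RANDOM_KRBTGT_KEY, ["letmein", "password"]))    # None
```

On the lab KDC the check against the real key is: `kadmin.local -q "ktadd -norandkey -k /tmp/krbtgt.keytab krbtgt/EXAMPLE.COM"` followed by `klist -Kkte /tmp/krbtgt.keytab` (keytab path and realm are assumptions), which prints the stored keys; if arcfour-hmac is among the principal's enctypes, that entry equals nt_hash(password) only because the password was set by hand, and after a normal `cpw -randkey` it matches no password. The aes enctypes derive their keys with PBKDF2 over the realm-and-principal salt, so even for a typed-in password those keys have no NT-hash relationship.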