[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Kerberos decryption and Ethereal, help requested

Hi List,

I couldnt find any archives to view but hope this is the correct mailing

First of all, I am not interested in contributing to Heimdal, heck Im not
very interested in Kerberos
to begin with but anyway.
I work with Ethereal, a free GPL packet analyzer used by, among others,
various protocol implementors.
It is also used a lot by people troubleshooting implementations and
analyzing traces.

I have looked for a while at adding support to ethereal to, given the keytab
files, open up the encrypted parts
of kerberos blobs.
This would help immensly for people trying to troubleshoot network traces
and also make life easier for those
working on reverse engineering various (cifs based) protocols that today are
all protected by kerberos authentication.

Fiorst a disclaimer. I see no security problem whatsoever in adding this to
a tool like Ethereal. It requires the person with the
sniffer to have access to the keytab files, and if a black hat has got the
keytab file then
1, it is game over anyway
2, the black hat probably have a lot more interesting things to do with the
keytab file than feeding it into a sniffer.

Well, I started looking at calling krb5_c_decrypt() in the MIT kerberos
libraries but came up with two problems:
1, mit kerberos is not really free
2, i couldnt get it to work anyway :-)

Do heimdal provide a simple to call function such as mit/jrb5_c_decrypt()
that is exported through a shared library?
Is anyone interested in helping me out to get the call working properly so i
can get it working and later feed into ethereal?

Attached is a small archive with a test proream i used but never got to get
working using mit kerberos.  krb5_c_decrypt() always returned the
error code for INTEGRITY_BAD which i assume means the hash didnt work out
properly, probably because i didnt set up the structs properly before
calling it.

The archive contains :
krb5.cap:  a capture file for kerberized telnet
encrypted.dat:  which is the encrypted blob in packet 2 in the trace above.
krb5.keytab: which is the keytab file
tst.c which is a small test app that is hardcoded to try to decode the blob
in encrypted.dat using encryption type 16 and the principal ronnie in the
realm CORE.UML

would anyone be interested in helping me get the test app working properly
with heimdal so i can start adding it to ethereal?

dont panic:  the keytab file was generated on a network purposely built from
scratch to generate a krb5 capture and a keytab file.
all the machines on this network have later been destroyed.

best regards
    ronnie sahlberg