Presentation about Active Directory network protocols (including Kerberos V)

Jean-Baptiste Marchand Jean-Baptiste.Marchand at hsc.fr
Thu Dec 30 17:42:29 EST 2004


Hello,

I've recently realized that I did not announce here the presentation I
gave back in September about Active Directory network protocols and
traffic, and thought it might interest people on this list:

http://www.hsc.fr/presentations/ad_proto_traffic/

The goal of the presentation was to explain, looking at the network
traffic typically found in Active Directory domains, how Active
Directory relies on network protocols such as LDAP, Kerberos V,
SMB/CIFS, DNS and NTP.

Slides 27 to 35 deal with Kerberos, as used in Active Directory domains.

Slide 35 is a screenshot of the Kerberos ticket decryption feature of
ethereal (http://www.ethereal.com), that was added by Ronnie Sahlberg
nearly one year ago (currently only available on Unix systems with
Heimdal).

Provided you have a keytab file with the appropriate keys, you can
decrypt tickets, including the Microsoft PAC included in both TGT and
service tickets.

This feature is very useful for debugging and teaching how Kerberos
works :-)

I recently discovered another interesting tool, ticketviewer, that can
be used to look at the LSA Kerberos ticket cache, to display *all*
tickets delivered by a Windows KDC:

http://www.toolcrypt.org/tools/ticketviewer

This tool must be launched from a LOCALSYSTEM shell; you can, for
instance, run the following command as administrator to start
ticketviewer as LOCALSYSTEM and see all delivered tickets:

C:\>psexec -s -i ticketviewer.exe

where psexec is one of the tools found in the PsTools suite, freely
available on the Sysinternals website:

http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

I'll be glad to hear comments or suggestions you may have about the
presentation.

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand at hsc.fr
HSC - http://www.hsc.fr/