Kerberos support in Ethereal. Request for help

Ronnie Sahlberg ronnie_sahlberg at ozemail.com.au
Sat Feb 28 16:55:07 EST 2004 

Hi list.

I am adding support, given that the keytab file can be provided, to ethereal
to decrypt and dissect the
encrypted parts of kerberos.
It currently can read keytab files and decrypt Tickets as well as pick up
session keys from the Ticket
to decrypt the stuff inside  AP-REQ and AP-REP packets.
Other encrypted blobs are semitrivial to add code for and will be added when
I aquire more example captures.
Enough about that.  Here is my request:
The code to do this is currently not in CVS of ethereal but is distributed
and tested as a patch outside of CVS.
I expect it to be in CVS within a week, as soon as the required automake
magic has been added to ethereal.


Currently the code works with Heimdal and the ethereal dissector interfaces
with Heimdal through a ~150-200 line small
midlayer.
I also want the code to support MIT Kerberos through a similar small
midlayer  so that the user can get this functionality to work
regardless of his/her preference in what kerberos implementation he/she
might already have installed.
(i.e. i dont want to force policy on what kerberos implementation to use
down on the user)





Below is a teaser: part of a packet print output from the heimdalified
version of ethereal dissecting a decrypted ticket:
Now let ehtereal also do this by calling the mit kerberos libraries.
>            Encryption type: des3-cbc-sha1 (16)
>            Kvno: 4
>            enc-part: 5BEA8C3B81034F487B747DA03CB6DEBE...
>                EncTicketPart
>                    Ticket Flags 0x00080000 Transited-Policy-Checked
>                    EncryptionKey des-cbc-crc
>                        Key type: des-cbc-crc (1)
>                        Key value: 2AF8B3256D108FF1
>                    Client Realm: CORE.UML
>                    Client Name  (Principal): ronnie
>                    TransitedEncoding DOMAIN-X500-COMPRESS
>                    Authtime: 2004-02-02 06:36:32 (Z)
>                    Start time: 2004-02-02 06:36:44 (Z)
>                    End time: 2004-02-02 16:36:32 (Z)
>                    HostAddresses  10.1.1.28



Anyone interested to help out?

What I need is a small example on reading a keytab file and calling the
decryption routines:
After that I will do the rest.


As an example, this is what I got from Heimdal people:
: lha at nutcracker ; make
gcc -Wall -o decrypt decrypt.c `krb5-config --cflags` `krb5-config --libs`
: lha at nutcracker ; ./decrypt krb5.keytab e out
host/curie at CORE.UML
: lha at nutcracker ; asn1_print out
APPL CONS tag 3 = 155 bytes [3]
  UNIV CONS Sequence = 152 bytes {
    CONTEXT CONS tag 0 = 7 bytes [0]
      UNIV PRIM BitString = 5 bytes
    CONTEXT CONS tag 1 = 19 bytes [1]
      UNIV CONS Sequence = 17 bytes {
        CONTEXT CONS tag 0 = 3 bytes [0]
          UNIV PRIM Integer = integer 1
        CONTEXT CONS tag 1 = 10 bytes [1]
          UNIV PRIM OctetString = (length 8),
2af8b3256d108ff10000000000000000
      }
    CONTEXT CONS tag 2 = 10 bytes [2]
      UNIV PRIM GeneralString = "CORE.UML"
    CONTEXT CONS tag 3 = 19 bytes [3]
      UNIV CONS Sequence = 17 bytes {
        CONTEXT CONS tag 0 = 3 bytes [0]
          UNIV PRIM Integer = integer 1
        CONTEXT CONS tag 1 = 10 bytes [1]
          UNIV CONS Sequence = 8 bytes {
            UNIV PRIM GeneralString = "ronnie"
          }
      }
    CONTEXT CONS tag 4 = 11 bytes [4]
      UNIV CONS Sequence = 9 bytes {
        CONTEXT CONS tag 0 = 3 bytes [0]
          UNIV PRIM Integer = integer 1
        CONTEXT CONS tag 1 = 2 bytes [1]
          UNIV PRIM OctetString = (length 0),
726f6e6e6965004c0000000000000000
      }
    CONTEXT CONS tag 5 = 17 bytes [5]
      UNIV PRIM GeneralizedTime = "20040202063632Z"
    CONTEXT CONS tag 6 = 17 bytes [6]
      UNIV PRIM GeneralizedTime = "20040202063644Z"
    CONTEXT CONS tag 7 = 17 bytes [7]
      UNIV PRIM GeneralizedTime = "20040202163632Z"
    CONTEXT CONS tag 9 = 17 bytes [9]
      UNIV CONS Sequence = 15 bytes {
        UNIV CONS Sequence = 13 bytes {
          CONTEXT CONS tag 0 = 3 bytes [0]
            UNIV PRIM Integer = integer 2
          CONTEXT CONS tag 1 = 6 bytes [1]
            UNIV PRIM OctetString = (length 4),
0a01011c303230323136333633325a00
        }
      }
  }
UNIV PRIM (null) = 0 bytes

Attached is the source code and keytab file and capture file and encrypted
blob:  (it is a tar.gz archive)

If someone is interested and would like ethereal to be able to use MIT
kerberos to do this, please feel encouraged
to help me out and rewrite decrypt.c so that it calls MIT kerberos instead
of heimdal.
(the file e contains an encrypted blob from, i belive packet 4)


I.e can someone rewrite decrypt.c in the archive to call mit kerberos
libraries instead of the heimdal ones?
(also please specify how to detect the precence of mit kerberos, how to find
out what to set -I and -L and -l to in the makefile so that automake
can detect and automagically generate proper makefiles)



best regards
    ronnie sahlberg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decrypt.tar.gz.tar
Type: application/x-tar
Size: 1752 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20040229/542ec4e6/attachment.tar

More information about the Kerberos mailing list