keytab file format - exporting arcfour keys from active directory

Marcus Watts mdw at umich.edu
Mon May 1 15:05:19 EDT 2006


> Date: Mon, 1 May 2006 14:47:06 -0400
> From: Michael B Allen <mba2000 at ioplex.com>
> To: kerberos at mit.edu
> Subject: keytab file format - exporting arcfour keys from active directory
> 
> Hi,
> 
> Is there any documentation on the keytab file format? From scanning
> the code the rules are not clear and leaves me wanting of definitive
> documentation.
> 
> I want to write an encoder (and I suppose decoder) in plain C for
> inclusion in the pwdump2 [1] program for exporting Kerberos keys from a
> MS Windows domain controller. This would be largely for debugging purposes
> (e.g. for Ethereal to decrypt things).
> 
> If someone would be kind enough to provide me with the details I
> will furnish a web page with the modified program, source code, and
> documentation.
> 
> Thanks,
> Mike


Following is a comment I left myself when I was doing a similar exercise.
General format:
	offset length purpose
VNO = 2 means "new version"; likely to be always true.
Caveat: this isn't guaranteed to be even vaguely accurate or even
particularly understandable.  This will probably make more sense if
you go through several keytab dumps by hand and decode them.
Also: beware keytype -- it may matter that that should be a 16-bit *signed* int.

/*
 *
 * keytab format:
 *
 * head:
 * 0 1  5
 * 1 1  VNO 1 or 2
 * per entry:
 * 0 4  len (excludes len)
 * 4 2  count of princ components (pc)
 * 6 2  length realm (rl)
 * 8 rl realm
 * REP *pc {
 *      0 2 length nl
 *      2 nl name-component
 * }
 * IF new? {
 * xxx 4        name-type
 * }
 * xxx 4        timestamp
 * xxx 1        vno
 * {
 * 0 2  keytype
 * 2 2  keylen
 * 4 keylen     keydata
 * }
 * POSSIBLE if length left {
 * xxx 4        vno
 * }
 */

					-Marcus Watts
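An added example, not part of the original message or of MIT Kerberos: a bounds-checked C decoder for one entry of the layout in the comment above. It assumes a version-2 file with big-endian integers (the message does not state byte order) and that a nonzero trailing 4-byte vno replaces the 1-byte one; `kt_next`, `struct kt_entry` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
struct cur { const uint8_t *p; size_t len, off; int err; };  /* bounds-checked read cursor */
struct kt_entry {
    char realm[64], name[128];             /* name components joined with '/' */
    uint32_t name_type, timestamp, kvno;
    int16_t keytype; uint16_t keylen;      /* keytype kept signed, per the caveat in the message */
    const uint8_t *key;                    /* points into the caller's buffer */
};
/* Constructed sample: host/dc1@EXAMPLE.COM, keytype 23, 16-byte key, 8-bit vno 0x2c, 32-bit vno 300 */
const uint8_t kt_sample[] = { 5, 2, 0,0,0,59, 0,2, 0,11, 'E','X','A','M','P','L','E','.','C','O','M',
    0,4,'h','o','s','t', 0,3,'d','c','1', 0,0,0,1, 0x44,0x56,0x5d,0x0f, 0x2c,
    0,23, 0,16, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, 0,0,1,0x2c };
/* Read an n-byte big-endian integer; latch err instead of reading past the end. */
static uint32_t rd(struct cur *c, size_t n) {
    uint32_t v = 0;
    if (c->err || c->len - c->off < n) { c->err = 1; return 0; }
    while (n--) v = (v << 8) | c->p[c->off++];
    return v;
}
/* Return a pointer to the next n bytes and advance; NULL on overrun or earlier error. */
static const uint8_t *take(struct cur *c, size_t n) {
    if (c->err || c->len - c->off < n) { c->err = 1; return NULL; }
    return c->p + (c->off += n) - n;
}
/* Decode the entry at *off and advance *off; returns -1 at end of data or on malformed input. */
int kt_next(const uint8_t *buf, size_t len, size_t *off, struct kt_entry *e) {
    struct cur f = { buf, len, *off, *off > len };
    if (*off == 0 && (rd(&f, 1) != 5 || rd(&f, 1) != 2)) return -1;   /* head: 5, VNO 2 */
    uint32_t elen = rd(&f, 4), used = 0;           /* len excludes the len field itself */
    const uint8_t *s = take(&f, elen);             /* entry body must fit in the file */
    struct cur c = { s, elen, 0, f.err };          /* fields may not run past the entry */
    uint32_t pc = rd(&c, 2), rl = rd(&c, 2);
    s = take(&c, rl);
    if (!s || rl >= sizeof e->realm) return -1;
    memcpy(e->realm, s, rl); e->realm[rl] = 0;
    for (uint32_t i = 0; i < pc; i++) {            /* REP *pc { length, name-component } */
        uint32_t nl = rd(&c, 2);
        if (!(s = take(&c, nl)) || used + nl + 2 > sizeof e->name) return -1;
        if (i) e->name[used++] = '/';
        memcpy(e->name + used, s, nl); used += nl;
    }
    e->name[used] = 0;
    e->name_type = rd(&c, 4); e->timestamp = rd(&c, 4); e->kvno = rd(&c, 1);
    e->keytype = (int16_t)rd(&c, 2); e->keylen = (uint16_t)rd(&c, 2);
    if (!(e->key = take(&c, e->keylen))) return -1;   /* also catches any earlier overrun */
    if (c.len - c.off >= 4 && (elen = rd(&c, 4)) != 0) e->kvno = elen;  /* optional 32-bit vno */
    *off = f.off; return 0;
}
```

Call `kt_next` in a loop with `off` starting at 0 to walk every entry; the key pointer is only valid while the input buffer is.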