NT hashes in krb5

Zaid Arafeh zarafeh at live.com
Sun Jan 18 20:10:46 EST 2015


Hello folks,

Continuing on with my little project here, I have another question. My project is to demonstrate a hash-based attack for interoperability between Windows and Linux. (If anyone is interested in learning more we can have a conversation off-line so we don't flood the thread for everyone.)

Here's the scenario. I am trying to get krb5 to use an NT hash. The NT hash is merely the MD4 computation of the UTF-16LE of the password string (creates an RC4 key). I went ahead and configured the krb5.conf and kdc.conf files to do so. Here's the relevant part of the output of getprinc for a sample user called user01:

Key: vno 7, aes256-cts-hmac-sha1-96, no salt
Key: vno 7, aes128-cts-hmac-sha1-96, no salt
Key: vno 7, des3-cbc-sha1, no salt
Key: vno 7, arcfour-hmac, no salt
Key: vno 7, camellia256-cts-cmac, no salt
Key: vno 7, camellia128-cts-cmac, no salt
Key: vno 7, des-hmac-sha1, no salt
Key: vno 7, des-cbc-md5, no salt
Key: vno 7, arcfour-hmac, Version 4
MKey: vno 1

Yet when I look at the database dump for this user, the output does not have any RC4 hashes. I am having a hard time understanding how the database is structured and how to extract the RC4 hash out of the database. Here's the dump (it's OK, no secrets :) ). What's going on?

kdb5_util load_dump version 7
princ    38    13    4    9    0    user01 at TR.LAB    0    86400    0    0    0    0    0    0    3    24    12345c010000000000000000000000000000000200000000    2    22    6e52bc547a6169642f61646d696e4054522e4c414200    8    2    0100    1    4    9d51bc54    1    7    18    62    200040ca06f69ec3eba54fd201d6708ff545149d16c717d819135fb0c2f1c6effab5b4eaa6db55587e6c3ab1aedb5a751b5b7d7e43af4b515d662ec15f09    1    7    17    46    1000ad590e445fc7b963f9ccab7406cb17605c47da2c39b5d7f9ba8fccea3530e9d27abcc64d7134a8af31bf849c    1    7    16    54    1800f3ca96a9e0bfb52a40f41da1197dd6fb543ce769ba205220a4c654cece5a5018b7178feeacd7eaa8610f1bf3d91e1e8dc753052a    1    7    23    46    10005073cf4396c6b9bc26c33dd28a928fb88569ad76699aaa5dfcd28d00aae268441389477e130e26e3fc86aa83    1    7    26    62    2000a259382f778327fc81a6cac1e26b7151c900fd6e5e0c5b9f0a15ad4aaf32d397cd328430de83706ec3c7d6caa90e06c5d1b8fd412f7b2757bf5484c5    1    7    25    46    1000cf332724dbd326348cf8bd4f640d14ca392fbb898eb4529cb5338b42f710b7a42e3ddee68d5459f4abb5cbda    1    7    8    38    08002f561ad30e78fffe79319aafa6f87ef2beb93545c7e9c476e7e5150f1da7ed059471a81a    1    7    3    38    0800d602ff8c2fc404838a2edce7580501116cf8f0e705a577a4a322f5bf80fc97342df86725    2    7    23    46    1000e006190a5eaf6279e30ad541279be4ab3f02332ad84e356487acc44b24131f28a0576d224eab74e5b5803320    1    0    -1    -1;

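Added example (not code from the post above or from MIT krb5): a parser for the version-7 kdb5_util "princ" record quoted in the post, plus a pure-Python MD4 so the RFC 4757 arcfour-hmac string-to-key (NT hash = MD4 of the UTF-16LE password) can be computed without relying on hashlib's md4, which is often missing under OpenSSL 3. The record embedded below is the one from the post with the archive's "user01 at TR.LAB" mangling undone to "user01@TR.LAB" (the dump reports the name length as 13, which only fits the "@" form). The password "password" used at the end is a hypothetical value; the post never gives user01's password. What the parser shows is why no RC4 hash is visible in the dump: the two enctype-23 entries are there (kvno 7, the second one with salt type 1, "Version 4"), but each key is stored as a 2-byte little-endian plaintext key length followed by the key encrypted under the KDC master key, so only the "1000" (16 bytes) prefix is readable in the hex.

```python
"""Walk a kdb5_util dump 'princ' record and locate the arcfour-hmac (RC4 / NT hash)
key material. Added example, not krb5 project code."""
import struct

ENCTYPE_ARCFOUR_HMAC = 23
KRB5_TL_LAST_PWD_CHANGE, KRB5_TL_MOD_PRINC = 1, 2  # tl_data types decoded below

# Record from the post, '@' restored; a real dump separates fields with tabs.
DUMP_RECORD = " ".join("""princ 38 13 4 9 0 user01@TR.LAB 0 86400 0 0 0 0 0 0
3 24 12345c010000000000000000000000000000000200000000
2 22 6e52bc547a6169642f61646d696e4054522e4c414200
8 2 0100
1 4 9d51bc54
1 7 18 62 200040ca06f69ec3eba54fd201d6708ff545149d16c717d819135fb0c2f1c6effab5b4eaa6db55587e6c3ab1aedb5a751b5b7d7e43af4b515d662ec15f09
1 7 17 46 1000ad590e445fc7b963f9ccab7406cb17605c47da2c39b5d7f9ba8fccea3530e9d27abcc64d7134a8af31bf849c
1 7 16 54 1800f3ca96a9e0bfb52a40f41da1197dd6fb543ce769ba205220a4c654cece5a5018b7178feeacd7eaa8610f1bf3d91e1e8dc753052a
1 7 23 46 10005073cf4396c6b9bc26c33dd28a928fb88569ad76699aaa5dfcd28d00aae268441389477e130e26e3fc86aa83
1 7 26 62 2000a259382f778327fc81a6cac1e26b7151c900fd6e5e0c5b9f0a15ad4aaf32d397cd328430de83706ec3c7d6caa90e06c5d1b8fd412f7b2757bf5484c5
1 7 25 46 1000cf332724dbd326348cf8bd4f640d14ca392fbb898eb4529cb5338b42f710b7a42e3ddee68d5459f4abb5cbda
1 7 8 38 08002f561ad30e78fffe79319aafa6f87ef2beb93545c7e9c476e7e5150f1da7ed059471a81a
1 7 3 38 0800d602ff8c2fc404838a2edce7580501116cf8f0e705a577a4a322f5bf80fc97342df86725
2 7 23 46 1000e006190a5eaf6279e30ad541279be4ab3f02332ad84e356487acc44b24131f28a0576d224eab74e5b5803320 1 0 -1
-1;""".split())


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    M = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for i in range(16):  # round 1: variables rotate so each step updates "a"
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4]), b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4]), b, c
        st = [(s + v) & M for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)


def nt_hash(password: str) -> bytes:
    """RFC 4757 string-to-key for arcfour-hmac: the salt is ignored entirely."""
    return md4(password.encode("utf-16le"))


def parse_princ_record(line: str) -> dict:
    """Parse one 'princ' record; 'type length hex' triples print '-1' when length is 0."""
    t = line.strip().rstrip(";").split()
    if t[0] != "princ":
        raise ValueError("not a princ record")
    name_len, n_tl, n_key, e_len = map(int, t[2:6])
    name = t[6]
    if len(name) != name_len:
        raise ValueError("principal name length mismatch")
    attrs, max_life, max_renew, expire, pw_expire, last_ok, last_fail, fail_count = map(int, t[7:15])
    i = 15

    def item():
        nonlocal i
        typ, ln = int(t[i]), int(t[i + 1])
        val = bytes.fromhex(t[i + 2]) if ln else b""
        if len(val) != ln:
            raise ValueError("hex length does not match declared length")
        i += 3
        return typ, val

    tl_data = [item() for _ in range(n_tl)]
    keys = []
    for _ in range(n_key):
        ver, kvno = int(t[i]), int(t[i + 1])
        i += 2
        enctype, blob = item()  # element 0 is always the (encrypted) key
        salttype, salt = item() if ver > 1 else (None, b"")  # element 1 is the salt
        keys.append({"kvno": kvno, "enctype": enctype, "blob": blob, "salttype": salttype, "salt": salt})
    e_data = bytes.fromhex(t[i]) if e_len else b""
    if i + 1 != len(t):
        raise ValueError("unexpected trailing tokens")
    return {"name": name, "attributes": attrs, "max_life": max_life, "fail_count": fail_count,
            "tl_data": tl_data, "keys": keys, "e_data": e_data}


def split_key_blob(blob: bytes):
    """2-byte LE plaintext key length, then the key encrypted under the master key.
    With an AES-256 master key that is 16-byte confounder + key + 12-byte HMAC, so a
    16-byte RC4 key shows up as 44 bytes of ciphertext."""
    (plain_len,) = struct.unpack("<H", blob[:2])
    return plain_len, blob[2:]


def decode_tl_data(tl_data):
    """Decode the two tl_data types whose layout is a LE timestamp (+ NUL-terminated name)."""
    out = {}
    for typ, val in tl_data:
        if typ == KRB5_TL_LAST_PWD_CHANGE:
            out["last_pwd_change"] = struct.unpack("<I", val)[0]
        elif typ == KRB5_TL_MOD_PRINC:
            out["mod_date"] = struct.unpack("<I", val[:4])[0]
            out["mod_princ"] = val[4:].split(b"\0", 1)[0].decode()
    return out


def describe_rc4_keys(rec):
    """(plaintext key length, ciphertext length, salt type) for every arcfour-hmac entry."""
    out = []
    for k in rec["keys"]:
        if k["enctype"] == ENCTYPE_ARCFOUR_HMAC:
            plain_len, ct = split_key_blob(k["blob"])
            out.append((plain_len, len(ct), k["salttype"]))
    return out


if __name__ == "__main__":
    rec = parse_princ_record(DUMP_RECORD)
    meta = decode_tl_data(rec["tl_data"])
    print(rec["name"], "last modified by", meta["mod_princ"], "at", meta["mod_date"])
    for plain_len, ct_len, salttype in describe_rc4_keys(rec):
        print(f"arcfour-hmac: {plain_len}-byte RC4 key stored as {ct_len} bytes of "
              f"master-key ciphertext, salt type {salttype}")
    # Hypothetical password: the post does not reveal user01's.
    print("NT hash of 'password':", nt_hash("password").hex())
```

The 16-byte key the KDC derived for user01 is therefore in the dump, but only in encrypted form; comparing it against an NT hash computed this way requires the plaintext key, which kadmin.local can export with `ktadd -norandkey` into a keytab that `klist -e -K` then prints.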
