NT hashes in krb5

Benjamin Kaduk kaduk at MIT.EDU
Tue Jan 20 00:02:38 EST 2015

On Mon, 19 Jan 2015, Zaid Arafeh wrote:

> If I have the K/M key (which is in the database) and I have the password
> for the master key, would that make extracting hashes from the database
> easier? I looked at the keytab file (thnx) , unfortunately keytab files
> usually don't store the krbtgt key (which is what I am looking for )

The K/M *key* is not in the database; it is only in the stash file (if
extant) and derivable from the password for the master key.  You could in
principle perform the string2key operation on the master key password and
decrypt the relevant database entries, but that's quite a lot of work.

Greg was suggesting using kadmin.local on the KDC itself to create a
keytab for the purpose of your experiment -- it need not be (and probably
should not be) a keytab used for anything else.  If you are intersted in
the krbtgt key, you could do something like "kadmin.local -q 'ktadd
-norandkey -k /tmp/keytab krbtgt/REALM'" to extract a keytab containing
that key.

That said, the krbtgt key should be a random key, not a password-derived
one, so I don't understand how an NT hash would be involved with it.

-Ben Kaduk

More information about the Kerberos mailing list