I often use openssl s_client to test and debug SSL connections (to LDAPS or HTTPS services). It allows me to isolate the problem down to SSL, without anything getting in the way.

I want to do something similar with Kerberos. I would like to use a small test, which would show :

  1. The initial machine logon (the computer account)
  2. The initial AS request from the user requesting a service
  3. The Kerberos exchange of the user getting a ticket
  4. (optional) the request being sent to the service

I can do steps 1, 2 and 3 if I run Wireshark on a KDC, but it is usually not an option. I can manage to capture steps 2, 3 and 4 if I monitor traffic on the client.

Is there a tool that would allow me to capture every Kerberos login step, starting with the computer account, without running Wireshark on the KDC?

ixe013
  • I'm sorry but I don't understand what you expect to see in Wireshark if you don't actually send the request. – Ryan Ries Dec 14 '12 at 02:34
  • The exchange with the KDC – ixe013 Dec 14 '12 at 02:35
  • So run Wireshark. Purge your tickets. Reauthenticate. Stop your Wireshark trace. Profit. – Ryan Ries Dec 14 '12 at 02:38
  • I read the question as being about a tool to initiate an authentication from the command line. – rackandboneman Dec 14 '12 at 02:45
  • net stop netlogon & net start netlogon. That will do it. – Ryan Ries Dec 14 '12 at 02:52
  • As Ryan indicated, after you purge the tickets, as soon as you attempt to connect to any resource that requires authentication, a ticket sequence occurs. And the Kerberos parser in Wireshark is as good as it gets; it's actually far superior to Microsoft Network Monitor. – Greg Askew Dec 14 '12 at 03:13

2 Answers

I'll go ahead and submit my previous comments as an answer. I hope it's what the OP wanted.

As you already know, you can use `klist.exe` to purge your Kerberos tickets.

So fire up Wireshark and start a trace. Then purge your Kerberos tickets. Then in a command prompt, type `net stop netlogon & net start netlogon`. (Or do something like try to access a network file share.) That will cause the computer to request new Kerberos tickets from the KDC/Domain Controller. Now stop your Wireshark trace. You have successfully captured a network trace containing the interaction between domain member and domain controller.

Ryan Ries
  • That is what I was looking for. It never occurred to me that I could restart the netlogon service. From server_A, I use `net view \\server_B` and I get the trace I need. – ixe013 Dec 14 '12 at 04:00

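The procedure from this answer and its comment, scripted end to end as an added example (it is not code from either answer). It assumes an elevated PowerShell on a Windows 7 / Server 2008 R2 or later domain member (where `netsh trace` exists), a writable C:\temp, and `\\server_B` as a placeholder target taken from the comment above.

```powershell
# Added example: capture the full Kerberos logon sequence from the client side.
# Assumed: elevated prompt, C:\temp exists, $Target is a reachable file server.
param(
    [string]$Target  = '\\server_B',            # placeholder from the comment above
    [string]$Capture = 'C:\temp\krb-logon.etl'
)

# 1. Start a packet capture. Kerberos uses TCP/UDP 88, but capturing everything
#    and filtering on "kerberos" later keeps the DNS/LDAP/SMB context around it.
netsh trace start capture=yes report=disabled maxsize=200 tracefile=$Capture | Out-Null

# 2. Purge the current user's tickets ...
klist purge | Out-Null
# ... and the computer account's. Those live in the SYSTEM logon session
#    (LUID 0x3e7), which a plain "klist purge" never touches; without this,
#    the machine-account exchange (step 1 of the question) does not reappear.
klist -li 0x3e7 purge | Out-Null

# 3. Restarting Netlogon makes the computer re-establish its relationship with a
#    DC; with its tickets gone, the machine-account AS-REQ/AS-REP shows up here.
Restart-Service Netlogon

# 4. Touching a share as the user produces the user's AS exchange (TGT), the
#    TGS exchange (cifs/server_B ticket) and the AP-REQ inside the SMB session
#    setup: steps 2, 3 and 4 of the question.
net view $Target | Out-Null

# 5. Stop the capture; netsh takes a few seconds to flush the .etl file.
netsh trace stop | Out-Null

# Expected order after filtering on "kerberos" in the viewer:
#   AS-REQ/AS-REP   for HOST$@REALM          (machine logon, step 1)
#   AS-REQ/AS-REP   for user@REALM           (user TGT, step 2)
#   TGS-REQ/TGS-REP for cifs/server_B@REALM  (service ticket, step 3)
#   AP-REQ inside SMB Session Setup          (step 4)
# A KRB5KDC_ERR_PREAUTH_REQUIRED before each AS-REP is normal: the KDC is asking
# the client to prove it holds the key before it issues a TGT.
Write-Host "Capture written to $Capture"
```

The .etl file opens directly in Microsoft Network Monitor; for Wireshark, convert it first with Microsoft's etl2pcapng tool (github.com/microsoft/etl2pcapng).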

Update: this answer is *nix specific and the question is about windows. Leaving it in for future reference, just in case.

You can use:

  • `kdestroy` to wipe out your old tickets
  • `kinit` to request a TGT
  • `kvno` to request a ticket for a service, e.g. `kvno host/$(hostname -f)`

Oh, and klist does not let you purge the cache. It shows what tickets you have obtained.

chutz
  • The question should be clearer, but the asker is talking about a Windows host (windows-server-2008 tag), not a Unix-like. Klist.exe certainly does allow you to purge the cache. – jgoldschrafe Dec 14 '12 at 04:40
  • Haha, sorry, didn't notice the tag. I thought something doesn't add up. – chutz Dec 14 '12 at 04:51
  • Also: prefix any of these commands with `KRB5_TRACE=/dev/stdout` to get a more detailed log – Markus Kuhn Feb 11 '20 at 10:54