Forked from raandree/Get-KerberosKeytab.ps1
Created February 14, 2019 21:50
Parses Kerberos Keytab files
#Created by [email protected]
#Got keytab structure from
# keytab {
# uint16_t file_format_version; /* 0x502 */
# keytab_entry entries[*];
# };
# keytab_entry {
# int32_t size;
# uint16_t num_components; /* sub 1 if version 0x501 */
# counted_octet_string realm;
# counted_octet_string components[num_components];
# uint32_t name_type; /* not present if version 0x501 */
# uint32_t timestamp;
# uint8_t vno8;
# keyblock key;
# uint32_t vno; /* only present if >= 4 bytes left in entry */
# };
# counted_octet_string {
# uint16_t length;
# uint8_t data[length];
# };
# keyblock {
# uint16_t type;
# counted_octet_string;
# };
#$keytabefile = "C:\Users\piaudonn\Documents\Kerberos\816.keytab"
#Convert the file to an array of bytes
[byte[]]$keytab = Get-Content -Path $Path -Encoding Byte
#We are going to read the "stream" byte per byte... Old school mama
$script:offset = 0 #We use this to keep track where we are in the file
$script:keytabStream = [byte[]]$keytab
#Need to know how many bytes in total to manage situation with padding
$keytabStreamLenght = $script:keytabStream.Count
#Keytabs can have multiple entries (although ktpass can't do that, other utility might)
$nbEntry = 0
#Got the list from the Netmon parser
$encType = @{
1 = 'des-cbc-crc'
2 = 'des-cbc-md4'
3 = 'des-cbc-md5'
4 = '[reserved]'
5 = 'des3-cbc-md5'
6 = '[reserved]'
7 = 'des3-cbc-sha1'
9 = 'dsaWithSHA1-CmsOID'
10 = 'md5WithRSAEncryption-CmsOID'
11 = 'sha1WithRSAEncryption-CmsOID'
12 = 'rc2CBC-EnvOID'
13 = 'rsaEncryption-EnvOID'
14 = 'rsaES-OAEP-ENV-OID'
15 = 'des-ede3-cbc-Env-OID'
16 = 'des3-cbc-sha1-kd'
17 = 'aes128-cts-hmac-sha1-96'
18 = 'aes256-cts-hmac-sha1-96'
23 = 'rc4-hmac'
24 = 'rc4-hmac-exp'
65 = 'subkey-keymaterial'
$nameTypes = @{
3 = 'NT-SRV-HST'
5 = 'NT-UID'
#The big crappy function reading bytes and updating the pointer
function ReadKeytab
[int]$_size = 0
$_string = ''
switch ($_type) {
#Little endian...
$_size = 1
$_value = $script:keytabStream[$script:offset]
#Little endian...
$_size = 2
$_value = [System.BitConverter]::ToUInt16( $script:keytabStream[($script:offset+1)..($script:offset)] , 0)
#Little endian...
$_size = 4
$_value = [System.BitConverter]::ToInt32( $script:keytabStream[($script:offset+3)..($script:offset)] , 0)
#Little endian...
$_size = 4
$_value = [System.BitConverter]::ToUInt32( $script:keytabStream[($script:offset+3)..($script:offset)] , 0)
#Little endian...
$_data = ''
$_value = 0
$_bytes = [System.BitConverter]::ToString($script:keytabStream[($script:offset)..($script:offset+$_size-1)])
$_string = $_bytes
#Little endian...
$_data = ''
$_value = 0
$_bytes = $script:keytabStream[($script:offset)..($script:offset+$_size-1)] | ForEach-Object -Process {
$_data += [char] $_
$_string = $_data
$script:offset = $script:offset + $_size
$_hex_size = $_size * 2
$_return = New-Object -TypeName psobject -Property @{
_value = $_value
_size = $_size
_hex = ( "0x{0:X$_hex_size}" -f $_value )
_string = $_string
return $_return
#File Format Version
Write-Output -InputObject "Version header: $((ReadKeytab 'UInt16')._hex)"
#Parse each entry
$entryentrypoint = $script:offset
Write-Output -InputObject "Entry id: $nbEntry"
$entrysize = [int] (ReadKeytab 'Int32')._value
Write-Output -InputObject "`tEntry size: $entrysize bytes"
#Nb Component
$nbcomponent = (ReadKeytab 'UInt16')._value + 1
for ($i = 0; $i -le $nbcomponent-1; $i++)
[int] $nbchar = (ReadKeytab 'UInt16')._value
Write-Output -InputObject "`tComponent $($i): $((ReadKeytab 'String' ($nbchar))._string)"
Write-Output -InputObject "`tName type: $($nameTypes[ [int] (ReadKeytab 'UInt32')._value ])"
Write-Output -InputObject "`tTimestamp: $((ReadKeytab 'UInt32')._hex)"
Write-Output -InputObject "`tKvno: $((ReadKeytab 'UInt8')._value)"
Write-Output -InputObject "`tKeyblock"
Write-Output -InputObject "`t`tEncryption type: $($encType[ [int] (ReadKeytab 'UInt16')._value ])"
[int] $nbchar = (ReadKeytab 'UInt16')._value
Write-Output -InputObject "`t`tKey: $((ReadKeytab 'Key' ($nbchar))._string)"
$entryexitoffset = $script:offset
if ( ( $entryexitoffset - $entryentrypoint ) -le ($entrysize - 4) )
Write-Output -InputObject "`tvno: $((ReadKeytab 'UInt32')._value)"
until ($script:offset -ge $keytabStreamLenght )
