Version: 1.3.0

Kerberos Decode

Parse Security

Synopsis

Extracts and decodes Kerberos ticket information.

Schema

- kerberos_decode:
    field: <ident>
    target_field: <string>
    ticket_type: <string>
    extract_principals: <boolean>
    decode_times: <boolean>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

Field              | Required | Default         | Description
-------------------|----------|-----------------|--------------------------------------------------
field              | Y        | -               | Source field containing Kerberos ticket data
target_field       | N        | {field}_decoded | Target field to store decoded ticket information
ticket_type        | N        | auto            | Ticket type: auto, tgt, service, renewal
extract_principals | N        | true            | Extract client and service principal names
decode_times       | N        | true            | Decode ticket timestamps to readable format
description        | N        | -               | Explanatory note
if                 | N        | -               | Condition to run
ignore_failure     | N        | false           | Continue processing if decoding fails
ignore_missing     | N        | false           | Skip processing if referenced field doesn't exist
on_failure         | N        | -               | See Handling Failures
on_success         | N        | -               | See Handling Success
tag                | N        | -               | Identifier

Details

Decodes Kerberos ticket data to extract authentication and authorization information. The processor can handle various Kerberos ticket types including Ticket Granting Tickets (TGT) and service tickets.

The decoded output includes principal names, ticket validity periods, encryption types, and ticket flags that indicate the ticket's capabilities and restrictions.

note

Kerberos tickets contain encoded authentication information including encrypted session keys, principal names, and validity timestamps. The processor extracts the readable portions without requiring decryption keys.

When extract_principals is enabled, the processor extracts and formats client and service principal names for easy identification of the authentication parties.

warning

Kerberos ticket parsing requires properly formatted ticket data. Corrupted or truncated tickets will cause the processor to fail unless ignore_failure is set to true.
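The fields the processor reads without a key (realm, service principal, encryption type) sit in the DER structure of the Kerberos Ticket outside its encrypted part. As an added illustration, not code from this documentation or the product, the Python below builds a constructed sample Ticket (RFC 4120 section 5.3, with a dummy cipher blob) and walks its ASN.1 to recover those fields, raising on truncated input as the warning above describes. The function names, the sample realm and the principal parts are assumptions.

```python
import base64
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def der(tag, body):  # minimal DER TLV encoder (short and long definite lengths)
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(ln)]) + ln
    return bytes([tag]) + hdr + body

def ctx(n, body):  # explicit context-specific tag [n], as RFC 4120 uses throughout
    return der(0xA0 | n, body)

def sample_ticket(realm, sname_parts, etype=18):  # constructed sample, not a real ticket
    # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    sname = der(0x30, ctx(0, der(0x02, b"\x02")) +
                ctx(1, der(0x30, b"".join(der(0x1B, p.encode()) for p in sname_parts))))
    enc = der(0x30, ctx(0, der(0x02, bytes([etype]))) + ctx(2, der(0x04, b"\x00" * 16)))
    seq = der(0x30, ctx(0, der(0x02, b"\x05")) + ctx(1, der(0x1B, realm.encode())) +
              ctx(2, sname) + ctx(3, enc))
    return base64.b64encode(der(0x61, seq)).decode()

def tlv(buf, pos):  # read one TLV; a body cut short raises instead of being misread
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated ticket data")
    return tag, buf[pos:pos + ln], pos + ln

def items(buf):  # every TLV inside a SEQUENCE body
    pos = 0
    while pos < len(buf):
        tag, body, pos = tlv(buf, pos)
        yield tag, body

def ctx_fields(seq_body):  # map [n] -> value body of each explicitly tagged field
    return {t & 0x1F: tlv(b, 0)[1] for t, b in items(seq_body)}

def decode_ticket(b64):  # cleartext fields only; no decryption key is needed
    tag, body, _ = tlv(base64.b64decode(b64), 0)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket ([APPLICATION 1] expected)")
    f = ctx_fields(tlv(body, 0)[1])
    realm = f[1].decode()
    names = [b.decode() for _, b in items(ctx_fields(f[2])[1])]
    etype = int.from_bytes(ctx_fields(f[3])[0], "big")
    return {"ticket_type": "tgt" if names[0] == "krbtgt" else "service",
            "service_principal": "/".join(names) + "@" + realm, "realm": realm,
            "encryption_type": ETYPES.get(etype, f"etype-{etype}")}
```

A service name of krbtgt marks a TGT, which is the same distinction the processor's ticket_type output draws; client_principal lives in the encrypted part and so is not recoverable this way from the Ticket alone.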

Examples

Basic Ticket Decoding

Decoding Kerberos ticket structure...

{
  "krb_ticket": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
}

- kerberos_decode:
    field: krb_ticket
    target_field: ticket_info

extracts ticket information:

{
  "krb_ticket": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ...",
  "ticket_info": {
    "ticket_type": "service",
    "client_principal": "<client>@DOMAIN.COM",
    "service_principal": "HTTP/<host>@DOMAIN.COM",
    "realm": "DOMAIN.COM",
    "encryption_type": "aes256-cts-hmac-sha1-96",
    "ticket_flags": ["forwardable", "renewable"]
  }
}

With Time Decoding

Including ticket validity timestamps...

{
  "auth_ticket": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
}

- kerberos_decode:
    field: auth_ticket
    decode_times: true
    target_field: ticket_details

includes timestamp information:

{
  "auth_ticket": "YIIBqgYJKoZIhvcSAQI...",
  "ticket_details": {
    "client_principal": "<client>@DOMAIN.COM",
    "service_principal": "krbtgt/DOMAIN.COM@DOMAIN.COM",
    "auth_time": "2024-01-15T10:30:00Z",
    "start_time": "2024-01-15T10:30:00Z",
    "end_time": "2024-01-15T20:30:00Z",
    "renew_till": "2024-01-22T10:30:00Z"
  }
}

TGT Ticket Analysis

Analyzing Ticket Granting Ticket...

{
  "tgt_data": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
}

- kerberos_decode:
    field: tgt_data
    ticket_type: tgt
    target_field: tgt_info

identifies TGT-specific information:

{
  "tgt_data": "YIIBqgYJKoZIhvcSAQI...",
  "tgt_info": {
    "ticket_type": "tgt",
    "client_principal": "<client>@DOMAIN.COM",
    "service_principal": "krbtgt/DOMAIN.COM@DOMAIN.COM",
    "is_initial": true,
    "is_renewable": true,
    "renewable_until": "2024-01-22T10:30:00Z"
  }
}

Multiple Tickets

Processing array of ticket data...

{
  "ticket_cache": [
    "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ...",
    "MIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
  ]
}

- kerberos_decode:
    field: ticket_cache
    target_field: decoded_tickets

decodes each ticket:

{
  "ticket_cache": [...],
  "decoded_tickets": [
    {
      "ticket_type": "tgt",
      "client_principal": "<client>@DOMAIN.COM"
    },
    {
      "ticket_type": "service",
      "service_principal": "HTTP/<host>@DOMAIN.COM"
    }
  ]
}