Using Wireshark with a keytab to decrypt encrypted traffic
You only need to do that once:
- Open Wireshark
- Goto: Preferences -> Protocols -> KRB5
- Select: Try to decrypt encrypted Kerberos blobs
The easiest way, on a unix-like system is to run
wireshark -K <PATH TO KEYTAB> <PCAP FILE>
Note: Wireshark for 64-bit Windows (GUI or command-line) doesn't like the -K flag, run the 32-bit Windows version instead.
The other way, is to specify the keytab in Preferences -> Protocols -> KRB5 -> keytab path
How to extract the keytab?
Decrypted AES DCE/RPC
To do this, you will need metze's wireshark branch, and his patched verison of MIT Kerberos
Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to MIT Kerberos 1.6, and set LD_LIBRARY_PATH to wherever you put the result.