Once you have captured packets you can use Wireshark to analyze them. In many cases the traffic has to be decrypted before an exchange can be analyzed correctly, and for Kerberos that means giving Wireshark a keytab with the right keys.
How to Extract a keytab containing your domain's passwords
There are two ways to obtain a keytab from an Active Directory Domain with Samba:
To use Samba 4 for this, it needs a copy of the domain database. If it is already a domain controller for your domain, you can skip the next step.
Clone the DC:
samba-tool drs clone-dc-database --include-secrets --targetdir=/tmp/foo <REALM> --server=<SERVER> -U<USER>
samba-tool domain exportkeytab PATH_TO_KEYTAB --configfile=/tmp/foo/etc/smb.conf
If you don't have the `samba-tool drs clone-dc-database` command, your Samba version is not new enough and you will need to join the domain instead. See how to join Samba4 as a domain controller, then run:
samba-tool domain exportkeytab PATH_TO_KEYTAB
It writes a keytab to PATH_TO_KEYTAB containing the current keys for every host and user in the domain.
The second way is to join the domain and then run:
net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights
Note that the path to the keytab file needs to be an absolute path. In some situations you might also need to append @domain.tld to the administrative username.
Online Keytab Creation from Machine Account Password
In a field deployment on a domain with 100K+ accounts, extracting all passwords is not feasible for policy and scale reasons. What if you just want to decrypt packet captures made by a member server, i.e. traffic encrypted with its machine account password (or keys derived from that password)? The following command, run on the member server, produces such a keytab:
KRB5_KTNAME=FILE:/path/to/file.keytab net ads keytab CREATE -P
Offline Keytab Creation from secrets.tdb
If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials if you can get hold of the server's secrets.tdb. This method can also be done offline on a different machine.
In a dump of secrets.tdb, look for the key SECRETS/MACHINE_PASSWORD/<domain>; the password is that record's value without the trailing zero byte (\00). Use the ktutil utility to construct the keytab:
ktutil: add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes256-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil: add_entry -password -p host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> -e aes128-cts-hmac-sha1-96 -k 1
Password for host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN>:
ktutil: write_kt my.keytab
ktutil: q
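The offline procedure above (dump secrets.tdb, pull out the machine password, feed it to ktutil) done as a script, so that the NUL stripping and the exact key match are not left to hand editing. This is an added example, not code from the Samba wiki or the Samba project. It assumes that `tdbdump secrets.tdb` prints records as key(N)/data(N) lines with non-printable bytes escaped as \XX, that the ktutil in use is MIT's (the syntax shown on this page; Heimdal's ktutil uses different subcommands) and that it accepts the add_entry password on stdin; the dump, the domain EXAMPLE, the host fs1.example.test and the password are all constructed for the example. The host/<fqdn> principal is kept deliberately: Active Directory salts a computer account's AES keys with REALM + "host" + the lower-case FQDN, which is the default salt MIT derives for host/<fqdn>@REALM, so the keytab keys only match if the FQDN is written in lower case.

```sh
#!/bin/sh
# Added example (not from the Samba wiki or project): build a keytab offline
# from the machine password stored in secrets.tdb.
# Assumptions: tdbdump prints key(N)/data(N) lines with \XX escapes, and MIT
# ktutil reads the add_entry password from stdin.  Names and values are made up.
set -eu

# Constructed stand-in for `tdbdump secrets.tdb` output.  The .PREV record is
# there to show that the key must match exactly, not merely by prefix.
SAMPLE_TDBDUMP='{
key(37) = "SECRETS/MACHINE_PASSWORD.PREV/EXAMPLE"
data(12) = "oldPassword\00"
}
{
key(32) = "SECRETS/MACHINE_PASSWORD/EXAMPLE"
data(16) = "s3cr3tMachinePw\00"
}
{
key(40) = "SECRETS/MACHINE_LAST_CHANGE_TIME/EXAMPLE"
data(4) = "\00\00\00\00"
}'

# machine_password_from_tdbdump DOMAIN   (reads a tdbdump on stdin)
# Prints the value stored under SECRETS/MACHINE_PASSWORD/DOMAIN with the
# trailing NUL (\00) removed; prints nothing if that record is absent.
# Samba-generated machine passwords are printable ASCII, so the NUL is the
# only tdbdump escape that needs handling here.
machine_password_from_tdbdump() {
    awk -v want="SECRETS/MACHINE_PASSWORD/$1" '
        /^key\([0-9]+\) = "/ {
            k = $0
            sub(/^key\([0-9]+\) = "/, "", k)
            sub(/"$/, "", k)
            hit = (k == want)      # exact match: .PREV must not qualify
            next
        }
        hit && /^data\([0-9]+\) = "/ {
            v = $0
            sub(/^data\([0-9]+\) = "/, "", v)
            sub(/"$/, "", v)
            sub(/\\00$/, "", v)    # drop the NUL terminator
            print v
            exit
        }'
}

# ktutil_commands PRINCIPAL PASSWORD KEYTAB
# Emits the MIT ktutil script equivalent to the interactive session on this
# page: an AES-256 and an AES-128 entry with kvno 1, then write_kt.
ktutil_commands() {
    for etype in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96; do
        printf 'add_entry -password -p %s -e %s -k 1\n%s\n' "$1" "$etype" "$2"
    done
    printf 'write_kt %s\nquit\n' "$3"
}

# write_keytab DOMAIN HOST_FQDN REALM KEYTAB   (reads a tdbdump on stdin)
# HOST_FQDN must be lower case so MIT's default salt for host/<fqdn>@REALM
# equals the salt AD used for the computer account's AES keys.
write_keytab() {
    pw=$(machine_password_from_tdbdump "$1")
    [ -n "$pw" ] || { echo "no machine password for $1 in dump" >&2; return 1; }
    ktutil_commands "host/$2@$3" "$pw" "$4" | ktutil
}

# Demonstration on the constructed sample.  On a real server you would pipe
# `tdbdump /var/lib/samba/private/secrets.tdb` (path varies by distribution)
# into write_keytab instead.  ktutil is only invoked when it is installed.
if command -v ktutil >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_TDBDUMP" | write_keytab EXAMPLE fs1.example.test EXAMPLE.TEST my.keytab
    klist -k -e my.keytab      # check that both enctypes are present
else
    printf '%s\n' "$SAMPLE_TDBDUMP" | machine_password_from_tdbdump EXAMPLE
fi
```

After write_keytab, `klist -k -e my.keytab` should list both enctypes for host/fs1.example.test@EXAMPLE.TEST; if a capture still does not decrypt, the usual causes are a wrong realm case, an upper-case FQDN (wrong salt) or a machine password that has since been rotated.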
A less cumbersome way, using a Windows server, is:
ktpass /out my.keytab /pass <password> /princ host/<server-name>.<domain-fqdn>@<DOMAIN-FQDN> /ptype KRB5_NT_SRV_INST /crypto all