Wireshark Decryption: Difference between revisions

From SambaWiki
Line 18: Line 18:
The other way, is to specify the keytab in Preferences -> Protocols -> KRB5 -> keytab path
The other way, is to specify the keytab in Preferences -> Protocols -> KRB5 -> keytab path


To get the keytab, see [[Keytab_Extraction|How to extract a keytab from a windows domain with Samba]]
===How to extract the keytab?===

See: [[Keytab_Extraction|How to extract a keytab from a windows domain with Samba]]


==Decrypted AES DCE/RPC==
==Decrypted AES DCE/RPC==

Revision as of 15:47, 10 January 2018

Using Wireshark with a keytab to decrypt encrypted traffic

Prerequisite

You only need to do that once:

  • Open Wireshark
  • Goto: Preferences -> Protocols -> KRB5
  • Select: Try to decrypt encrypted Kerberos blobs

Basic decryption

The easiest way, on a unix-like system is to run

wireshark -K <PATH TO KEYTAB> <PCAP FILE>

Note: Wireshark for 64-bit Windows (GUI or command-line) doesn't like the -K flag, run the 32-bit Windows version instead.

The other way, is to specify the keytab in Preferences -> Protocols -> KRB5 -> keytab path

How to extract the keytab?

See: How to extract a keytab from a windows domain with Samba

Decrypted AES DCE/RPC

To do this, you will need metze's wireshark branch, and his patched verison of MIT Kerberos

http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi git://git.samba.org/metze/wireshark/wip.git ws-metze-gssapi

Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to MIT Kerberos 1.6, and set LD_LIBRARY_PATH to wherever you put the result.