Revision as of 15:44, 10 January 2018

Using Wireshark with a keytab to decrypt encrypted traffic

The easiest way, on a unix-like system is to run

wireshark -K <PATH TO KEYTAB> <PCAP FILE>

Note: Wireshark for 64-bit Windows (GUI or command-line) doesn't like the -K flag, run the 32-bit Windows version instead.

The other way, is to specify the keytab in Preferences -> Protocols -> KRB5 -> keytab path

To do this, you will need metze's wireshark branch, and his patched verison of MIT Kerberos

Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to MIT Kerberos 1.6, and set LD_LIBRARY_PATH to wherever you put the result.

@@ Line 1: / Line 1: @@
 =Using Wireshark with a keytab to decrypt encrypted traffic=
+==Prerequisite==
+* Open Wireshark
+* Goto: Preferences -> Protocols -> KRB5
+* Select: Try to decrypt encrypted Kerberos blobs
 ==Basic decryption==
 The easiest way, on a unix-like system is to run
- wireshark -K PATH_TO_KEYTAB
+ wireshark -K <PATH TO KEYTAB> <PCAP FILE>
 Note: Wireshark for 64-bit Windows (GUI or command-line) doesn't like the -K flag, [http://ask.wireshark.org/questions/7408/keytab-kerberos run the 32-bit Windows version instead].
-The other way, is to specify it in Preferences -> Protocols -> KRB5 -> keytab path
+The other way, is to specify the keytab in Preferences -> Protocols -> KRB5 -> keytab path
-Either way, you must set Preferences -> Protocols -> KRB5 -> Try to decrypt encrypted Kerberos blobs
-(otherwise it won't try).
 To get the keytab, see [[Keytab_Extraction|How to extract a keytab from a windows domain with Samba]]