Wireshark Decryption: Difference between revisions
From SambaWiki
(new page hinting on the kerberos decryption trick with Wireshark) |
(→Decrypted AES DCE/RPC: Fix Kerberos link and branch name of git tree.) |
||
Line 17: | Line 17: | ||
http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi |
http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi |
||
git://git.samba.org/metze/wireshark/wip.git ws-metze- |
git://git.samba.org/metze/wireshark/wip.git ws-metze-gssapi |
||
Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to [ |
Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to [http://web.mit.edu/Kerberos/ MIT Kerberos] 1.6, and set LD_LIBRARY_PATH to wherever you put the result. |
Revision as of 09:23, 4 August 2010
Using Wireshark with a keytab to decrypt encrypted traffic
Basic decryption
The easiest way, on a unix-like system is to run
wireshark -K PATH_TO_KEYTAB
The other way, is to specify it in Preferences -> Protocols -> KRB5 -> keytab path
Either way, you must set Preferences -> Protocols -> KRB5 -> Try to decrypt encrypted Kerberos blobs (otherwise it won't try).
To get the keytab, see How to extract a keytab from a windows domain with Samba
Decrypted AES DCE/RPC
To do this, you will need metze's wireshark branch, and his patched verison of MIT Kerberos
http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi git://git.samba.org/metze/wireshark/wip.git ws-metze-gssapi
Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to MIT Kerberos 1.6, and set LD_LIBRARY_PATH to wherever you put the result.