Wireshark Decryption

From SambaWiki
Revision as of 03:39, 26 February 2010 by Abartlet (talk | contribs) (new page hinting on the kerberos decryption trick with Wireshark)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Using Wireshark with a keytab to decrypt encrypted traffic

Basic decryption

The easiest way, on a unix-like system is to run

wireshark -K PATH_TO_KEYTAB

The other way, is to specify it in Preferences -> Protocols -> KRB5 -> keytab path

Either way, you must set Preferences -> Protocols -> KRB5 -> Try to decrypt encrypted Kerberos blobs (otherwise it won't try).

To get the keytab, see How to extract a keytab from a windows domain with Samba

Decrypted AES DCE/RPC

To do this, you will need metze's wireshark branch, and his patched verison of MIT Kerberos

http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi git://git.samba.org/metze/wireshark/wip.git ws-metze-gsspai

Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to http://web.mit.edu/Kerberos/ 1.6, and set LD_LIBRARY_PATH to wherever you put the result.