Wireshark Decryption
From SambaWiki
Revision as of 15:47, 10 January 2018
Using Wireshark with a keytab to decrypt encrypted traffic
Prerequisite
You only need to do this once:
- Open Wireshark
- Go to: Preferences -> Protocols -> KRB5
- Select: Try to decrypt encrypted Kerberos blobs (if this is not enabled, Wireshark will not attempt decryption even when a keytab is supplied)
Basic decryption
The easiest way, on a Unix-like system, is to run
wireshark -K <PATH TO KEYTAB> <PCAP FILE>
Note: Wireshark for 64-bit Windows (GUI or command-line) doesn't like the -K flag; run the 32-bit Windows version instead (see http://ask.wireshark.org/questions/7408/keytab-kerberos).
The other way is to specify the keytab in Preferences -> Protocols -> KRB5 -> keytab path. Decryption only succeeds for blobs whose key (the right service principal, encryption type and key version number) is actually present in the keytab; if a blob stays encrypted, check the keytab contents before suspecting Wireshark.
How to extract the keytab?
See: How to extract a keytab from a windows domain with Samba
Decrypted AES DCE/RPC
To decrypt DCE/RPC traffic protected with AES Kerberos keys, you will need metze's Wireshark branch and his patched version of MIT Kerberos:
http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi
git://git.samba.org/metze/wireshark/wip.git ws-metze-gssapi
Also, you will need to apply krb5-1.6-wireshark-hack-01.diff to MIT Kerberos 1.6 (http://web.mit.edu/Kerberos/), and set LD_LIBRARY_PATH to wherever you put the result so that Wireshark loads the patched library rather than the system one.
This describes an out-of-tree setup from the MIT Kerberos 1.6 era; before building it, check whether the Wireshark release you are running already decrypts AES-protected GSSAPI/DCE-RPC on its own.
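Both the basic keytab decryption and the AES DCE/RPC case above depend on one thing: the keytab handed to Wireshark must actually hold the service key with the encryption type (17 or 18 for AES) and key version number that the capture used, otherwise the blobs silently stay encrypted. The keytab inspector below is an added example for this page, not Samba or Wireshark code. It parses the MIT keytab format (header 0x0502, big-endian records, optional 32-bit kvno trailer), lists principal/kvno/enctype for each entry, and reports which (principal, enctype) pairs a capture needs but the keytab lacks. The realm, principals, kvno and key bytes in the sample keytab are constructed for the example and are not real secrets.

```python
"""Inspect a Kerberos keytab before handing it to Wireshark (-K / keytab path).

Added example for this page, not Samba or Wireshark code.  Parses the MIT
keytab format (header 0x0502, big-endian) and reports which (principal,
enctype) pairs needed for a capture are missing.  Sample data is constructed.
"""
import struct
import sys
from dataclasses import dataclass

# Kerberos enctype numbers; 17/18 are the AES types the AES DCE/RPC section is about.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. cifs/dc1.example.com@EXAMPLE.COM (constructed)
    kvno: int
    enctype: int
    key: bytes

    def enctype_name(self):
        return ENCTYPES.get(self.enctype, "enctype-%d" % self.enctype)


def _counted(buf, off):
    """Read a uint16-length-prefixed byte string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse a 0x0502 keytab into KeytabEntry objects (deleted entries are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:               # negative size = deleted entry (hole of -size bytes)
            off += -size
            continue
        end = off + size
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        (enctype,) = struct.unpack_from(">H", data, p); p += 2
        key, p = _counted(data, p)
        kvno = vno8
        if end - p >= 4:           # optional 32-bit kvno, authoritative when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        off = end
    return entries


def missing_keys(entries, wanted):
    """Return the (principal, enctype) pairs from `wanted` that the keytab lacks."""
    have = {(e.principal, e.enctype) for e in entries}
    return [w for w in wanted if w not in have]


def build_keytab(entries, hole=0):
    """Serialise entries in 0x0502 format; used only to construct sample data here."""
    out = bytearray(b"\x05\x02")
    if hole:                       # a deleted-entry record, to exercise the parser
        out += struct.pack(">i", -hole) + b"\x00" * hole
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1515599220, e.kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", e.enctype) + struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: a DC's CIFS service keys (RC4 + AES256) and a host key (AES128).
# Key bytes are placeholders, not real secrets.
SAMPLE_ENTRIES = [
    KeytabEntry("cifs/dc1.example.com@EXAMPLE.COM", 3, 23, bytes(range(16))),
    KeytabEntry("cifs/dc1.example.com@EXAMPLE.COM", 3, 18, bytes(range(32))),
    KeytabEntry("host/dc1.example.com@EXAMPLE.COM", 3, 17, bytes(range(16))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES, hole=8)


def report(data):
    """Listing of the keytab plus the AES check a Wireshark user wants to make."""
    entries = parse_keytab(data)
    lines = ["%-36s kvno=%d %s" % (e.principal, e.kvno, e.enctype_name()) for e in entries]
    aes = any(e.enctype in (17, 18) for e in entries)
    lines.append("AES keys present: %s" % ("yes" if aes else "no"))
    return lines


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    print("\n".join(report(data)))
```

Run it against the keytab you extracted (python3 inspect_keytab.py /path/to/keytab) and compare the listing with the enctype shown in the capture's AP-REQ or KRB-CRED; a missing AES entry, or a kvno that differs from the ticket's, explains a blob that Wireshark leaves encrypted before any of the patched-branch work above is relevant.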