Decrypt kerberos traffic with wireshark using exported keytab

asked 2019-07-26 08:15:04 +0000

Beit Dagan

Hey everyone,

For two days in a row now I have spent hours trying to decrypt Kerberos traffic using Wireshark.

For learning purposes, I want to be able to read the encrypted parts of tickets and authenticators inside Wireshark.

I know it's possible, and Wireshark supplies an option to import a keytab file.

I read about a tool named ktexport, but I searched all over and it is nowhere to be found.

So I tried ktpass, but it seems like it is not meant for that purpose, and it didn't work for me anyhow.

My last resort was Wireshark's Kerberos examples, which come with a keytab file, but they are not working either.

Can anyone help me?

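Wireshark reads the decryption keys from an MIT-format keytab, so when a capture stays encrypted the first thing to check is whether the keytab actually contains a key for the service principal, enctype and kvno that appear in the capture. The following is an added example, not code from the question or from Wireshark: it parses the keytab format and lists each live entry. The sample keytab bytes, the realm EXAMPLE.COM and the host/... principals are constructed for illustration.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) commonly found in keytabs
ENCTYPES = {1: "des-cbc-crc", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _read_cstr(buf, off):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) and return one dict per live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # negative size marks a deleted slot
        entry, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size < 0:
            continue
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _read_cstr(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cstr(entry, off)
            comps.append(c)
        # name_type, timestamp, 8-bit kvno, then the keyblock header (enctype, key length)
        _nt, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", entry, off)
        off += 13 + klen                                 # skip the key bytes themselves
        vno = vno8
        if len(entry) - off >= 4:                        # optional 32-bit kvno overrides vno8 when non-zero
            vno = struct.unpack_from(">I", entry, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno, "timestamp": ts,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": klen})
    return entries

def _cstr(s):
    return struct.pack(">H", len(s.encode())) + s.encode()
def build_entry(realm, comps, enctype, key, kvno, ts=0, deleted=False):
    """Serialize one keytab entry; used here only to construct the sample input below."""
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", -len(body) if deleted else len(body)) + body

# Constructed sample keytab (not from the page): an AES key, an RC4 key and one deleted slot
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("EXAMPLE.COM", ["host", "ws.example.com"], 18, b"\x11" * 32, 3, 1564128904)
    + build_entry("EXAMPLE.COM", ["host", "ws.example.com"], 23, b"\x22" * 16, 3, 1564128904)
    + build_entry("EXAMPLE.COM", ["host", "old.example.com"], 18, b"\x33" * 32, 1, deleted=True))
```

Run `parse_keytab(open("service.keytab", "rb").read())` on a real file and compare the principal, enctype and kvno of each entry against the ticket's sname, etype and kvno fields shown in the Wireshark Kerberos dissector; a mismatch in any of the three explains a silent decryption failure.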

Comments

The krb-816 capture from the Wiki page on Kerberos decrypts for me. What's your Wireshark version? Please post the info from Help -> About Wireshark -> Wireshark tab.

grahamb ( 2019-07-26 09:41:39 +0000 )

Tried that with 3.0.3 (32 bit) and with 3.0.0 (64 bit).

Beit Dagan ( 2019-07-26 09:46:17 +0000 )

Could you post the info I requested? It has more than just the version number.

grahamb ( 2019-07-26 10:03:20 +0000 )

Beit Dagan ( 2019-07-26 10:11:56 +0000 )

Thanks, looks like a release Windows 3.0 build with the expected crypto libs. I can't think why the krb-816 capture isn't working for you then; although I am using a dev 3.1 build, I don't think much, if anything, has changed in this area. Just to eliminate any doubt, could you try the brand new 3.1 dev release from here.

FYI, the text from the help dialog can be highlighted and copied to the clipboard and then pasted into a comment, rather than bothering with an image.

grahamb ( 2019-07-26 10:57:43 +0000 )

It works on my Kali machine. Do you know anything about ktexport?

Beit Dagan ( 2019-07-26 17:02:47 +0000 )

Just to confirm, the krb-816 capture decrypts on Kali? What Wireshark version is that?

grahamb ( 2019-07-27 11:27:20 +0000 )

Kali version info:

Version 2.6.3 (Git v2.6.3 packaged as 2.6.3-1) 

Copyright 1998-2018 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.11.1, with libpcap, with POSIX capabilities (Linux), with libnl 3, with GLib 2.56.1, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.5.19, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.32.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with SBC, with SpanDSP, without bcg729. 

Running on Linux 4 ...
Beit Dagan ( 2019-07-27 11:49:54 +0000 )