Decrypt kerberos traffic with wireshark using exported keytab
Hey everyone,
It has been two days in a row that I spend hours trying to decrypt kerberos traffic using wireshark.
For learning purposes, I want to be able to read the encrypted parts of tickets and authenticators inside of wireshark.
I know its possible and wireshark supply an option to import a keytab file.
I read about a tool named ktexport, but I searched all over and it is nowhere to be found.
So I tried ktpass, but it seems like it not meant for that purpose, and it didn't work for me anyhow.
My last resort was Wireshark's kerberos examples, that come with a keytab file, but they are not working either.
Can anyone help me?
The krb-816 capture from the Wiki page on Kerberos decrypts for me. What's your Wireshark version? Please post the info from Help -> About Wireshark -> Wireshark tab.
Tried that with 3.0.3 (32 bit) and with 3.0.0 (64 bit).
Could you post the info I requested, it has more than just the version number?
https://ibb.co/3vVyf4c
Thanks, looks like a release Windows 3.0 build with the expected crypto libs. I can't think why the krb-816 capture isn't working for you then, although I am using a dev 3.1 build, I don't think much if anything has changed in this area. Just to eliminate any doubt could you try the brand new 3.1 dev release from here.
FYI, the text from the help dialog can be highlighted and copied to the clipboard and then pasted into a comment, rather than bothering with an image.