Decrypt Kerberos traffic with Wireshark using exported keytab

asked 2019-07-26 08:15:04 +0000

Beit Dagan

Hey everyone,

For two days in a row now I have spent hours trying to decrypt Kerberos traffic using Wireshark.

For learning purposes, I want to be able to read the encrypted parts of tickets and authenticators inside of wireshark.

I know it's possible, and Wireshark supplies an option to import a keytab file.

I read about a tool named ktexport, but I searched all over and it is nowhere to be found.

So I tried ktpass, but it seems like it is not meant for that purpose, and it didn't work for me anyhow.

My last resort was Wireshark's kerberos examples, that come with a keytab file, but they are not working either.

Can anyone help me?

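Since the keytab's contents decide whether decryption can work at all, here is an added example (not from the original thread or from Wireshark itself) that parses an MIT-format keytab and reports, per entry, whether it matches the etype and kvno that a captured ticket's EncryptedData announces in cleartext. The realm, principal and all-zero keys are constructed sample values, and the build_keytab helper exists only to produce that input offline.

```python
import struct
# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def build_keytab(entries):
    """Serialise (realm, components, kvno, enctype, key) tuples as an MIT keytab, version 0x0502."""
    out = bytearray(b"\x05\x02")
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps))
        for s in (realm, *comps):              # realm first, then the name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)        # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return one dict per key entry: principal, kvno, enctype and key length."""
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size == 0: break                    # malformed trailer: stop instead of looping
        if size < 0: pos -= size; continue     # negative size marks a deleted slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                     # 32-bit kvno, when present and non-zero, wins
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno,
                        "enctype": enctype, "name": ENCTYPES.get(enctype, "unknown"), "key_len": klen})
    return entries

def keys_for(entries, enctype, kvno):
    """Entries usable for EncryptedData carrying these cleartext etype/kvno values; empty = cannot decrypt."""
    return [e for e in entries if e["enctype"] == enctype and e["kvno"] == kvno]

# Constructed sample: one host principal with an AES256 and an RC4 key (dummy all-zero key bytes).
SAMPLE_ENTRIES = [("EXAMPLE.COM", ["host", "srv01.example.com"], 3, 18, bytes(32)),
                  ("EXAMPLE.COM", ["host", "srv01.example.com"], 3, 23, bytes(16))]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
```

Run parse_keytab over a real keytab and compare its etype/kvno pairs with the ones Wireshark shows in the ticket's enc-part; if keys_for comes back empty for those values, the keytab cannot decrypt that capture regardless of Wireshark version.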


The krb-816 capture from the Wiki page on Kerberos decrypts for me. What's your Wireshark version? Please post the info from Help -> About Wireshark -> Wireshark tab.

grahamb (2019-07-26 09:41:39 +0000)

Tried that with 3.0.3 (32 bit) and with 3.0.0 (64 bit).

Beit Dagan (2019-07-26 09:46:17 +0000)

Could you post the info I requested? It has more than just the version number.

grahamb (2019-07-26 10:03:20 +0000)

Beit Dagan (2019-07-26 10:11:56 +0000)

Thanks, looks like a release Windows 3.0 build with the expected crypto libs. I can't think why the krb-816 capture isn't working for you then; although I am using a dev 3.1 build, I don't think much, if anything, has changed in this area. Just to eliminate any doubt, could you try the brand new 3.1 dev release from here.

FYI, the text from the help dialog can be highlighted and copied to the clipboard and then pasted into a comment, rather than bothering with an image.

grahamb (2019-07-26 10:57:43 +0000)