Ask Your Question
0

Kerberos decrypt shows error "missing keytype 18"

asked 2021-09-15 03:34:28 +0000

Vishnu G gravatar image

updated 2021-09-16 08:36:31 +0000

We are using Wireshark Version 3.4.8. The Wireshark filter is kerberos. The keytab file is specified in KRB5 protocol preference. Keytab file has the encryption type eTYPE-AES256-CTS-HMAC-SHA1-96(18). But while monitoring the Kerberos traffic "missing keytype 18" error shows. It seems wireshark not using the Keytab file. Please help

edit retag flag offensive close merge delete

Comments

Check the console output to see if the kerberos library spits out error information.

Jaap gravatar imageJaap ( 2021-09-16 09:12:11 +0000 )edit

Sorry, how can I check the console output?

Vishnu G gravatar imageVishnu G ( 2021-09-16 11:23:07 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2021-11-05 13:05:36 +0000

I am experiencing the same issue. I'm using FreeIPA in a test lab and have tried to use Wireshark both on macOS and Ubuntu 21.10 to decode the pcapng file, thinking maybe there is a difference in the Kerberos libraries used.

Here is the contents of my keytab file which was created with ipa-getkeytab

Keytab name: FILE:keytab.file
KVNO Principal
---- --------------------------------------------------------------------------
   3 [email protected] (aes256-cts-hmac-sha1-96)
   3 [email protected] (aes128-cts-hmac-sha1-96)
   2 krbtgt/[email protected] (aes256-cts-hmac-sha1-96)
   2 krbtgt/[email protected] (aes256-cts-hmac-sha384-192)
   2 krbtgt/[email protected] (camellia256-cts-cmac)
   2 krbtgt/[email protected] (aes128-cts-hmac-sha1-96)
   2 krbtgt/[email protected] (aes128-cts-hmac-sha256-128)
   2 krbtgt/[email protected] (camellia128-cts-cmac)

Here is what the Wireshark decode looks like

Kerberos
    as-rep
        pvno: 5
        msg-type: krb-as-rep (11)
        crealm: IDM.EXAMPLE.COM
        cname
        ticket
            tkt-vno: 5
            realm: IDM.EXAMPLE.COM
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: krbtgt
                    SNameString: IDM.EXAMPLE.COM
            enc-part
                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                kvno: 1
                cipher: ab1520301d815aa83c1d1d1a02f1582623d9e5d6146115d056e2aef3300ee335c9a26a2c…
                    Missing keytype 18 usage 2 (id=missing.1)
                        [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 (id=missing.1)]
                        [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            cipher: bf0a80b204b85200683176877c21d468093beeaab80f182250c1cf6fc6f4133cc77e2474…
                Missing keytype 18 usage 3 (id=missing.2)
                    [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 (id=missing.2)]
                    [Expert Info (Warning/Decryption): Used keymap=all_keys num_keys=10 num_tries=2)]
    Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)
        [Expert Info (Warning/Decryption): Missing keytype 18 usage 2 missing in frame 209 keytype 18 (id=missing.1 same=0) (00000000...)]
    Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)
        [Expert Info (Warning/Decryption): Missing keytype 18 usage 3 missing in frame 209 keytype 18 (id=missing.2 same=0) (00000000...)]

I launch Wireshark from a terminal and do not see any errors being reported.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-09-15 03:34:28 +0000

Seen: 533 times

Last updated: Sep 16 '21