
Wireshark-users: Re: [Wireshark-users] TShark -T fields and kerberos decryption - clean version

From: Nicolas BONNAND <nbonnand@xxxxxxx>
Date: Fri, 18 Sep 2009 17:59:37 +0200
Repost with the * mess removed - sorry


Hi,

I'm facing the same problem as Guy.

What I need:
-------------------

To write a perl script that uses tshark output to retrieve client name principals in kerberos AS-REQ packets in order to make stats and detect password attacks early. This script triggers an alarm if too many password attempts come from the same host.

In this case, I want to be informed what principal name was used.

I have:
-----------------------
- capture file with thousands of Kerberos AS-REQ packets.
- tshark 1.2.2
- perl
- linux

What I would like:
------------------------------

To have a tshark 3 columns output with: ipsource, ipdest and clientnameprincipal

( This output will be processed by a perl script. )

What my problem is:
------------------------------

When using tshark -T fields -e 'ip.src' -e 'ip.dst' -e 'kerberos.name_string', it seems, unfortunately, that the server name is displayed rather than the client name principal.

When I analyze my capture file with wireshark, I can see hundreds of client name principals. When I analyze my capture file with tshark -T fields -e 'kerberos.name_string', I can see none of them and get server names and realms instead ... :-(


I'm only able to see client name principals:
a) while using tshark -V
   but I don't want that option because it's far too verbose.
b) while using tshark -T fields -e 'kerberos.name_string' -w outputfile
   but client name principals are lost among binary stuff in outputfile
In both cases a) and b), the output data is not simple to parse.


By the way, in wireshark, whether I select "Kerberos AS_REQ/KDC_REQ_BODY/Server Name/Name" or "Kerberos AS_REQ/KDC_REQ_BODY/Client Name Principal/Name" and then click on "apply as filter", I can see that the filter has exactly the same name "kerberos.name_string" !!! As far as I understand, kerberos.name_string is not related to a particular field in the kerberos part; it simply means: match whatever string, wherever it is in the kerberos part.


My question is
--------------------

What is the most correct way, and what are the right tshark arguments to use, in order to catch client name principals with tshark? Is it possible to use some syntax looking like tshark -T fields -e 'kerberos[x:y]' to display only y bytes starting from byte x in the kerberos part of the packet?


Regards

Nicolas BONNAND





>From: j.snelders@xxxxxxxxxx
>Date: Sun, 19 Jul 2009 20:10:25 +0200
>
>
>    Hi Guy,
>
>    Are you looking for this:
> $ tshark -r dc3-dc4_Stream_8364.pcap -T fields -e kerberos.name_string |
>    sort | uniq
>
>    Output:
>    Administrator
>    added key in 4
>    added key in 5
>    woohoo decrypted keytype:23 in frame:4
>    woohoo decrypted keytype:23 in frame:5
>
>    HTH
>    Joan
>
>
>
>> On Sun, 19 Jul 2009 11:32:56 +0200 Guy Shtub wrote:
>> Hi,
>> I'm using TShark to capture SMB packets, using the "-T fields" flag to get
>> specific fields of the packets that interest me.
>> I'm able to decrypt kerberos (krb5) using a keytab file.
>> I cannot find a way to get the decrypted Client Name (Principal) when using
>> the -T fields option.
>> If I run TShark in verbose mode -V I can get the client name.
>> If I run it with -x mode to display all bytes, I get all the bytes encrypted
>> followed by all the bytes decrypted.
>>
>> Is there a way to get just the client name field decrypted with the -T
>> fields option?
>>
>> Regards,
>> Guy.



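The post-processing step Nicolas describes (count AS-REQ per source host and alarm above a threshold), as an added example that is not from this thread or the Wireshark project. It assumes tshark has been made to emit three tab-separated columns (ip.src, ip.dst, client principal); the field name for the client principal and the `-Y` display-filter flag shown in the comment are assumptions about a recent tshark, not about the 1.2.2 used in the post, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: flag source hosts sending a burst of Kerberos AS-REQs,
# the early-warning signal for password guessing that the post asks for.
#
# Assumed producer (recent tshark; field/flag names are assumptions):
#   tshark -r capture.pcap -Y 'kerberos.msg_type == 10' \
#     -T fields -E separator=/t -E occurrence=f \
#     -e ip.src -e ip.dst -e kerberos.CNameString | flag_as_req_bursts 20
# "occurrence=f" keeps only the first value when a field repeats in a packet,
# so each row stays a clean three-column record.

# flag_as_req_bursts THRESHOLD  (TSV rows on stdin: src<TAB>dst<TAB>principal)
# Prints one "count<TAB>src<TAB>principals-tried" line per host whose AS-REQ
# count is >= THRESHOLD, highest count first. Rows without a principal are
# skipped, since those are the server-name rows the post complains about.
flag_as_req_bursts() {
    thr="$1"
    awk -F '\t' -v thr="$thr" '
        NF >= 3 && $3 != "" {
            count[$1]++
            # remember each distinct principal tried from this host, in order seen
            if (!seen[$1, $3]++)
                names[$1] = (names[$1] == "") ? $3 : (names[$1] "," $3)
        }
        END {
            for (src in count)
                if (count[src] >= thr)
                    printf "%d\t%s\t%s\n", count[src], src, names[src]
        }' | sort -rn
}

# Constructed sample: one host hammering the KDC with several principals,
# one host with a single normal request.
SAMPLE_TSV=$(printf '10.0.0.5\t10.0.0.1\talice\n10.0.0.5\t10.0.0.1\tbob\n10.0.0.5\t10.0.0.1\tcarol\n10.0.0.5\t10.0.0.1\talice\n10.0.0.9\t10.0.0.1\tdave\n')

printf '%s\n' "$SAMPLE_TSV" | flag_as_req_bursts 3
```

Tune the threshold to the capture window; several distinct principals from one source is the pattern to look at first, while one principal repeated is often just a misconfigured client.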