I have been able to get the sample tracefiles from the Wiki
site to decrypt using version 1.0.2 (under Linux only, Windows Wireshark 1.0.2 doesn’t
seem to work with keytab sample files). But I’ve been having a heck
of a time getting keytab to work on my test environment with Wireshark.
No matter what I try, Wireshark won’t decrypt using what I think is a
valid keytab file. I am trying to analyze a Vista machine joining a
Server 2008 Domain. Nothing gets decrypted. I am using keypass that
ships with Server 2008. Here is the command I use to build the keytab
file.
ktpass /out adddn.keytab /princ CIFS/pete-srvr.kbstest.com@xxxxxxxxxxx
/pass * /mapuser chris@xxxxxxxxxxx
/crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
Targeting domain controller:
Pete-srvr.kbstest.com
Using legacy password setting
method
Successfully mapped
CIFS/pete-srvr.kbstest.com to chris.
Key created.
Output keytab to adddn1.keytab:
Keytab version: 0x502
keysize 89 CIFS/pete-srvr.kbstest.com@xxxxxxxxxxx
ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32
(0xf4ddfa2378316e2f63e590adc7c377a9aeef313f5eedba087ada9f9212375983)
Thanks, Chris
