Decrypt Kerberos/NTLM “encrypted stub data” in Wireshark
| Key | Action |
|---|---|
| K or space | Play / Pause |
| M | Mute / Unmute |
| C | Select next subtitles |
| A | Select next audio track |
| V | Show slide in full page or toggle automatic source change |
| left arrow | Seek 5s backward |
| right arrow | Seek 5s forward |
| shift + left arrow or J | Seek 10s backward |
| shift + right arrow or L | Seek 10s forward |
| control + left arrow | Seek 60s backward |
| control + right arrow | Seek 60s forward |
| shift + down arrow | Decrease volume |
| shift + up arrow | Increase volume |
| shift + comma | Decrease playback rate |
| shift + dot or shift + semicolon | Increase playback rate |
| end | Seek to end |
| beginning | Seek to beginning |
Share this media
HLS video stream
You can use an external player to play this stream (like VLC).
HLS video streamInformation on this media
Links:
Number of views:
94 (this month: 6)Creation date:
July 5, 2023Speakers:
Clément NotinLicense:
CC BY-SA v4Description
We often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC! But we are often interrupted in our enthusiasm by the payload dissected as “encrypted stub data”. Until we discover that Wireshark has a helpful feature to decrypt this traffic, which is protected by secrets derived from the prior Kerberos or NTLM authentication. We will briefly describe the theory and show in practice how to configure Wireshark, and fill the required keytab file, so this “encrypted stub data” gets decrypted. This feature will offer you more visibility into those protocols in your future network analysis sessions (security research, network forensics, etc.)
See also: Exercise files if you want to follow along or train yourself after the sessionClément Notin has been a cybersecurity engineer for around ten years.
He started as a pentester and auditor, first in a consulting company, then, for a global French industrial group.
He is now a researcher in Active Directory security for Tenable in order to contribute to the Tenable.ad product that allows to identify in real time the weaknesses of such environments and detect the attacks underway.
Other media in the channel "2023"
96 views, 3 this monthWhy cyberoffense will never be regulatedJuly 5th, 2023
23 views, 1 this monthUsing Suricata to detect lateral movement in Windows environmentJuly 5th, 2023
15 views, 2 this monthHow to survive to STIX parsing?July 5th, 2023
13 views, 1 this monthASN.1 templating for fun and profitJuly 5th, 2023
5 views, 1 this monthzekrom: an open-source library of arithmetization-oriented constructions for zkSNARK circuitsJuly 5th, 2023
37 views, 2 this monthPHP filter chains: How to use itJuly 5th, 2023