Kerberos is a service that provides mutual authentication between users and services in a network. It is popular both in Unix and Windows (Active Directory) environments.


Initially Kerberos was developed and deployed as part of the Athena project. This version of the Kerberos service and protocol was version 4. While Kerberos v4 still has limited use in AFS environments, it has largely been replaced by Kerberos v5 in all other environments.

There is no official specification for Kerberos v4 but Wireshark does support the "original" version of this protocol. Wireshark also has limited support for some extensions to Kerberos v4 which Transarc introduced for their AFS implementation.

Kerberos 5 is fully standardized and many implementations exist today. The most common implementations are Heimdal Kerberos, MIT Kerberos and Microsofts implementation used in W2K and later.

Kerberos was initially developed as a pure authentication system but is today also used to provide a transport for authorization data as well using extensions such as PKINIT/X.509 and Microsoft PAC structures.

Protocol dependencies

Example traffic


The Kerberos dissector is fully functional and can if compiled and linked with either Heimdal or MIT kerberos libraries decrypt Kerberos tickets given that a keytab file containing the shared secrets is provided. This support is available for Linux/Unix. Windows support for this feature was added in 0.99.3. This feature also provides decryption of several protocols using GSS-API and Kerberos such as LDAP and DCE/RPC.

You can refer to this tutorial: Decrypt Kerberos/NTLM “encrypted stub data” in Wireshark, or the steps below.

How to Create Keytab File

Various utilities can be used to create a keytab file on various OSes.


Both MIT and Heimdal Kerberos provide a tool called ktutil. It can be used to create a keytab file if you already know the principal's password or Kerberos key.

First example: the following commands create a keytab file for a user in a Windows domain if you know the password. Here the MIT version of ktutil is used.

ktutil: addent -password -p username/ -k <kvno> -e aes256-cts-hmac-sha1-96
ktutil: wkt ./keytab.file
ktutil: quit

AES256 is used by default in modern Windows environments. Use rc4-hmac for older environments (see the etype field to know the exact algorithm used).

Second example: this time creating a keytab file if you know the key, and using algorithm rc4-hmac because the key is actually the NT hash (see NTLMSSP)

$ ktutil
ktutil:  addent -p -k 1 -key -e rc4-hmac
Key for (hex): 5c4dbe6a8a44446f8d2899ff08ea14f2
ktutil:  wkt ins.keytab
ktutil:  q

A tool from Windows 2003 support tools, called ktpass.exe, can also create a keytab file. Please note that only the latest version from the Windows 2003 SP1 support tools supports RC4 keys. The below is an sample ktpass.exe command line dialog for exporting a computer account principal (note that resetting the password on a computer account of a machine joined to the domain could be bad - use ktexport.exe instead).

C:\temp> ktpass /out quark.keytab /mapuser quark$@FOO.NET /princ cifs/ /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
Targeting domain controller:
Using legacy password setting method
Successfully mapped cifs/ to quark$.
WARNING: Account quark$ is not a user account (uacflags=0x1021).
WARNING: Resetting quark$'s password may cause authentication problems if quark$ is being used as a server.

Reset quark$'s password [y/n]?  y
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to quark.keytab:
Keytab version: 0x502
keysize 64 cifs/ ptype 1 (KRB5_NT_PRINCIPAL) vno 3
etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)

The ktexport utility may be used to dump all RC4 keys on a Windows domain controller to a keytab file. This method may be superior to using ktpass.exe because it does not reset passwords. The ktexport package is just a modification of the pwdump2 program from Simply run ktexport.exe on the target domain controller. A sam.keytab file will be generated in the current directory. Unfortunately, aside from the RC4 keys, most of the other data in the keytab is WRONG. However, it turns out that Wireshark doesn't care. So the generated sam.keytab can be used with Wireshark to decrypt Kerberos tickets. Note that the ktexport.exe program will not run over Remote Desktop or similar but see REAME.ktexport for a workaround.


The NTDSXtract framework may be used to dump all Kerberos keys on a Windows Domain Controller to a keytab file. This method does not reset passwords and does not modify anything on Domain Controller. Unfortunately, aside from the Kerberos keys, most of the other data in the keytab is WRONG. However, it turns out that Wireshark doesn't care. See release notes in NTDSXtract distribution for further details.

To dump Kerberos keys follow the steps:

Specifying the keytab file to use

You can specify the filename of the keytab file to use in the KRB5 preferences (main menu, Edit menu, Preferences menu item, in the left tree of Preferences dialog expand Protocols, select KRB5 protocol, on the right panel specify Kerberos keytab file). You can also specify the keytab file(s) to load on the command line using the -K option. You can use this option multiple times to load multiple keytab files.

Limitations in older version of Wireshark (< 1.10.3):

There was a bug in the Windows version around 1.10.3. It is now fixed. For reference, you could only specify a filename and not a full path. This meant that you had to store the keytab file in the same directory as where your capture file was stored (which becomes the current working directory for wireshark) and then you specify just the keytab filename without the path.

Similarly, only 32-bit Windows version of Wireshark could decrypt Kerberos traffic around version 1.10.3. It is now fixed. For reference, 64-bit Windows version was compiled without Kerberos support. Open Wireshark About Dialog. In 64-bit version you could see see "Compiled (64-bit) ... without Kerberos ...".

Preference Settings

Example capture file

SampleCaptures/ Zip archive containing Kerberos traffic capture and keytab file.

SampleCaptures/ An example of Kerberos Delegation in Windows Active Directory. Keytab file is also included. Please use Wireshark 0.10.14 SVN 17272 or above to open the trace.

SampleCaptures/ An example of Kerberos constrained delegation (s4U2Proxy) in Windows 2003 domain.

Display Filter

A complete list of Kerberos display filter fields can be found in the display filter reference

Show only the Kerberos v5 traffic:


Show only the Kerberos v4 traffic:


Capture Filter

You cannot directly filter Kerberos protocols while capturing. However, if you know the port used (see above), you can filter on that one.

Capture Kerberos traffic over the default UDP port (88):

 udp port 88

Capture Kerberos traffic over the default TCP port (88):

 tcp port 88

External links



Imported from on 2020-08-11 23:15:46 UTC