Decrypt Kerberos/NTLM “encrypted stub data” in Wireshark
2023-07-05, 14:00–14:35 (Europe/Paris), Amphitheater

We often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC! But we are often interrupted in our enthusiasm by the payload dissected as “encrypted stub data”. Until we discover that Wireshark has a helpful feature to decrypt this traffic, which is protected by secrets derived from the prior Kerberos or NTLM authentication. We will briefly describe the theory and show in practice how to configure Wireshark, and fill the required keytab file, so this “encrypted stub data” gets decrypted. This feature will offer you more visibility into those protocols in your future network analysis sessions (security research, network forensics, etc.)

See also:

Clément Notin has been a cybersecurity engineer for around ten years.
He started as a pentester and auditor, first in a consulting company, then, for a global French industrial group.
He is now a researcher in Active Directory security for Tenable in order to contribute to the product that allows to identify in real time the weaknesses of such environments and detect the attacks underway.