Wireshark Kerberos decrypt shows error "missing keytype 18"

Time:09-24

When trying to decrypt Kerberos by using the keytab file, it shows the error "missing keytype 18". The keytab file has keytype 18.

CodePudding user response:

Based on the information you shared:

SPN: HOST/INTVMDC03.xxxx.com/xxxx.com.

Keytab entries:
1 [email protected] (18:AES256 CTS mode with HMAC SHA1-96)
1 [email protected] (17:AES128 CTS mode with HMAC SHA1-96)
1 [email protected] (20:AES256 CTS mode with HMAC SHA384-192)
1 [email protected] (19:AES128 CTS mode with HMAC SHA256-128)
1 [email protected] (16:DES3 CBC mode with SHA1-KD)
1 [email protected] (23:RC4 with HMAC)

There is no entry corresponding to the SPN being used inside your keytab.
What you need are SPN entries inside the keytab, not the UPN entries. Remember that the ticket is issued for the SPN and not the user principal name (UPN). Therefore, Kerberos looks inside the keytab for an entry for the SPN for which the ticket is issued.

Please generate a new keytab file and provide the SPN.
On Windows, you can use the ktpass command (usually works on Windows Server OS).

For example:

ktpass /out <filename> /princ <ServicePrincipalName> /mapuser <UserPrincipalName> /pass <UPN password> /crypto ALL /ptype KRB5_NT_PRINCIPAL /kvno 0