
capture ntlm traffic

Hi,

I searched the internet but could not find a clear example of how to capture and decode NTLM traffic.

I set up a capture filter as: src or dst port 135

However, the traffic is displayed as TCP, and I could not find NTLMSSP as an option to decode it as.

Is there a way to do this, or some other option/step?

Thanks

edabxv
asked 2020-05-26 19:10:05 +0000


1 Answer


Port 135 is for the DCE RPC Endpoint Mapper. If Wireshark isn't showing that as DCE RPC, either 1) it's being used for some other purpose or 2) Wireshark's heuristics for detecting DCE RPC traffic aren't working.

MS-RPC is Microsoft's version of DCE RPC; it can use NTLM for authentication, as can a number of other protocols, such as SMB. "NTLM" and "NTLMSSP" aren't, themselves, protocols running directly over TCP, in the sense that you can say "decode this TCP traffic as NTLM" or "decode this TCP traffic as NTLMSSP"; instead, NTLM provides a mechanism for several different protocols to use for authentication, and NTLMSSP runs atop protocols using it for authentication, not atop low-level transport protocols such as TCP.

Guy Harris
answered 2020-05-26 20:11:37 +0000
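As an added illustration of the answer's point (example code written for this page, not code from the question, the answer or the Wireshark project): because NTLMSSP is embedded in the carrier protocol's authentication fields rather than running over TCP itself, a detector has to look for the NTLMSSP signature inside whatever payload carries it (a DCE RPC bind, an SMB session setup, an HTTP header). The scanner below finds NTLMSSP messages in an opaque byte string and decodes the header fields defined in MS-NLMP (message type, negotiate flags, and for AUTHENTICATE the domain, user and workstation names); build_authenticate is a constructed helper that produces a minimal test message, not real captured traffic.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag bit

def _field(msg, off):
    """Decode an 8-byte (Len, MaxLen, BufferOffset) descriptor at 'off' and return the bytes it points to."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    return msg[buf_off:buf_off + length]

def parse_ntlmssp(msg):
    """Parse one NTLMSSP message (msg starts at the signature) into a dict, or None if it is not one."""
    if not msg.startswith(NTLMSSP_SIG) or len(msg) < 12:
        return None
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}.get(mtype, mtype)}
    if mtype == 1:    # NEGOTIATE: flags follow the message type directly
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif mtype == 2:  # CHALLENGE: TargetName descriptor, then flags, then the 8-byte server challenge
        info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["server_challenge"] = msg[24:32].hex()
    elif mtype == 3:  # AUTHENTICATE: six descriptors (LM, NT, Domain, User, Workstation, SessionKey), then flags
        info["flags"] = flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _field(msg, 28).decode(enc)
        info["user"] = _field(msg, 36).decode(enc)
        info["workstation"] = _field(msg, 44).decode(enc)
    return info

def find_ntlmssp(payload):
    """Scan an opaque carrier payload for embedded NTLMSSP messages and return the parsed headers."""
    found, pos = [], payload.find(NTLMSSP_SIG)
    while pos != -1:
        found.append(parse_ntlmssp(payload[pos:]))
        pos = payload.find(NTLMSSP_SIG, pos + len(NTLMSSP_SIG))
    return found

def build_authenticate(domain, user, workstation):
    """Constructed helper: a minimal AUTHENTICATE (Type 3) message with empty responses, for testing only."""
    bufs = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
            workstation.encode("utf-16-le"), b""]
    header_len = 64  # signature + type + six descriptors + flags
    msg, payload = NTLMSSP_SIG + struct.pack("<I", 3), b""
    for b in bufs:
        msg += struct.pack("<HHI", len(b), len(b), header_len + len(payload))
        payload += b
    return msg + struct.pack("<I", NEGOTIATE_UNICODE) + payload

if __name__ == "__main__":
    # Constructed sample: junk bytes standing in for a carrier PDU header, then the NTLMSSP blob.
    sample = b"\x05\x00\x0b" + b"\x00" * 20 + build_authenticate("CORP", "alice", "WS01")
    print(find_ntlmssp(sample))
```

With a real capture, the same scan can be run over the reassembled TCP payload of each stream, which is what Wireshark's NTLMSSP dissector does on top of the DCE RPC and SMB dissectors.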