Can Wireshark decrypt Windows RMI packets?
I am looking at a trace file with Windows RMI packets (HTTP on TCP port 5985). The client authenticates with an NTLMv2 hash. Clients usually connect to the service with one of two tools:
- The Windows Management Instrumentation Client, wmic.exe
- PowerShell, using the switch -ComputerName
GitHub has a nice Python script to decrypt the traffic. The script extracts WMI messages from a trace file and decodes them, as long as the trace holds only a single TCP connection.
Is anybody aware of a similar function in Wireshark?
And yes, I do have a trace file including the required password. Is https://wiki.wireshark.org/SampleCaptures still a good place to upload trace files?
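Added example, not part of the original post and not the GitHub script the question mentions: before attempting decryption it helps to read the NTLM AUTHENTICATE message that the client sends in its HTTP Authorization header on port 5985, since it shows which account is authenticating, whether the response is NTLMv2, and whether the session negotiated sealing (encrypted payloads) and key exchange. The header value, account and host names below are constructed for the demonstration.

```python
import base64
import struct

# NTLMSSP AUTHENTICATE_MESSAGE (type 3) layout per MS-NLMP 2.2.1.3.
SIG = b"NTLMSSP\x00"
FLAGS = {"UNICODE": 0x1, "SIGN": 0x10, "SEAL": 0x20,
         "EXT_SESSION_SEC": 0x80000, "KEY_EXCH": 0x40000000}

def _field(msg, off):
    """Read a Len/MaxLen/Offset descriptor at 'off'; return the bytes it points to."""
    length, _, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def parse_authenticate(header_value):
    """header_value is the HTTP 'Authorization: Negotiate <b64>' or 'NTLM <b64>' value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    start = token.find(SIG)  # the NTLMSSP blob may be wrapped in SPNEGO; locate it
    if start < 0:
        raise ValueError("no NTLMSSP token in header")
    msg = token[start:]
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & FLAGS["UNICODE"] else "ascii"
    nt_resp = _field(msg, 20)  # NTLMv1 responses are exactly 24 bytes; v2 are longer
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "ntlmv2": len(nt_resp) > 24,
        "sealed": bool(flags & FLAGS["SEAL"]),            # payloads are RC4-encrypted
        "key_exchange": bool(flags & FLAGS["KEY_EXCH"]),  # session key chosen by client
    }

def build_sample_header():
    """Constructed sample header for a lab account; not taken from a real capture."""
    flags = sum(FLAGS.values())
    parts = [b"",                                     # LM response (empty for NTLMv2)
             bytes(16) + b"\x01\x01" + bytes(46),     # NTProofStr + NTLMv2 blob
             "LAB".encode("utf-16-le"), "analyst".encode("utf-16-le"),
             "WS01".encode("utf-16-le"), bytes(16)]   # workstation, encrypted session key
    hdr, payload, base = b"", b"", 88                 # payload starts after Version + MIC
    for p in parts:
        hdr += struct.pack("<HHI", len(p), len(p), base + len(payload))
        payload += p
    msg = SIG + struct.pack("<I", 3) + hdr + struct.pack("<I", flags) + bytes(24) + payload
    return "Negotiate " + base64.b64encode(msg).decode()
```

Running it against the headers of a real capture (for example after `tshark -Y 'http.authorization' -T fields -e http.authorization`) tells you whether sealing was negotiated at all before you spend time on decryption.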