LDAP ntlmssp not decoding
Hi everyone. I have been trying to find an issue with a piece of software talking with our DCs in NTLM (I know.. sigh..) and I have pinned the problem down to an ldap_modify call. However, neither in Windows logs nor anywhere else can I see what it's trying to do.
I have taken several traces of the problem occurring but no matter how I turn and twist it, I can't get Wireshark to decrypt the LDAP traffic, although I understand that it should have been there since version 1.0, basically.
The traffic is going via port 389 and is using NTLMSSP. I see NTLMSSP_NEGOTIATE, NTLMSSP_CHALLENGE, and NTLMSSP_AUTH just fine - I see that it uses signing and Extended security.
However, when I select a packet after the bind (which is correctly marked "LDAP"), it shows me apparently encrypted raw bytes and the packet info only says "Lightweight Directory Access Protocol" below the TCP line, without a possibility to expand the node or further info.
I'm on 3.0.3 in my admin environment and I have tried the following: (note: validated that it behaves the same in 3.4.2)
- Adding a keytab file for the user authenticating against the DC for the bind with HMAC4 and one with all ciphers in
- Setting the "decode as" to LDAP
- Setting the "decode as" to ntlmssp
- Adding an NTLM password into the protocol options
I've been asking Dr Google till his (or her?) ears bled and I have no idea what I'm doing wrong. Can anybody give me a nudge in the right direction?
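A quick check worth doing before chasing keytabs and passwords: whether the NTLM bind actually negotiated sealing (NTLMSSP_NEGOTIATE_SEAL) or only signing. If the AUTHENTICATE message carries SEAL, every post-bind LDAP PDU is a 16-byte NTLMSSP signature followed by an RC4-encrypted payload, which is exactly the "raw bytes" described above; if only SIGN is set, the LDAP BER should still be readable behind the signature. The script below is an added example, not part of the post or of Wireshark; it decodes the NegotiateFlags field of each NTLMSSP message type per MS-NLMP (the flag offsets 12/20/60 are from that spec), and the two sample messages are constructed, not taken from a capture.

```python
import struct

# Subset of NegotiateFlags from MS-NLMP section 2.2.2.5 (bit value -> name).
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Byte offset of the 4-byte NegotiateFlags field, by MessageType
# (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE; MS-NLMP 2.2.1.1-2.2.1.3).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def parse_ntlmssp(blob: bytes) -> dict:
    """Return the message type and the decoded NegotiateFlags of one NTLMSSP message."""
    if blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message (bad signature)")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    off = FLAGS_OFFSET.get(msg_type)
    if off is None or len(blob) < off + 4:
        raise ValueError("unknown or truncated NTLMSSP message type %r" % msg_type)
    raw = struct.unpack_from("<I", blob, off)[0]
    names = {name for bit, name in NTLMSSP_FLAGS.items() if raw & bit}
    return {"type": MESSAGE_NAMES[msg_type], "raw_flags": raw, "flags": names}


def post_bind_protection(blob: bytes) -> str:
    """Classify how post-bind LDAP PDUs will appear on the wire, given the final flags."""
    flags = parse_ntlmssp(blob)["flags"]
    if "NEGOTIATE_SEAL" in flags:
        return "sealed"   # 16-byte NTLMSSP signature + RC4-encrypted LDAP payload
    if "NEGOTIATE_SIGN" in flags:
        return "signed"   # 16-byte NTLMSSP signature + plaintext LDAP BER
    return "plain"


# Constructed sample messages (hypothetical values, not from a real capture).
NEGOTIATE = b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + bytes(16)
AUTHENTICATE = b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(48) + struct.pack("<I", 0xE20882B7)
```

Feed it the raw bytes of the NTLMSSP blob Wireshark shows inside the bindRequest/bindResponse (Copy as Hex Stream on the "NTLM Secure Service Provider" node); a "sealed" result means a dissector can only show the LDAP operations if it can derive the session key, which is what the NTLMSSP password preference is for.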