capture ntlm traffic

asked 2020-05-26 19:10:05 +0000

edabxv


I searched the internet but could not find a clear example of how to capture and decode NTLM traffic.

I set up a capture filter as: src or dst port 135

However, the traffic is displayed as TCP, and I could not find NTLMSSP as an option to decode.

Is there a way? Or some other option/step?



1 Answer

answered 2020-05-26 20:11:37 +0000

Guy Harris

Port 135 is for the DCE RPC Endpoint Mapper. If Wireshark isn't showing that as DCE RPC, either 1) it's being used for some other purpose or 2) Wireshark's heuristics for detecting DCE RPC traffic aren't working.

MS-RPC is Microsoft's version of DCE RPC; it can use NTLM for authentication, as can a number of other protocols, such as SMB. "NTLM" and "NTLMSSP" aren't, themselves, protocols running directly over TCP, in the sense that you can say "decode this TCP traffic as NTLM" or "decode this TCP traffic as NTLMSSP"; instead, NTLM provides a mechanism for several different protocols to use for authentication, and NTLMSSP runs atop protocols using it for authentication, not atop low-level transport protocols such as TCP.

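To make the answer concrete, here is an added example (not code from the question, the answer, or the Wireshark project) of what "NTLMSSP runs atop other protocols" means in bytes. Every NTLM message starts with the signature "NTLMSSP\0" followed by a 32-bit message type (1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE), and it is carried as an opaque token inside SMB, DCE RPC, HTTP and others. The script builds a NEGOTIATE and an AUTHENTICATE message, embeds them in a constructed carrier payload (filler bytes stand in for the real SMB or DCE RPC headers), then scans the payload for the signature and decodes the message type and the domain, user and workstation strings from the AUTHENTICATE message. The message layouts follow MS-NLMP; the filler bytes, names and the minimal (challenge-response-free) AUTHENTICATE message are constructed test input, not a capture.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM/ASCII otherwise
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Smallest fixed-size header each message type can have (signature + type + fields).
MIN_HEADER = {1: 16, 2: 48, 3: 64}


def _field(buf, off):
    """Decode an NTLM 'security buffer' (Len, MaxLen, BufferOffset) and return its bytes.
    Offsets are relative to the start of the NTLM message, not the carrier packet."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")


def parse_ntlmssp(msg):
    """Parse one NTLMSSP message starting at msg[0]; returns a dict of the fields Wireshark
    would show in its NTLMSSP subtree (type, flags, names)."""
    if not msg.startswith(NTLMSSP_SIGNATURE) or len(msg) < 12:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if len(msg) < MIN_HEADER.get(mtype, 12):
        raise ValueError("truncated NTLMSSP message")
    info = {"type": mtype, "name": MESSAGE_NAMES.get(mtype, "UNKNOWN")}
    if mtype == 1:  # NEGOTIATE: flags at 12, DomainName/Workstation fields follow
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif mtype == 2:  # CHALLENGE: TargetName at 12, flags at 20, ServerChallenge at 24
        flags = struct.unpack_from("<I", msg, 20)[0]
        info["flags"] = flags
        info["target_name"] = _text(_field(msg, 12), flags)
        info["server_challenge"] = msg[24:32].hex()
    elif mtype == 3:  # AUTHENTICATE: Domain at 28, User at 36, Workstation at 44, flags at 60
        flags = struct.unpack_from("<I", msg, 60)[0]
        info["flags"] = flags
        info["domain"] = _text(_field(msg, 28), flags)
        info["user"] = _text(_field(msg, 36), flags)
        info["workstation"] = _text(_field(msg, 44), flags)
    return info


def find_ntlmssp(payload):
    """Scan an arbitrary carrier payload (SMB, DCE RPC, HTTP ...) for embedded NTLMSSP
    messages; returns a list of (offset_in_payload, parsed_fields)."""
    results = []
    pos = payload.find(NTLMSSP_SIGNATURE)
    while pos != -1:
        results.append((pos, parse_ntlmssp(payload[pos:])))
        pos = payload.find(NTLMSSP_SIGNATURE, pos + len(NTLMSSP_SIGNATURE))
    return results


def build_negotiate(flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Minimal NEGOTIATE (type 1) message: flags plus two empty security buffers."""
    hdr = bytearray(32)
    hdr[0:8] = NTLMSSP_SIGNATURE
    struct.pack_into("<I", hdr, 8, 1)
    struct.pack_into("<I", hdr, 12, flags)
    struct.pack_into("<HHI", hdr, 16, 0, 0, 32)  # DomainNameFields (empty)
    struct.pack_into("<HHI", hdr, 24, 0, 0, 32)  # WorkstationFields (empty)
    return bytes(hdr)


def build_authenticate(domain, user, workstation, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Minimal AUTHENTICATE (type 3) message with empty challenge responses. Constructed
    test input only: a real message also carries the NT/LM responses, session key and MIC."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    parts = [domain.encode(enc), user.encode(enc), workstation.encode(enc)]
    header_len = 88  # fixed part up to and including Version (8) and MIC (16)
    hdr = bytearray(header_len)
    hdr[0:8] = NTLMSSP_SIGNATURE
    struct.pack_into("<I", hdr, 8, 3)
    struct.pack_into("<HHI", hdr, 12, 0, 0, header_len)  # LmChallengeResponse (empty)
    struct.pack_into("<HHI", hdr, 20, 0, 0, header_len)  # NtChallengeResponse (empty)
    body = b""
    for field_off, part in zip((28, 36, 44), parts):  # Domain, User, Workstation
        struct.pack_into("<HHI", hdr, field_off, len(part), len(part), header_len + len(body))
        body += part
    struct.pack_into("<HHI", hdr, 52, 0, 0, header_len + len(body))  # EncryptedRandomSessionKey
    struct.pack_into("<I", hdr, 60, flags)
    return bytes(hdr) + body


# Constructed carrier payload: filler bytes stand in for the SMB / DCE RPC headers that
# normally precede the NTLMSSP token, then a NEGOTIATE and an AUTHENTICATE message.
SAMPLE_PAYLOAD = (b"\x00" * 24 + build_negotiate()
                  + b"\xff" * 16 + build_authenticate("CORP", "alice", "WS01"))

if __name__ == "__main__":
    for offset, fields in find_ntlmssp(SAMPLE_PAYLOAD):
        print(f"NTLMSSP {fields['name']} at payload offset {offset}: {fields}")
```

The scan is the same thing Wireshark's NTLMSSP dissector does once a carrier dissector (SMB, DCERPC, HTTP) hands it the authentication token, which is why there is no "decode TCP as NTLMSSP" option: get the carrier recognised first (for DCE RPC on a non-standard port, Analyze > Decode As... > DCERPC), and the display filter ntlmssp will then match the NTLM messages regardless of which protocol carries them.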

Last updated: May 26 '20