
LDAP ntlmssp not decoding

asked 2021-01-27 14:00:37 +0000

TheBrainSpecialist

updated 2021-01-28 10:47:56 +0000

Hi everyone. I have been trying to find an issue with a piece of software talking with our DCs in NTLM (I know.. sigh..) and I have pinned the problem down to an ldap_modify call. However, neither in Windows logs nor anywhere else can I see what it's trying to do.

I have taken several traces of the problem occurring but no matter how I turn and twist it, I can't get Wireshark to decrypt the LDAP traffic although I understand that it should have been there since version 1.0, basically.

The traffic is going via port 389 and is using NTLMSSP. I see NTLMSSP_NEGOTIATE, NTLMSSP_CHALLENGE, and NTLMSSP_AUTH just fine - I see that it uses signing and Extended security.

However, when I select a packet after the bind (which is correctly marked "LDAP"), it shows me apparently encrypted raw bytes and the packet info only says "Lightweight Directory Access Protocol" below the TCP line, without a possibility to expand the node or further info.

I'm on 3.0.3 in my admin environment and I have tried the following: (note: validated that it behaves the same in 3.4.2)

  1. Adding a keytab file for the user authenticating against the DC for the bind with HMAC4 and one with all ciphers in
  2. Setting the "decode as" to LDAP
  3. Setting the "decode as" to ntlmssp
  4. Adding an NTLM password into the protocol options

I've been asking Dr Google till his (or her?) ears bled and I have no idea what I'm doing wrong. Can anybody give me a nudge in the right direction?

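The symptom described above (LDAP after the bind showing as opaque bytes once signing and extended session security are negotiated) can be confirmed from the NTLMSSP NegotiateFlags themselves. The following is an added example, not code from the original post or from Wireshark: it parses the flags word out of an NTLMSSP NEGOTIATE, CHALLENGE or AUTHENTICATE message (offsets and bit values as documented in MS-NLMP; the sample message is constructed, not taken from a capture) and reports whether the post-bind LDAP PDUs will be sealed, only signed, or plain.

```python
import struct

# NegotiateFlags bits from MS-NLMP 2.2.2.5 (only the ones relevant here).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
# Byte offset of NegotiateFlags in each message type (MS-NLMP 2.2.1.1-2.2.1.3).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def parse_ntlmssp(msg: bytes) -> dict:
    """Return the message type, raw NegotiateFlags word and decoded flag names."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type not in FLAGS_OFFSET:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, FLAGS_OFFSET[msg_type])
    names = sorted(name for bit, name in NTLM_FLAGS.items() if flags & bit)
    return {"type": MESSAGE_NAMES[msg_type], "flags": flags, "names": names}

def post_bind_protection(flags: int) -> str:
    """What the LDAP PDUs after the SASL bind will look like on the wire."""
    if flags & 0x00000020:
        return "sealed"   # encrypted payload; a dissector needs the session key
    if flags & 0x00000010:
        return "signed"   # cleartext LDAP behind a 16-byte NTLMSSP signature
    return "none"         # plain LDAP, dissects as usual

# Constructed sample (not from a real capture): a NEGOTIATE message requesting
# sign + seal + extended session security + key exchange, flags 0xE0088237.
SAMPLE_NEGOTIATE = (
    b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", 0xE0088237)
    + b"\x00" * 16  # empty DomainNameFields and WorkstationFields
)

if __name__ == "__main__":
    info = parse_ntlmssp(SAMPLE_NEGOTIATE)
    print(info["type"], hex(info["flags"]), post_bind_protection(info["flags"]))
```

Feed it the NTLMSSP blob Wireshark shows inside the bind request/response; a "sealed" result means the bytes after the bind are encrypted by design, and only the negotiated session key (hence the NTLM password option) can make them dissectable.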

1 Answer


answered 2021-01-27 19:35:04 +0000

Chuckc

updated 2021-01-27 19:37:19 +0000

Existing open issue - 15128 Cannot parse some LDAP requests

Older closed issue 1148 with a different sample pcap.
(Available on Internet Archive)

3.0.3 is pretty old but I see the same issue in 3.4.2. You might add a comment to the open issue to bring it back to the top of the current issues.



Thanks for this note - however, the picture here is different - in this case, the packet "dump" shows cleartext data and we're in SASL. I have no cleartext in my packet display and am on a different security mode.

TheBrainSpecialist (2021-01-28 08:49:00 +0000)

Did you check the pcap for issue 1148? Or can you share one of your pcaps?

Chuckc (2021-01-28 21:10:28 +0000)
