Can Wireshark decrypt Windows RMI packets?

asked 2022-10-22 15:56:53 +0000

Eddi

updated 2022-10-22 16:03:58 +0000

I am looking at a trace file with Windows RMI packets (HTTP on TCP port 5985). The client authenticates with an NTLMv2 hash. Clients usually connect to the service with one of two tools:

  • The Windows Management Instrumentation Client, wmic.exe
  • PowerShell, using the switch -ComputerName

GitHub has a nice Python script to decrypt the traffic. The script extracts WMI messages from a trace file and decodes them, as long as the trace holds only a single TCP connection.

Is anybody aware of a similar function in Wireshark?

And yes, I do have a trace file including the required password. Is still a good place to upload trace files?



The location you mention for the capture file is as good as any.

You might be able to see the decrypted data if you capture via an ETW file, e.g. using netsh trace or the new MS tool PacketMon.

grahamb ( 2022-10-24 07:37:54 +0000 )
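The two host-side capture routes mentioned in the comment above, written out as an added example (not part of the original thread). Both commands are Microsoft's own tools; the file names, the port filter and the use of an elevated PowerShell session are assumptions made here. The comment only says that an ETW-based capture might expose the decrypted data, so treat the resulting file as something to inspect, not as a guaranteed plaintext view.

```powershell
# Added example: capture WinRM-style HTTP traffic (TCP 5985) on the Windows host
# itself, as suggested by the comment above. Run from an elevated PowerShell session.
# Paths and the filter name are assumptions for this example.

$OutDir = 'C:\Temp\winrm-capture'     # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Option 1: netsh trace (writes an ETW .etl file) ---------------------------
# capture=yes also records packets alongside the ETW provider events.
netsh trace start capture=yes tracefile="$OutDir\winrm-netsh.etl"

# ... reproduce the client connection here (wmic.exe or PowerShell -ComputerName) ...

netsh trace stop

# --- Option 2: Packet Monitor (pktmon), Windows 10 2004 / Server 2019 and later ---
pktmon filter remove                          # start from an empty filter list
pktmon filter add winrm-http -p 5985          # assumed filter name; match TCP/UDP port 5985
pktmon start --capture --pkt-size 0           # --pkt-size 0 keeps the full packet, not a truncated header

# ... reproduce the client connection here ...

pktmon stop

# Convert the pktmon ETL to a pcapng that Wireshark opens directly.
pktmon etl2pcap "$env:SystemRoot\System32\PktMon.etl" -o "$OutDir\winrm-pktmon.pcapng"

# Clean up the filter so it does not linger for the next capture.
pktmon filter remove

Get-ChildItem $OutDir
```

`netsh trace` output (.etl) can be converted with the same `pktmon etl2pcap` command, or opened in Microsoft Network Monitor / Message Analyzer style tools; the ETW provider events, rather than the packet bytes, are where any decrypted application data would surface, so look at those events as well as the pcapng.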