Can Wireshark decrypt Windows RMI packets?
I am looking at a trace file with Windows RMI packets (HTTP on TCP port 5985). The client authenticates with an NTLMv2 hash. Clients usually connect to the service with one of two tools:
- The Windows Management Instrumentation Client, wmic.exe
- PowerShell, using the switch -ComputerName
GitHub has a nice Python script to decrypt the traffic. The script extracts WMI messages from a trace file and decodes them, as long as the trace holds only a single TCP connection.
Is anybody aware of a similar function in Wireshark?
And yes, I do have a trace file including the required password. Is https://wiki.wireshark.org/SampleCapt... still a good place to upload trace files?
The location you mention for the capture file is as good as any.
You might be able to see the decrypted data if you capture via an ETW file, e.g. using netsh trace or the new MS tool PacketMon.
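A worked capture sequence for the ETW approach suggested in the answer above, added here as an example; it is not part of the original question or answer and not taken from Wireshark or Microsoft documentation. It assumes an elevated PowerShell session on a host that takes part in the WinRM session, that the folder C:\Temp\winrm-trace is a placeholder you can change, and that Microsoft's etl2pcapng converter and tshark are on PATH. Wireshark cannot open .etl files directly, so each option ends with a conversion to pcapng.

```powershell
# Added example (not from the page): record TCP 5985 traffic into an ETW trace
# with netsh trace or pktmon, then convert it for Wireshark.
# Assumptions: elevated PowerShell; $TraceDir is a placeholder; etl2pcapng and
# tshark are on PATH. Run the WinRM session from the other host while the
# capture is active, e.g. Invoke-Command -ComputerName <target> -ScriptBlock { hostname }

$TraceDir = 'C:\Temp\winrm-trace'   # assumed output folder
New-Item -ItemType Directory -Force -Path $TraceDir | Out-Null

# --- Option 1: netsh trace (present on every supported Windows version) ---
# capture=yes records the packets themselves; maxsize is in MB.
netsh trace start capture=yes tracefile="$TraceDir\winrm.etl" maxsize=256 overwrite=yes
Read-Host 'Reproduce the WinRM session now, then press Enter'
netsh trace stop

# netsh writes an ETL; convert it with Microsoft's etl2pcapng
# (https://github.com/microsoft/etl2pcapng, assumed to be on PATH).
etl2pcapng "$TraceDir\winrm.etl" "$TraceDir\winrm.pcapng"

# --- Option 2: Packet Monitor (pktmon, Windows 10 2004 / Server 2019 and later) ---
pktmon filter remove                       # start from a clean filter list
pktmon filter add WinRM -p 5985            # keep only traffic on port 5985
# Older Windows 10 builds spell the capture switch '--etw' instead of '--capture'.
pktmon start --capture --file-name "$TraceDir\pktmon.etl"
Read-Host 'Reproduce the WinRM session now, then press Enter'
pktmon stop
# Newer builds convert with 'etl2pcap'; the first pktmon releases called it 'pcapng'.
pktmon etl2pcap "$TraceDir\pktmon.etl" -o "$TraceDir\pktmon.pcapng"

# Sanity check with tshark (assumed on PATH): the HTTP POSTs to /wsman should
# appear on port 5985 in the converted file.
tshark -r "$TraceDir\winrm.pcapng" -Y 'tcp.port == 5985' -c 10
```

Both options give Wireshark a plain packet trace of the HTTP exchange on port 5985; whether the payload inside is readable still depends on what the ETW providers logged, so compare the converted file against the original trace before uploading it.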