Can Wireshark decrypt Windows RMI packets?

asked 2022-10-22 15:56:53 +0000

2379 ●8 ●48 ●59

updated 2022-10-22 16:03:58 +0000

I am looking at a trace file with Windows RMI packets (HTTP on TCP port 5985). The client authenticates with an NTLMv2 hash. Clients usually connect to the service with one of two tools:

The Windows Management Instrumentation Client, wmic.exe
Powershell, using the switch -ComputerName

Github has a nice Python script to decrypt the traffic. The script extracts WMI messages from a trace file and decodes them, as long as the trace holds only a single TCP connection.

Is anybody aware of a similar function in Wireshark?

And yes, I do have a trace file including the required password. Is https://wiki.wireshark.org/SampleCapt... still a good place to upload trace files?

edit retag flag offensive close merge delete

Comments

The location you mention for the capture file is as good as any.

You might be able to see the decrypted data if you capture via an ETW file, e.g. using netsh trace or the new MS tool PacketMon.

grahamb ( 2022-10-24 07:37:54 +0000 )edit

add a comment

Be the first one to answer this question!

Please start posting anonymously - your entry will be published after you log in or create a new account.

Can Wireshark decrypt Windows RMI packets?

Comments

Be the first one to answer this question!

Question Tools

Stats

Related questions

Can Wireshark decrypt Windows RMI packets? edit

Comments

Be the first one to answer this question!

Question Tools

Stats

Related questions

Can Wireshark decrypt Windows RMI packets?