Can Wireshark decrypt Windows RMI packets?

I am looking at a trace file with Windows RMI packets (HTTP on TCP port 5985). The client authenticates with an NTLMv2 hash. Clients usually connect to the service with one of two tools:

  • The Windows Management Instrumentation Client, wmic.exe
  • PowerShell, using the switch -ComputerName

GitHub has a nice Python script to decrypt the traffic. The script extracts WMI messages from a trace file and decodes them, as long as the trace holds only a single TCP connection.

Is anybody aware of a similar function in Wireshark?


And yes, I do have a trace file including the required password. Is https://wiki.wireshark.org/SampleCaptures still a good place to upload trace files?