How to decode traffic as NTLM protocol in Wireshark?


I'm not quite sure which ports NTLMSSP actually uses, but you could try this Lua script to register the NTLMSSP dissector on your custom port.

-- Look up the table that maps TCP ports to dissectors.
local tcp_port_table = DissectorTable.get("tcp.port")
-- Fetch whatever dissector is currently registered for port 445 (SMB over TCP).
local tcp_ntlmssp_dis = tcp_port_table:get_dissector(445)
-- Register that same dissector for the custom port (6901 from the question).
tcp_port_table:add(6901, tcp_ntlmssp_dis)

Save this to a file - e.g. ntlmssp.lua - and tell Wireshark to load it, e.g.

$ wireshark -X lua_script:ntlmssp.lua -r trace.pcap

You might have to change the port 445 to what's really needed or register additional ports by adding additional lines like tcp_port_table:get_dissector(4711). If you need UDP as well, do the same for UDP.
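As an added example that is not part of the original answer: a Lua dissector that scans the raw TCP payload on the custom port for the NTLMSSP signature and hands that slice to Wireshark's built-in ntlmssp dissector. That dissector normally runs nested inside a carrier protocol such as SMB, HTTP, LDAP or MSRPC, which is why it has no Decode As entry of its own; this script supplies the missing carrier. The port 6901 is the one from the question, and the protocol name ntlmcarrier is an assumed name chosen here.

```lua
-- Added example, not from the original answer.
-- Assumption: NTLM_PORT is the non-standard port from the question.
local NTLM_PORT = 6901
-- Every NTLMSSP message begins with this 8-byte signature.
local SIGNATURE = "NTLMSSP\0"

-- Assumed name for the wrapper protocol; it only exists to find and delegate.
local ntlm_carrier = Proto("ntlmcarrier", "Raw NTLMSSP carrier on custom port")
-- Wireshark's built-in NTLMSSP dissector, registered under the name "ntlmssp".
local ntlmssp_dis = Dissector.get("ntlmssp")

function ntlm_carrier.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    if len == 0 then return 0 end

    -- Plain (non-pattern) search for the signature anywhere in the segment.
    local start = string.find(tvb:raw(), SIGNATURE, 1, true)
    if not start then
        -- Not an NTLMSSP message: decline, so Wireshark treats it as data.
        return 0
    end
    -- Lua string positions are 1-based, Tvb offsets are 0-based.
    local offset = start - 1

    pinfo.cols.protocol = "NTLMSSP/raw"
    if offset > 0 then
        -- Show any carrier bytes that precede the NTLMSSP message.
        tree:add(ntlm_carrier, tvb(0, offset),
                 string.format("%d byte(s) of carrier data before NTLMSSP", offset))
    end
    -- Hand everything from the signature onward to the real dissector.
    ntlmssp_dis:call(tvb(offset):tvb(), pinfo, tree)
    return len
end

-- Register on the custom TCP port; repeat with "udp.port" if UDP is needed.
DissectorTable.get("tcp.port"):add(NTLM_PORT, ntlm_carrier)
```

Load it the same way as the script above (wireshark -X lua_script:ntlmcarrier.lua -r trace.pcap); packets on the port that carry no NTLMSSP signature are left undissected rather than misparsed as SMB.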

Author: Jury
Updated on September 18, 2022

Comments

  • Jury, over 1 year

    I'm trying to debug an NTLM authentication issue. One of my ideas was to capture the network traffic and look through it. In my case NTLM authentication is going over a non-standard port (6901). Of course, Wireshark can't detect it. But there is no NTLM (NTLMSSP) protocol in the list in the Decode As menu. I can't do it like here.
    Is there a way to ask Wireshark to decode traffic as NTLM?
    Or do I need to modify the captured traffic, e.g. change the TCP port or something else?

    • Marki555, almost 9 years
      Wireshark does support the NTLM SSP protocol: wireshark.org/docs/dfref/n/ntlmssp.html
    • Jury, almost 9 years
      It supports it, but how do I decode raw byte traffic as NTLM?
    • Michael Hampton, almost 9 years
      Have you got a very old version of Wireshark then?
    • Jury, almost 9 years
      I checked for updates right now again...
  • Doug, over 6 years
    I have been trying to get this to work, and have not been successful. What is the proper port for NTLMSSP? If this technique works, it doesn't appear it's 445, and I've tried a bunch of others.