
I'm trying to debug an NTLM authentication issue. One of my ideas was to capture the network traffic and look through it. In my case the NTLM authentication is going over a non-standard port (6901). Of course, Wireshark can't detect it. But there is no NTLM (NTLMSSP) protocol in the list in the Decode As menu, so I can't do it like here.
Is there a way to ask Wireshark to decode the traffic as NTLM?
Or do I need to modify the captured traffic, e.g. change the TCP port, or something else?

Jury

2 Answers


I'm not quite sure which ports NTLMSSP actually uses, but you could try this Lua script to register the NTLMSSP dissector on your custom port.

-- the table Wireshark consults to pick a dissector by TCP port
local tcp_port_table = DissectorTable.get("tcp.port")
-- take whatever dissector is currently registered for TCP port 445
local tcp_ntlmssp_dis = tcp_port_table:get_dissector(445)
-- and register that same dissector for the custom port from the question
tcp_port_table:add(6901, tcp_ntlmssp_dis)

Save this to a file - e.g. ntlmssp.lua - and tell Wireshark to load it, e.g.

$ wireshark -X lua_script:ntlmssp.lua -r trace.pcap

You might have to change the port 445 to what's really needed, or register additional ports by adding additional lines like tcp_port_table:get_dissector(4711). If you need UDP as well, do the same for UDP.

Alexander Janssen
  • I have been trying to get this to work, and have not been successful. What is the proper port for NTLMSSP? If this technique works, it doesn't appear it's 445, and I've tried a bunch of others. – Doug Jan 10 '18 at 15:07

Alexander Janssen's Lua script doesn't work because it gets the protocol by port number (445 - SMB/CIFS), but it can be altered to register the NTLMSSP dissector by name like this:

-- the table Wireshark consults to pick a dissector by TCP port
local tcp_port_table = DissectorTable.get("tcp.port")
-- look the NTLMSSP dissector up by its protocol name rather than by a port
local tcp_ntlmssp_dis = Dissector.get("ntlmssp")
-- register it for the custom port from the question
tcp_port_table:add(6901, tcp_ntlmssp_dis)

6901 is the port that the NTLMSSP service is running on. For protocols other than NTLMSSP, anything from the list at https://www.wireshark.org/docs/dfref/ should work instead of "ntlmssp".

I tested this successfully last week when analyzing traffic to a different custom NTLMSSP service.

womble
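The following script is an added example building on the by-name registration in the answer above; it is not code from either answer. It registers the ntlmssp dissector for a list of TCP and UDP ports and, in addition, installs a heuristic dissector so that a raw NTLMSSP token is recognised on any port: every NTLMSSP message begins with the 8-byte signature "NTLMSSP\0" followed by a 4-byte little-endian message type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE). The file name ntlmssp_anyport.lua, the extra port 6902 and the protocol name ntlmssp_heur are assumptions for illustration; 6901 is the port from the question. The caveat a practitioner should keep in mind: this only works when the NTLMSSP token sits at the very start of the TCP segment or UDP datagram. If NTLM is carried inside HTTP (base64 in Authorization/WWW-Authenticate headers) or inside a GSS-API/SPNEGO wrapper, register the wrapping protocol's dissector on the port instead, and that dissector will hand the token to ntlmssp itself.

```lua
-- ntlmssp_anyport.lua (added example; file name is an assumption)
-- Load with:  wireshark -X lua_script:ntlmssp_anyport.lua -r trace.pcap
--        or:  tshark -X lua_script:ntlmssp_anyport.lua -r trace.pcap -V

-- Dissector.get raises an error if the name is unknown, so a typo here
-- fails loudly at load time instead of silently decoding nothing.
local ntlmssp = Dissector.get("ntlmssp")

-- 1. Port-based registration for both TCP and UDP.
--    6901 is the port from the question; 6902 is an assumed extra port.
local ports = { 6901, 6902 }
for _, table_name in ipairs({ "tcp.port", "udp.port" }) do
    local port_table = DissectorTable.get(table_name)
    for _, port in ipairs(ports) do
        port_table:add(port, ntlmssp)
    end
end

-- 2. Heuristic registration: recognise the NTLMSSP token on any port.
--    A Proto object is needed only as the owner of the heuristic;
--    the name ntlmssp_heur is an assumption and must be unique.
local heur_proto = Proto.new("ntlmssp_heur", "NTLMSSP heuristic wrapper")

-- Check for the fixed header: "NTLMSSP\0" + little-endian message type 1..3.
local function looks_like_ntlmssp(tvb)
    if tvb:len() < 12 then
        return false
    end
    if tvb(0, 7):string() ~= "NTLMSSP" or tvb(7, 1):uint() ~= 0 then
        return false
    end
    local msg_type = tvb(8, 4):le_uint()
    return msg_type >= 1 and msg_type <= 3
end

-- Heuristic callback: return false to let other dissectors try the payload,
-- true after handing the buffer to the real ntlmssp dissector.
local function ntlmssp_heuristic(tvb, pinfo, tree)
    if not looks_like_ntlmssp(tvb) then
        return false
    end
    ntlmssp:call(tvb, pinfo, tree)
    return true
end

heur_proto:register_heuristic("tcp", ntlmssp_heuristic)
heur_proto:register_heuristic("udp", ntlmssp_heuristic)
```

With Wireshark's default TCP preferences, port-based dissectors are tried before heuristics, so on port 6901 the explicit registration decodes the traffic and the heuristic only matters for ports you did not list. If you see the frames still labelled as plain TCP, check the first bytes of the payload in the packet bytes pane: if they are not literally NTLMSSP followed by a zero byte, the token is wrapped in another protocol and that protocol's dissector is the one to register.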