Decryption of: DCE/RPC with NTLMSSP


I have a pcap containing DCE/RPC traffic with authentication over NTLMSSP at the beginning. Is it possible with Wireshark (or another tool) to decrypt the DCE/RPC communication, provided I have the NTLMSSP NT password? In the Wireshark protocol preferences I entered the NT Password under the NTLMSSP tab, but in the DCE/RPC packets I still see "Encrypted stub data" instead of decrypted content...


There is 1 answer

cnotin

Yes, it is possible using the "NT Password" setting you noticed in the NTLMSSP protocol preferences.

Just make sure to use the cleartext password (and not its NTLM hash). Also, only ASCII passwords are supported according to the source code (function str_to_unicode).

This was not documented yet so I created the NTLMSSP page on the Wireshark wiki and as I described in this