Is there a way to configure Wireshark to capture NT4 cryptography logon attempts? We are in the final steps before upgrading our Active Directory environment and we want to identify and decommission any outdated boxes without reducing the security level of our environment. Any help would be appreciated.
asked 18 Aug '11, 16:30 worldzfree
One Answer:
What exactly do you mean by "NT4 cryptography logon attempt"? SMB sessions are established in multiple phases. The general workflow is this:

Establish TCP session -> Establish NetBIOS session -> Negotiate Protocol -> Session Setup

Note that NT4 and older systems will only use TCP port 139, while newer systems also use TCP port 445. When using TCP port 445, no extra packets are exchanged to establish a NetBIOS session.

The multitude of authentication methods is negotiated during the session setup, which is found with the Wireshark filter smb.cmd == 0x73

Lucky for you, operating systems can be identified in the early phases of session setup. Wireshark displays the operating system in the field smb.native_lanman

One easy way to identify all the operating systems observed at your capture point is this handy spell:
If you are running under Linux/Unix you can pipe the output to a sort command:
Voila. HTH, good hunting!
answered 20 Aug '11, 03:22 packethunter
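The answer above names the pieces (the smb.cmd == 0x73 filter, the smb.native_lanman field, and a sort) but the page does not carry the command itself. The following is an added example written for this page, not packethunter's original spell: it uses tshark to pull the Native OS and Native LAN Manager strings out of every Session Setup AndX exchange, counts the distinct (host, OS, LAN Manager) triples, and lists the hosts whose strings identify an NT4-era stack. The capture file name and the legacy-string patterns are assumptions; the embedded sample rows are constructed to mirror tshark's tab-separated output so the script runs without a capture.

```shell
#!/bin/sh
# Added example for this page (not the original answer's command).
# Assumes tshark is installed; the capture path is supplied by the caller.

# One line per SMB Session Setup AndX packet (smb.cmd == 0x73) that carries a
# Native LAN Manager string: source IP, Native OS, Native LAN Manager, tab separated.
smb_os_fields() {
  tshark -r "$1" -Y 'smb.cmd == 0x73 && smb.native_lanman' \
    -T fields -e ip.src -e smb.native_os -e smb.native_lanman \
    -E separator=/t -E occurrence=f
}

# Count distinct (host, OS, LAN Manager) triples, most frequent first.
# This is the "pipe the output to a sort command" step from the answer.
summarize_os() {
  sort | uniq -c | sort -rn
}

# Keep only hosts whose strings identify an NT4-era SMB stack.
# Assumption: NT4 announces "NT LAN Manager 4.0" and Windows 9x announces
# "Windows 4.0"; adjust the patterns to what your own capture shows.
legacy_hosts() {
  awk -F'\t' '$3 ~ /^NT LAN Manager 4\.0/ || $2 ~ /^Windows 4\.0/ { print $1 }' | sort -u
}

# Constructed sample rows in tshark's -T fields layout, used when no capture is given.
sample_tshark_output() {
  printf '10.0.0.5\tWindows NT 1381\tNT LAN Manager 4.0\n'
  printf '10.0.0.9\tWindows 2002 Service Pack 3 2600\tWindows 2002 5.1\n'
  printf '10.0.0.5\tWindows NT 1381\tNT LAN Manager 4.0\n'
  printf '10.0.0.7\tWindows 4.0\tWindows 4.0\n'
}

# Run on a real capture if one is named, otherwise on the constructed sample.
if [ -n "${1:-}" ]; then
  rows="$(smb_os_fields "$1")"
else
  rows="$(sample_tshark_output)"
fi

echo "--- operating systems seen at the capture point ---"
printf '%s\n' "$rows" | summarize_os
echo "--- hosts still speaking NT4-era SMB ---"
printf '%s\n' "$rows" | legacy_hosts
```

Run it as "sh smb_os_inventory.sh capture.pcap" at the capture point; because Session Setup AndX is only seen on the wire, run the capture on a span port or on the domain controllers themselves so that logons from every subnet pass through it.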