This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capturing nt4 cryptography logon attempts?

0

Is there a way to configure Wireshark to capture NT4 cryptography logon attempts? We are in the final steps before upgrading our Active Directory environment and we want to identify and decommission any outdated boxes without reducing the security level of our environment. Any help would be appreciated.

asked 18 Aug '11, 16:30

worldzfree
accept rate: 0%


One Answer:

0

What exactly do you mean by "NT4 cryptography logon attempt"?

SMB sessions are established in multiple phases. The general workflow is this:

Establish TCP session -> Establish NetBIOS session -> Negotiate Protocol -> Session setup

Note that NT4 and older systems will only use TCP port 139 while newer systems also use TCP port 445. When using TCP port 445 no extra packets are exchanged to establish a NetBIOS session.

The multitude of authentication methods is negotiated during the session setup, which is found with the Wireshark filter smb.cmd == 0x73.

Lucky for you, operating systems can be identified in the early phases of session setup. Wireshark displays the operating system in the field smb.native_lanman.

One easy way to identify all the operating systems observed at your capture point is this handy spell:

tshark -r myfile.pcap -R "smb.cmd==0x73 and smb.native_lanman" -Tfields -e ip.src -e smb.native_lanman

If you are running under Linux/Unix you can pipe the output to a sort command:

tshark -r myfile.pcap -R "smb.cmd==0x73 and smb.native_lanman" -Tfields -e ip.src -e smb.native_lanman | sort | uniq -c

Voila.

HTH, good hunting!

answered 20 Aug '11, 03:22

packethunter
accept rate: 8%
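As an added example (not part of the original thread or of Wireshark's own tooling), the script below does in Python what the answer's sort | uniq -c pipeline does, and goes one step further for the asker's decommissioning goal: it parses the tab-separated output of the tshark command above, builds a per-OS host inventory, and lists the hosts whose NativeLanMan string marks them as NT4. The sample tshark output and the IP addresses are constructed; the assumption that NT4 announces itself as "NT LAN Manager 4.0" in smb.native_lanman is mine and the marker tuple should be extended with whatever legacy strings appear in your own capture.

```python
from collections import defaultdict

# Constructed sample of what the tshark command in the answer prints with
# -Tfields -e ip.src -e smb.native_lanman: one tab-separated line per
# Session Setup AndX request or response. All values are made up.
SAMPLE_TSHARK_OUTPUT = """\
10.0.1.15\tNT LAN Manager 4.0
10.0.1.20\tWindows 2000 LAN Manager
10.0.1.15\tNT LAN Manager 4.0
10.0.1.31\tWindows 2002 5.1
10.0.1.40\tSamba 3.0.28
10.0.1.2\tWindows Server 2003 5.2
garbage line without a tab
10.0.1.15\tNT LAN Manager 4.0
"""

# Substrings in NativeLanMan that identify a pre-Windows-2000 SMB stack.
# Assumption for this example: NT4 reports "NT LAN Manager 4.0". Extend
# the tuple with other legacy strings observed at your capture point.
LEGACY_LANMAN_MARKERS = ("NT LAN Manager 4.0",)


def parse_tshark_fields(text):
    """Turn tshark -Tfields output into a list of (ip, native_lanman) tuples.

    Lines that do not have exactly two non-empty tab-separated fields are
    skipped; this covers blank lines and frames where the field was absent.
    """
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2:
            continue
        ip, lanman = parts[0].strip(), parts[1].strip()
        if ip and lanman:
            records.append((ip, lanman))
    return records


def build_inventory(records):
    """Map each NativeLanMan string to the sorted list of hosts that sent it.

    ip.src is the sender of the Session Setup AndX message, so clients
    (requests) and servers (responses) both end up in the inventory, which
    is exactly what a decommissioning sweep needs.
    """
    inventory = defaultdict(set)
    for ip, lanman in records:
        inventory[lanman].add(ip)
    return {lanman: sorted(ips) for lanman, ips in inventory.items()}


def legacy_hosts(inventory, markers=LEGACY_LANMAN_MARKERS):
    """Return the sorted hosts whose LanMan string contains a legacy marker."""
    hits = set()
    for lanman, ips in inventory.items():
        if any(marker.lower() in lanman.lower() for marker in markers):
            hits.update(ips)
    return sorted(hits)


if __name__ == "__main__":
    inv = build_inventory(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT))
    # Same shape as the answer's "sort | uniq -c", but counting distinct hosts.
    for lanman, ips in sorted(inv.items()):
        print(f"{len(ips):3d}  {lanman:28s} {', '.join(ips)}")
    print("legacy hosts to decommission:", ", ".join(legacy_hosts(inv)))
```

To run it against a real capture, feed the tshark output in on stdin (for example `tshark ... | python3 this_script.py` with `sys.stdin.read()` in place of the sample string); counting distinct hosts rather than packets keeps a chatty NT4 box from looking like three machines.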