This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a way to configure Wireshark to capture NT4 cryptography logon attempts? We are in the final steps before upgrading our Active Directory environment and we want to identify and decommission any outdated boxes without reducing the security level of our environment. Any help would be appreciated.

asked 18 Aug '11, 16:30

worldzfree


What exactly do you mean with "NT4 cryptography logon attempt"?

SMB sessions are established in multiple phases. The general workflow is this:

Establish TCP session -> Establish NetBIOS session -> Negotiate Protocol -> Session setup

Note that NT4 and older systems will only use TCP port 139 while newer systems also use TCP port 445. When using TCP port 445 no extra packets are exchanged to establish a NetBIOS session.

The multitude of authentication methods is negotiated during the session setup, which is found with the Wireshark filter smb.cmd == 0x73

Lucky for you, operating systems can be identified in the early phases of session setup. Wireshark displays the operating system in the field smb.native_lanman

One easy way to identify all the operating systems observed at your capture point is this handy spell:

tshark -r myfile.pcap -R "smb.cmd==0x73 and smb.native_lanman" -Tfields -e ip.src -e smb.native_lanman

If you are running under Linux/Unix you can pipe the output to a sort command:

tshark -r myfile.pcap -R "smb.cmd==0x73 and smb.native_lanman" -Tfields -e ip.src -e smb.native_lanman | sort | uniq -c

voila.

Hth, Good hunting!


answered 20 Aug '11, 03:22

packethunter
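To turn the tshark pipeline above into a per-host inventory, here is an added Python example (not part of the original answer) that tallies the smb.native_lanman string each client sent during Session Setup AndX and flags hosts whose dialect string looks pre-Windows-2000. The legacy patterns and the sample tshark output are assumptions, and run_tshark uses the current -Y display-filter flag where the 2011 answer used -R.

```python
#!/usr/bin/env python3
"""Tally the 'Native LAN Manager' string each client advertised in SMB
Session Setup AndX (smb.cmd == 0x73), from tshark -T fields output."""
import re
import subprocess
from collections import Counter, defaultdict

# Assumed dialect strings of pre-Windows-2000 SMB clients (NT4 sends
# "NT LAN Manager 4.0", Win9x sends "Windows 4.0"); adjust to your capture.
LEGACY_LANMAN = re.compile(r"NT LAN Manager 4\.0|^LANMAN|^Windows 4\.0", re.I)

def tally_lanman(tshark_lines):
    """Map each source IP to a Counter of the LAN Manager strings it sent.
    Input lines are 'ip.src<TAB>smb.native_lanman' as printed by tshark."""
    hosts = defaultdict(Counter)
    for line in tshark_lines:
        line = line.rstrip("\r\n")
        if "\t" not in line:
            continue
        ip, lanman = line.split("\t", 1)
        if lanman.strip():          # skip frames where the field was empty
            hosts[ip.strip()][lanman.strip()] += 1
    return hosts

def legacy_hosts(hosts):
    """Sorted IPs that advertised at least one legacy dialect string."""
    return sorted(ip for ip, seen in hosts.items()
                  if any(LEGACY_LANMAN.search(s) for s in seen))

def run_tshark(pcap):
    """Run the answer's tshark command on a pcap (path is your own) and tally."""
    cmd = ["tshark", "-r", pcap, "-Y", "smb.cmd==0x73 and smb.native_lanman",
           "-T", "fields", "-e", "ip.src", "-e", "smb.native_lanman"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return tally_lanman(out.splitlines())

# Constructed sample of tshark output, not taken from a real capture.
SAMPLE = [
    "10.0.0.5\tNT LAN Manager 4.0",
    "10.0.0.5\tNT LAN Manager 4.0",
    "10.0.0.7\tWindows 2000 LAN Manager",
    "10.0.0.9\tWindows 7 Professional 6.1",
    "10.0.0.9\t",
]

if __name__ == "__main__":
    tally = tally_lanman(SAMPLE)
    for ip in legacy_hosts(tally):
        print(ip, dict(tally[ip]))    # prints: 10.0.0.5 {'NT LAN Manager 4.0': 2}
```

Feed it live data with `run_tshark("capture.pcap")` instead of SAMPLE; hosts that only ever speak on TCP 139 are another hint worth cross-checking, as the answer notes.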

question asked: 18 Aug '11, 16:30

question was seen: 3,150 times

last updated: 20 Aug '11, 03:22
