How and where do I find an incorrect password was provided in a capture file? I do not need to know the password, but just what to look for to know for sure an incorrect password was given.
asked 08 Mar '17, 12:43 neilinpa
One Answer:
That totally depends on the protocol and the application. So you need to find out how the protocol transports the password, and then try to find it. These days, chances are that the protocol is using some sort of encryption to transfer passwords, in which case you won't be able to see it.
answered 08 Mar '17, 12:47 Jasper ♦♦
The only protocols (there is a heading in the capture file) listed are TCP and SMB. I do not necessarily want to see what the password actually is, just where it failed in the capture.
SMB doesn't transfer readable passwords, it uses password hashes. You need to look for SMB return codes telling you that a request failed, e.g. by looking at the "NT Status" fields in the SMB header.
Thanks, I found the line: NT Status: STATUS_LOGON_FAILURE (0XC000006D)
Then I googled that and found: The potential causes for this
a. Verify you are using the correct username or password
So my question has been answered. Thanks for the help, Jasper.
Great, glad to be of help. You could accept the answer using the checkmark button to the left of it, so others can see it was the one that helped ;-)
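The check described in the comments above (read the "NT Status" field in the SMB header and look for STATUS_LOGON_FAILURE), as an added example that is not part of the original thread. It goes slightly beyond the thread by handling SMB2 headers as well as SMB1; the function names and the sample headers are constructed for illustration, and each message is assumed to have its 4-byte NetBIOS/TCP length prefix already removed.

```python
import struct

STATUS_LOGON_FAILURE = 0xC000006D
SMB1_SESSION_SETUP_ANDX = 0x73   # SMB1 command code
SMB2_SESSION_SETUP = 0x0001      # SMB2 command code

def parse_response(msg: bytes):
    """Return (dialect, command, nt_status) for an SMB response, else None."""
    if msg[:4] == b"\xffSMB" and len(msg) >= 32:
        command, status, flags, flags2 = struct.unpack_from("<BIBH", msg, 4)
        # flags 0x80 = server reply; flags2 0x4000 = status holds an NT status code
        if flags & 0x80 and flags2 & 0x4000:
            return ("SMB1", command, status)
    elif msg[:4] == b"\xfeSMB" and len(msg) >= 64:
        status, command = struct.unpack_from("<IH", msg, 8)
        (flags,) = struct.unpack_from("<I", msg, 16)
        if flags & 0x1:  # server-to-client response
            return ("SMB2", command, status)
    return None

def is_failed_logon(msg: bytes) -> bool:
    parsed = parse_response(msg)
    if parsed is None:
        return False
    dialect, command, status = parsed
    setup = SMB1_SESSION_SETUP_ANDX if dialect == "SMB1" else SMB2_SESSION_SETUP
    return command == setup and status == STATUS_LOGON_FAILURE

def smb1(command, status, flags=0x80, flags2=0xC001):
    # Hypothetical helper: builds a bare 32-byte SMB1 header for the samples
    return b"\xffSMB" + struct.pack("<BIBH", command, status, flags, flags2) + bytes(20)

def smb2(command, status, flags=0x1):
    # Hypothetical helper: builds a bare 64-byte SMB2 header for the samples
    return b"\xfeSMB" + struct.pack("<HHIHHI", 64, 0, status, command, 1, flags) + bytes(44)

# Constructed sample headers (not taken from a real capture)
SAMPLES = [
    smb1(0x73, 0xC000006D),           # SMB1 session setup reply, logon failure
    smb1(0x73, 0xC000006D, flags=0),  # request direction: status is not a result
    smb2(0x0001, 0xC0000016),         # STATUS_MORE_PROCESSING_REQUIRED, normal NTLM step
    smb2(0x0001, 0xC000006D),         # SMB2 session setup reply, logon failure
    smb2(0x0001, 0x00000000),         # STATUS_SUCCESS
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES):
        print(i, parse_response(m), "FAILED LOGON" if is_failed_logon(m) else "")
```

In Wireshark itself the same test is the display filter `smb.nt_status == 0xc000006d`, or `smb2.nt_status == 0xc000006d` for SMB2 traffic.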