This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Find bad password attempt in capture file


How and where do I find an incorrect password was provided in a capture file? I do not need to know the password, but just what to look for to know for sure an incorrect password was given.

asked 08 Mar '17, 12:43

neilinpa


One Answer:


That totally depends on the protocol and the application. So you need to find out how the protocol transports the password, and then try to find it. These days, chances are that the protocol is using some sort of encryption to transfer passwords, in which case you won't be able to see it.

answered 08 Mar '17, 12:47

Jasper ♦♦

The only protocols (there is a heading in the capture file) listed are TCP and SMB. I do not necessarily want to see what the password actually is, just where it failed in the capture.

(08 Mar '17, 12:55) neilinpa

SMB doesn't transfer readable passwords, it uses password hashes. You need to look for SMB return codes telling you that a request failed, e.g. by looking at the "NT Status" fields in the SMB header.

(08 Mar '17, 12:59) Jasper ♦♦

Thanks, I found the line: NT Status: STATUS_LOGON_FAILURE (0XC000006D)
Then I googled that and found: The potential causes for this

  1. An invalid username and/or password was used

     a. Verify you are using the correct username or password

So my question has been answered. Thanks for the help, Jasper.

(08 Mar '17, 13:16) neilinpa

Great, glad to be of help. You could accept the answer using the checkmark button to the left of it, so others can see it was the one that helped ;-)

(08 Mar '17, 13:20) Jasper ♦♦
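
The check described in this thread, as an added example that is not part of the original Q&A: it reads the NT Status field from SMB1 and SMB2 headers in TCP payloads and reports Session Setup responses carrying STATUS_LOGON_FAILURE. The function names and the sample payloads are constructed for illustration; the payloads are assumed to be reassembled TCP data with the 4-byte NetBIOS session prefix.

```python
import struct

STATUS_LOGON_FAILURE = 0xC000006D      # the NT Status value quoted in the thread
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SESSION_SETUP = {"SMB1": 0x73, "SMB2": 0x0001}   # Session Setup command codes

def parse_smb_status(payload):
    """Return (dialect, command, is_response, nt_status), or None if not SMB."""
    if len(payload) < 4 or payload[0] != 0x00:   # 0x00 = NetBIOS session message
        return None
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB1_MAGIC and len(msg) >= 32:
        # SMB1 header: command at offset 4, NT Status at 5, flags at 9
        command, status, flags = struct.unpack_from("<BIB", msg, 4)
        return "SMB1", command, bool(flags & 0x80), status
    if msg[:4] == SMB2_MAGIC and len(msg) >= 64:
        # SMB2 header: NT Status at offset 8, command at 12, flags at 16
        status, command, _credits, flags = struct.unpack_from("<IHHI", msg, 8)
        return "SMB2", command, bool(flags & 0x1), status
    return None

def failed_logons(payloads):
    """Indexes of Session Setup responses that carry STATUS_LOGON_FAILURE."""
    hits = []
    for i, payload in enumerate(payloads):
        parsed = parse_smb_status(payload)
        if parsed is None:
            continue
        dialect, command, is_response, status = parsed
        is_setup_reply = is_response and command == SESSION_SETUP[dialect]
        if is_setup_reply and status == STATUS_LOGON_FAILURE:
            hits.append(i)
    return hits

def _smb1(status, flags=0x80):         # constructed 32-byte SMB1 header
    hdr = SMB1_MAGIC + struct.pack("<BIB", 0x73, status, flags)
    return b"\x00\x00\x00\x20" + hdr + bytes(22)

def _smb2(status, flags=0x1):          # constructed 64-byte SMB2 header
    hdr = struct.pack("<4sHHIHHI", SMB2_MAGIC, 64, 0, status, 0x0001, 1, flags)
    return b"\x00\x00\x00\x40" + hdr + bytes(44)

# Constructed sample payloads (headers only, not taken from a real capture)
SAMPLES = [
    _smb2(0xC0000016),                      # STATUS_MORE_PROCESSING_REQUIRED, normal mid-handshake
    _smb2(STATUS_LOGON_FAILURE),            # SMB2 failed logon
    _smb1(STATUS_LOGON_FAILURE),            # SMB1 failed logon
    _smb2(STATUS_LOGON_FAILURE, flags=0x0), # request direction, not a server reply
]
```

In Wireshark itself the equivalent check is the display filter `smb.nt_status == 0xc000006d || smb2.nt_status == 0xc000006d`.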