Wireshark-users: [Wireshark-users] Need help in understanding the "Signature Generation" for SMB
From: "Narendra Kumar S.S" <[email protected]>
Date: Tue, 5 Oct 2010 14:13:22 +0530

     I have a pcap file with smb traffic and I am trying to understand how the signature is generated.
     Using wireshark GUI, I have opened the pcap file and have put a filter, so that I can see the relevant tcp stream only.
     In this stream, the initial authentication is done using NTLMSSP.
     But, after nearly 100 smb packets, suddenly I see a SetupAndX Request/Response, with krb5 AP_REQ and AP_REP.
     I have used the keytab file to decrypt the AP_REP and get the session key.
     Now, the sequence number starts with 0 and I have used that counter to calculate the signature.
     But, the signature that I am getting doesn't match with the original signature.
     I also, tried to count the sequence number starting from the NTLM Request/Response and with that also, the signature doesn't match.

     So, can somebody tell me, if this kind of mixup of NTLM and kerberos packets in a single tcp stream is common?
     And how to get the right signature in this case?

Warm Regards,

Visit my blogs at:
   ___    ___    __    _
  /  __/  /  __/  /     | / /
_\   \   _ \   \   /   /| |/ /
\___/ \___/   /_/ |__/