Answered Viewing NRPC Traffic in Net Mon 3.4

  • Friday, July 27, 2012 7:15 PM
    Trying to analyze packets that are listed as NRPC. The payload shows encrypted. I need to be able to see into these packets. I am using Microsoft Network Monitor 3.4. The traffic is on a Windows 2008 R2 SP1 server. Help!

All Replies

  • Friday, July 27, 2012 9:22 PM
    Moderator
     Answered

    Hi Moe,

    Unfortunately, Network Monitor 3.4 can't decrypt this sort of traffic. We only have the decryption expert for SSL based encryption over HTTP (that can be found at nmdecrypt.codeplex.com).

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

  • Monday, July 30, 2012 12:18 PM
    If I open a Microsoft ticket, would it be a correct assumption that Microsoft would have the resources to decrypt this traffic for me?
  • Monday, July 30, 2012 3:15 PM
    Moderator

    Hi Moe,

    No, that would not be a correct assumption; encryption wouldn't be very secure if it worked that way.

    You would need some information from the server and detailed knowledge of the protocol to work out an algorithm to decrypt it. You could look at our decryption expert as an example.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

  • Friday, August 03, 2012 6:04 PM

    I agree. The event 4776 is logged in the security audit log file, and presents a source machine name. However, the machine name does not resolve to anything on the network. If the OS is able to detect the machine name in the payload, is the IP and MAC data not included with it? Is there any other way of tracking the source machine attempting to authenticate to the GUEST account?

  • Wednesday, August 08, 2012 2:24 PM
    Owner

    It's strange that the name does not resolve. Maybe there are other surrounding events with more information? I don't have an example 4776 to look at, but sometimes in the raw data there is more information. Perhaps you can pick out something that looks like an IPv4/IPv6 address?

    You could try to capture the traffic when the event is recorded. In fact, we have some blogs which describe how to do this if the case is that the event doesn't happen frequently:

    http://blogs.technet.com/b/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx

    http://blogs.technet.com/b/netmon/archive/2008/12/12/eventcap-revisited-using-nmapi.aspx

    If performance is an issue with either of these methods, then you'll want to look at:

    http://blogs.technet.com/b/netmon/archive/2010/08/05/using-high-performance-filtering.aspx

    Once you capture this happening, you can look at the trace and discover the hardware/IP address of the authentication request.

    I would also look at: http://social.technet.microsoft.com/Forums/en-GB/exchangesvradmin/thread/8fe0f122-528a-4bf5-b47b-d04e3ae7a7f8 which discusses a similar problem.

    Thanks,

    Paul
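
Added example, not code from the thread or from Network Monitor: a PowerShell pass over the 4776 events Moe describes, pulling the Source Workstation field the server recorded, testing whether that name resolves, and surfacing any IPv4/IPv6 literal in the event text (Paul's "pick out something that looks like an address" step). It assumes an elevated PowerShell session on the 2008 R2 server that writes the Security log; the account name GUEST comes from the thread, and the 200-event lookback is an arbitrary assumption.

```powershell
# Added example (not from the thread). Correlates 4776 (NTLM credential validation)
# events for one account with the Source Workstation the server logged, and checks
# whether that workstation name actually resolves.
# Assumption: elevated session on the server writing the Security log.
$Account   = 'GUEST'   # account name from the thread
$MaxEvents = 200       # assumption: how far back in the Security log to look

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

# Rough matchers for address literals that sometimes appear in place of a host name.
$ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$ipv6 = '(?i)\b(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{1,4}\b'

$results = foreach ($e in $events) {
    # 4776 EventData carries PackageName, TargetUserName, Workstation and Status.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ne $Account) { continue }

    $ws = $data['Workstation']
    if ($ws) {
        # A name that fails here is the symptom described in the thread.
        try   { $resolved = ([System.Net.Dns]::GetHostAddresses($ws) |
                              ForEach-Object { $_.IPAddressToString }) -join ',' }
        catch { $resolved = 'unresolved' }
    } else  { $resolved = '(blank workstation field)' }

    # Any IP literal in the workstation field or rendered message is worth keeping.
    $literals = [regex]::Matches("$ws $($e.Message)", "$ipv4|$ipv6") |
                ForEach-Object { $_.Value } | Select-Object -Unique

    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $ws
        # Common Status values: 0x0 success, 0xC0000064 no such user,
        # 0xC000006A bad password, 0xC0000072 account disabled, 0xC0000234 locked out.
        Status      = $data['Status']
        Resolves    = $resolved
        IpLiterals  = ($literals -join ',')
    }
}

$results | Sort-Object Time |
    Format-Table Time, Account, Workstation, Status, Resolves, IpLiterals -AutoSize
```

The Time column gives the window to line up against a capture taken with one of the event-triggered methods linked above, where the frame carrying the request supplies the IP and MAC that 4776 itself does not record.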