Decryption of NTLMSSP v1 over DCE/RPC

Devin Heitmueller dheitmueller at
Fri Dec 6 18:11:00 GMT 2002


I am working on an Ethereal dissector for the NTLMSSP v1 protocol to
allow decryption of DCE/RPC traffic if the user provides a password.  So
far, I am able to create the SSP key properly (based on the challenge
and the LM hash), and am able to decrypt the first packet in the stream.

Here's the problem.  Can anyone provide any info on how the RC4 state
table is managed between packets?  I assume that the state is maintained
between packets.  Are separate state tables maintained for each traffic
direction (c->s versus s->c)?  Does it re-initialize the state on every
packet?  Does the peer use the same table for both encryption and

The first packet in the message gets properly decrypted, but all
subsequent packets fail.  Any info that can be provided on how RC4 state
is managed would be quite helpful.

Thanks in advance.

Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
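Added illustration (not part of the original post, and not the Ethereal dissector's code): a toy model of the symptom described above. RC4 is a stream cipher whose internal state is a cursor into one long keystream, so a decryptor that re-keys RC4 for every packet stays in sync only for the first packet, while one that keeps the state across packets tracks the sender; a third variant keeps one state per traffic direction. The session key, the packet contents and the peer behaviours modelled here are constructed; the example does not assert which of these behaviours the real NTLMSSP implementation uses, it only shows how to tell them apart on captured data.

```python
"""Toy model of RC4 keystream state across packets (constructed example).

The key, the packet contents and the two modelled peer behaviours are
assumptions for illustration only; they are not taken from any protocol
specification or capture.
"""


class RC4:
    """Minimal RC4 with the state (S-box plus i/j cursors) kept between calls."""

    def __init__(self, key: bytes) -> None:
        s = list(range(256))
        j = 0
        for i in range(256):  # key-scheduling algorithm
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        """Encrypt or decrypt (same operation); advances the keystream cursor."""
        s, i, j = self.s, self.i, self.j
        out = bytearray()
        for b in data:
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out.append(b ^ s[(s[i] + s[j]) & 0xFF])
        self.i, self.j = i, j
        return bytes(out)


# Constructed sample session key and PDU payloads (not real NTLMSSP data).
KEY = bytes.fromhex("0123456789abcdef")
PACKETS = [b"first rpc pdu", b"second rpc pdu", b"third rpc pdu"]


def seal_stream(key: bytes, packets: list) -> list:
    """Modelled sender: one RC4 state carried across every packet it sends."""
    cipher = RC4(key)
    return [cipher.crypt(p) for p in packets]


def unseal_reinit(key: bytes, ciphertexts: list) -> list:
    """Decryptor that re-keys RC4 per packet: only the first packet can match
    a sender that keeps its state (the keystream cursor never advances)."""
    return [RC4(key).crypt(ct) for ct in ciphertexts]


def unseal_continuous(key: bytes, ciphertexts: list) -> list:
    """Decryptor that keeps a single RC4 state for the whole stream."""
    cipher = RC4(key)
    return [cipher.crypt(ct) for ct in ciphertexts]


def unseal_per_direction(key: bytes, records: list) -> list:
    """Decryptor holding one RC4 state per direction; records are
    (direction, ciphertext) pairs in capture order."""
    states = {}
    out = []
    for direction, ct in records:
        state = states.setdefault(direction, RC4(key))
        out.append((direction, state.crypt(ct)))
    return out


def simulate_two_directions(key: bytes) -> list:
    """Modelled peers that each keep their own sending state under the same key."""
    client, server = RC4(key), RC4(key)
    return [
        ("c->s", client.crypt(b"request one")),
        ("s->c", server.crypt(b"response one")),
        ("c->s", client.crypt(b"request two")),
    ]


if __name__ == "__main__":
    sealed = seal_stream(KEY, PACKETS)
    for name, fn in (("re-keyed per packet", unseal_reinit),
                     ("continuous state", unseal_continuous)):
        ok = [p == q for p, q in zip(fn(KEY, sealed), PACKETS)]
        print(f"{name}: {ok}")
    recs = simulate_two_directions(KEY)
    print([p for _, p in unseal_per_direction(KEY, recs)])
```

Running the block prints `[True, False, False]` for the per-packet re-keying decryptor and `[True, True, True]` for the continuous one, which is exactly the "first packet decrypts, the rest fail" pattern; the per-direction variant then shows that if each peer keeps its own cursor, a dissector must do the same rather than feed both directions through one state.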

