Published in Maveris Labs

Decrypting SMB3 Traffic with just a PCAP? Absolutely (maybe.)

The challenge “Stolen Research” on the Space Race CTF
Screenshot displaying the Encrypted SMB3 packets
Not going to lie, this was definitely me for a bit
Screenshot of the Session ID (fe3f6db000000000)
Screenshot of the Session Key (b35056d4bb7f4382ee7aabd0f055bad0)
Insertion of Session ID and Key into Wireshark
Whomp Whomp :-/ No dice. Looks like the Session key in the packet is not able to decrypt SMB3 traffic…
SMB Dialect is 3.1.1 according to Server Response
My assumption of that poor soul trying to mess with Session Keys in meme format
-User’s password or NTLM hash
-User’s domain
-User’s username
-NTProofStr
-Key Exchange Key (Also known as the NTLMv2 Session Base Key)
-Encrypted Session Key
-Unicode (utf-16le) of the password
-MD4 hash of the above (this is also the NTLM hash of the password)
-Unicode (utf-16le) and uppercase of the username and domain/workgroup together
-Calculating the ResponseKeyNT via HMAC_MD5(NTLM Hash, Unicode of User/Domain above)
-NTProofStr (can be calculated but not needed as it is present in the PCAP)
-Calculating the KeyExchangeKey via HMAC_MD5(ResponseKeyNT, NTProofStr)
-Decrypt the Encrypted Session Key via RC4 and the Key Exchange Key to finally get the Random Session Key
from Crypto.Hash import MD4, HMAC, MD5   # pycryptodome
from Crypto.Cipher import ARC4

user = "test"
domain = "workgroup"
password = "test"
NTProofStr = bytes.fromhex("a0e42a75c54bbb0fab814593569faa22")
EncryptedSessionKey = bytes.fromhex("C914ADCEB0F1C32FB7C2548D8D959F01")

hash = MD4.new(password.encode("utf-16le")).digest()   # NTLM hash of the password
# hash is 0cb6948805f797bf2a82807973b89537
# MS-NLMP uppercases only the user name; the domain is used as the client sent it (uppercase here either way)
ResponseKeyNT = HMAC.new(hash, (user.upper() + domain.upper()).encode("utf-16le"), MD5).digest()
# ResponseKeyNT is f31eb9f73fc9d5405f9ae516fb068315
KeyExchangeKey = HMAC.new(ResponseKeyNT, NTProofStr, MD5).digest()
# KeyExchangeKey is fd160d4ed7f2cb38f64262d7617f23b3
RandomSessionKey = ARC4.new(KeyExchangeKey).decrypt(EncryptedSessionKey)   # RC4 is symmetric, so this "decrypt" is a plain keystream XOR
# RandomSessionKey is 4462b99bb21423c29dbb4b4a983fde03
NTProofSTR, Domain, and Username all provided by Client Request
NTLM Server Challenge from Server Response
ADMINISTRATOR::JUPITER:c7733b7ae107df0e:c9396ea910bd92e58c60de983db0bcf7:…
.\mp64.exe -o 3ight.txt ?d?d?d?d?d?d?d?d
.\mp64.exe -o Se7en.txt ?d?d?d?d?d?d?d
Mask Processor output. Look how large 8 digits alone is.
hashcat.exe -a 1 -m 5600 crackme.txt rockyou-75.txt Se7en.txt --rule-left=c
Screenshot of successful crack of NTLMv2 Hash for the challenge
Oh look! It’s a bird, it’s a plane, it’s… a PASSWORD!!!
Python2, I can’t quit you. You’ve gotten me through so much. If anyone wants to upgrade this to Python3, please!
python2 calc.hash.py --user administrator --domain jupiter \
--password Shuttle9812983 \
--ntproofstr c9396ea910bd92e58c60de983db0bcf7 \
--key b35056d4bb7f4382ee7aabd0f055bad0 -v
USER WORK: ADMINISTRATORJUPITER
PASS HASH: f00ec4c6994a282a82cb03c0a981a014
RESP NT: 3b1c956f98de231d413af796f9fd681a
NT PROOF: c9396ea910bd92e58c60de983db0bcf7
KeyExKey: eab9e089692dd2dc6496142a78e692ad
Random SK: ba05e83790ffc59a5ada30becc4ea8c8
Screenshot showing decryption was indeed possible!!!
It was then possible to export files from the encrypted session
Contents of research.png
Khris Tolbert