Brian C. asked ·

Has anyone found a good way to track NTLM traffic in DCRUM

We are trying to find a way to identify applications that are using NTLM and were thinking DCRUM might be able to do it, as we can inspect the packet headers. The problem is I am not seeing NTLM identifiers anywhere, and was wondering if that is by design, that DCRUM filters away that traffic.

Thanks

Brian

nam servernam probe

1 Answer

Chris V. answered ·

For HTTP traffic, I usually follow the 401 (unauthorized) errors. In the 3-way handshake NTLM uses to authenticate a web user, each server response has a 401 response code, so services using NTLM authentication will have high numbers of 401 errors (2 per authentication). Once authenticated, the server responds with the requested content and (typically) a 200 response code.

Proxy servers will start with a 407 (proxy authentication required) error. But that isn't specific enough to determine NTLM - it'll behave the same for basic authentication too.

If you wanted to be more specific, you'd have to configure your software services to extract the header info into a misc parameter to count them.

You'll want to look for the header:

Authorization: NTLM

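The detection logic from the answer above, as an added stand-alone example that is not part of the original thread and not DCRUM configuration: it counts 401/407 challenges per service (the cheap signal) and then confirms NTLM by looking at the Authorization / WWW-Authenticate (and proxy) headers, including decoding the NTLMSSP message type (1 = Negotiate, 2 = Challenge, 3 = Authenticate) from the base64 token, which is the documented MS-NLMP layout. The service names and the HTTP exchanges are constructed sample data; the NTLM tokens are minimal signature-plus-type blobs, not full messages. The Basic-auth service shows why 401 counts alone are not specific enough.

```python
import base64
import binascii
import struct
from collections import defaultdict


def ntlm_token(msg_type):
    """Constructed minimal NTLMSSP blob: 8-byte signature, LE32 message type, zero padding.
    Enough for the type check below; not a complete NTLM message."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20).decode()


# Constructed sample exchanges: (service, request headers, response status, response headers)
SAMPLE_EXCHANGES = [
    # NTLM handshake against an intranet service: 401, 401, then 200
    ("intranet.example", {}, 401, {"WWW-Authenticate": "NTLM"}),
    ("intranet.example", {"Authorization": "NTLM " + ntlm_token(1)}, 401,
     {"WWW-Authenticate": "NTLM " + ntlm_token(2)}),
    ("intranet.example", {"Authorization": "NTLM " + ntlm_token(3)}, 200, {}),
    # Basic auth: also produces a 401, but is not NTLM
    ("reports.example", {}, 401, {"WWW-Authenticate": 'Basic realm="reports"'}),
    ("reports.example", {"Authorization": "Basic dXNlcjpwYXNz"}, 200, {}),
    # Proxy doing NTLM: same handshake, but with 407 and the Proxy-* headers
    ("proxy.example", {}, 407, {"Proxy-Authenticate": "NTLM"}),
    ("proxy.example", {"Proxy-Authorization": "NTLM " + ntlm_token(1)}, 407,
     {"Proxy-Authenticate": "NTLM " + ntlm_token(2)}),
    ("proxy.example", {"Proxy-Authorization": "NTLM " + ntlm_token(3)}, 200, {}),
    # Anonymous service: no challenges at all
    ("public.example", {}, 200, {}),
]

AUTH_HEADERS = {"authorization", "proxy-authorization", "www-authenticate", "proxy-authenticate"}


def ntlm_message_type(token):
    """Return the NTLMSSP message type (1, 2 or 3) from a base64 token, or None if it is not NTLMSSP."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def ntlm_evidence(headers):
    """Return the NTLM message type found in an auth header, 0 for a bare 'NTLM' challenge
    with no token, or None if no header carries NTLM."""
    for name, value in headers.items():
        if name.lower() not in AUTH_HEADERS:
            continue
        scheme, _, token = value.strip().partition(" ")
        token = token.strip()
        if scheme.upper() == "NTLM":
            return ntlm_message_type(token) if token else 0
        # Negotiate (SPNEGO) may carry a raw NTLMSSP token; its base64 always starts this way
        if scheme.upper() == "NEGOTIATE" and token.startswith("TlRMTVNTUAA"):
            return ntlm_message_type(token)
    return None


def classify_services(exchanges):
    """Per service: number of 401/407 challenges, NTLM message types observed, and a verdict."""
    stats = defaultdict(lambda: {"challenges": 0, "ntlm_types": set(), "uses_ntlm": False})
    for service, req_headers, status, resp_headers in exchanges:
        entry = stats[service]
        if status in (401, 407):
            entry["challenges"] += 1
        for headers in (req_headers, resp_headers):
            evidence = ntlm_evidence(headers)
            if evidence is not None:
                entry["uses_ntlm"] = True
                if evidence:
                    entry["ntlm_types"].add(evidence)
    return dict(stats)


if __name__ == "__main__":
    for service, entry in sorted(classify_services(SAMPLE_EXCHANGES).items()):
        types = ",".join(str(t) for t in sorted(entry["ntlm_types"])) or "-"
        print(f"{service:20} challenges={entry['challenges']} ntlm={entry['uses_ntlm']} types={types}")
```

Running it prints one line per service; only the two services whose headers carry NTLM are flagged, even though the Basic-auth service also shows a 401. The "challenges" count is the signal you get from response codes alone, and the header check is the misc-parameter extraction the answer suggests.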