NetBIOS Filters:

| Notes | Wireshark Filter |
|---|---|
| Global search. | nbns |
| "NBNS" options for grabbing the low-hanging fruit. Queries: query details, which can contain the name, time to live (TTL) and IP address. | nbns.name contains "keyword" |

Kerberos Analysis

Kerberos is the default authentication service for Microsoft Windows domains. It is responsible for authenticating service requests between two or more computers over an untrusted network. The ultimate aim is to prove identity securely.

Kerberos investigation in a nutshell:

| Notes | Wireshark Filter |
|---|---|
| Global search. | kerberos |
| User account search. CNameString: the username. | kerberos.CNameString contains "keyword" |
| Note: some packets carry hostname information in this field. Values that end with "$" are hostnames and values without it are usernames, so filter out the "$" values to avoid confusion. | kerberos.CNameString and !(kerberos.CNameString contains "$") |
| "Kerberos" options for grabbing the low-hanging fruit. pvno: protocol version. | kerberos.pvno == 5 |
| realm: domain name for the generated ticket. | kerberos.realm contains ".org" |
| sname: service and domain name for the generated ticket. | kerberos.SNameString == "krbtgt" |
| addresses: client IP address and NetBIOS name. Note: the "addresses" information is only available in request packets. | |
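
The "$" rule for CNameString applied outside the Wireshark GUI, as an added example that is not part of the original notes. It assumes AS-REQ packets were exported with the tshark command shown in the comment; `capture.pcap`, the sample rows and the function names are constructed for illustration, and lower-casing account names is an assumption that suits Active Directory realms.

```python
# Added example: split Kerberos client names into user and machine accounts.
# Assumed export (capture.pcap is a placeholder file name):
#   tshark -r capture.pcap -Y "kerberos.msg_type == 10" -T fields \
#          -e ip.src -e kerberos.realm -e kerberos.CNameString
# msg_type 10 is AS-REQ, so ip.src is the requesting client, not the KDC.
from collections import defaultdict

# Constructed sample rows, tab-separated as "tshark -T fields" prints them.
SAMPLE = (
    "10.0.0.15\tCORP.EXAMPLE.ORG\tj.doe\n"
    "10.0.0.31\tCORP.EXAMPLE.ORG\tJ.Doe\n"        # same account, other host
    "10.0.0.22\tCORP.EXAMPLE.ORG\tDESKTOP-7A$\n"  # machine account
    "10.0.0.22\tCORP.EXAMPLE.ORG\ta.smith\n"
    "10.0.0.40\tCORP.EXAMPLE.ORG\t\n"             # packet without a cname
)


def split_principals(tsv):
    """Return (users, hosts): principal -> sorted list of client IPs."""
    users, hosts = defaultdict(set), defaultdict(set)
    for line in tsv.splitlines():
        cols = line.split("\t")
        if len(cols) != 3:
            continue  # skip malformed rows
        src, realm, cnames = cols
        # tshark comma-joins a field that occurs more than once in a packet.
        for cname in filter(None, cnames.split(",")):
            key = f"{cname.lower()}@{realm.upper()}"
            # Names ending in "$" are hostnames, the rest are usernames.
            bucket = hosts if cname.endswith("$") else users
            bucket[key].add(src)
    return ({k: sorted(v) for k, v in users.items()},
            {k: sorted(v) for k, v in hosts.items()})


def multi_source(users):
    """User accounts requesting tickets from more than one client IP."""
    return {name: ips for name, ips in users.items() if len(ips) > 1}


if __name__ == "__main__":
    found_users, found_hosts = split_principals(SAMPLE)
    print("users:", found_users)
    print("hosts:", found_hosts)
    print("review:", multi_source(found_users))
```

An account that appears in `multi_source` is not necessarily malicious, but it is a short list worth checking against where that user is expected to log on.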