pcap_llmnr_ntlm
Analyze PCAP files to detect LLMNR poisoning attacks and extract NTLM credentials from SMB traffic for network security investigations.
Instructions
Detect LLMNR poisoning and extract NTLM credentials from SMB. Returns llmnr_queries, ntlm_auth_entries, counts, and poisoning_indicators. Read-only file analysis.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| pcap_path | Yes | Path to the PCAP file | |
Implementation Reference
- src/tools/pcap.ts:290-335 (handler): implementation of the pcap_llmnr_ntlm tool, which uses tshark to pull LLMNR queries and NTLM authentication entries out of a PCAP file and flags potential poisoning.
```typescript
// server, z, requireTool, validatePcap, runCmd and parseLines are the project's own
// helpers from src/tools/pcap.ts and are not shown on this page.
server.tool(
  "pcap_llmnr_ntlm",
  "Detect LLMNR poisoning and extract NTLM credentials from SMB. Returns llmnr_queries, ntlm_auth_entries, counts, and poisoning_indicators. Read-only file analysis.",
  {
    pcap_path: z.string().describe("Path to the PCAP file"),
  },
  async ({ pcap_path }) => {
    requireTool("tshark");
    const pcap = validatePcap(pcap_path);
    // Every packet on udp/5355 (LLMNR queries and answers): source, destination, queried name.
    const llmnr = await runCmd("tshark", [
      "-r", pcap,
      "-Y", "udp.port == 5355",
      "-T", "fields",
      "-e", "ip.src",
      "-e", "ip.dst",
      "-e", "llmnr.query_name",
    ]);
    // NTLMSSP AUTHENTICATE messages: which client authenticated to which host, as which account.
    const ntlm = await runCmd("tshark", [
      "-r", pcap,
      "-Y", "ntlmssp.auth",
      "-T", "fields",
      "-e", "ip.src",
      "-e", "ip.dst",
      "-e", "ntlmssp.auth.username",
      "-e", "ntlmssp.auth.domain",
      "-e", "ntlmssp.auth.hostname",
    ]);
    const llmnrLines = parseLines(llmnr.stdout);
    const ntlmLines = parseLines(ntlm.stdout);
    // Coarse indicator: raised when more than two LLMNR packets were seen in total.
    // It does not check whether several hosts answered the same query name.
    const poisoning = llmnrLines.length > 2;
    const result = {
      llmnr_queries: llmnrLines.slice(0, 50),
      ntlm_auth_entries: ntlmLines.slice(0, 50),
      llmnr_count: llmnrLines.length,
      ntlm_count: ntlmLines.length,
      poisoning_indicators: poisoning,
    };
    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
  },
);
```
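The handler's poisoning flag is a packet count; the check an investigator actually wants is "did more than one host answer the same LLMNR name, and which NTLM authentications then went to those hosts". The following is an added example, not the project's code: it works on the same tab-separated tshark field output the tool produces (queries are the packets sent to the LLMNR multicast group 224.0.0.252 / ff02::1:3, everything else on udp/5355 is an answer whose ip.src is the responder), and the sample output lines are constructed, not from a real capture.

```typescript
const LLMNR_MULTICAST = new Set(["224.0.0.252", "ff02::1:3"]);
interface LlmnrRecord { src: string; dst: string; name: string; }
interface NtlmRecord { src: string; dst: string; user: string; domain: string; }

// tshark -T fields prints one packet per line with tab-separated fields.
function splitFields(stdout: string): string[][] {
  return stdout.split("\n").filter((l) => l.trim() !== "").map((l) => l.split("\t"));
}
function parseLlmnr(stdout: string): LlmnrRecord[] {
  return splitFields(stdout).map(([src = "", dst = "", name = ""]) => ({ src, dst, name: name.toLowerCase() }));
}
function parseNtlm(stdout: string): NtlmRecord[] {
  return splitFields(stdout).map(([src = "", dst = "", user = "", domain = ""]) => ({ src, dst, user, domain }));
}

// Queries go to the LLMNR multicast group; any other udp/5355 packet is an answer,
// so ip.src is the responder. A name answered by more than one host is suspicious.
function findPoisonedNames(records: LlmnrRecord[]): Record<string, string[]> {
  const responders = new Map<string, Set<string>>();
  records.forEach((r) => {
    if (LLMNR_MULTICAST.has(r.dst) || r.name === "") return;
    const ips = responders.get(r.name) || new Set<string>();
    ips.add(r.src);
    responders.set(r.name, ips);
  });
  const out: Record<string, string[]> = {};
  responders.forEach((ips, name) => { if (ips.size > 1) out[name] = Array.from(ips).sort(); });
  return out;
}

// NTLM authentications sent to a suspicious responder are the credentials a
// poisoner would have captured, reported as DOMAIN\user from victim -> responder.
function exposedCredentials(poisoned: Record<string, string[]>, ntlm: NtlmRecord[]): string[] {
  const bad = new Set<string>();
  Object.keys(poisoned).forEach((n) => poisoned[n].forEach((ip) => bad.add(ip)));
  return ntlm.filter((n) => bad.has(n.dst)).map((n) => `${n.domain}\\${n.user} from ${n.src} -> ${n.dst}`);
}

const LLMNR_STDOUT = [ // constructed sample tshark output, not a real capture
  "10.0.0.5\t224.0.0.252\tFILESHARE",
  "10.0.0.6\t224.0.0.252\tfileshare",
  "10.0.0.7\t224.0.0.252\twpad",
  "10.0.0.20\t10.0.0.5\tfileshare", // first host answering the name
  "10.0.0.99\t10.0.0.6\tfileshare", // a second host answers the same name
  "10.0.0.99\t10.0.0.7\twpad",      // single responder for wpad: not flagged
].join("\n");
const NTLM_STDOUT = [ // constructed sample, same field order as the tool's ntlm query
  "10.0.0.6\t10.0.0.99\tjdoe\tCORP", // victim authenticated to the second responder
  "10.0.0.8\t10.0.0.30\tsvc\tCORP",  // ordinary SMB auth to a real server
].join("\n");
```

On the sample, `findPoisonedNames` flags only `fileshare` (two responders), and `exposedCredentials` reports the single NTLM session that went to one of them.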