SMB Decryption - TryHackMe
Recent TryHackMe room called “Block” inspired me to create this write-up. The task is to decrypt SMB3-encrypted communication. It turned out that sometimes we only need the captured network traffic to fulfill this task, while otherwise we need some additional info, such as user’s password or its NTLM hash. In this blog post, I would like to summarize three different approaches with practical hands-on exercises based on TryHackMe challenge. I will demonstrate methods of SMB decryption with the knowledge of the user’s password, its NTLM hash, and without any password/hash, just from the captured traffic only.