Hello, I am working on an Ethereal dissector for the NTLMSSP v1 protocol to allow decryption of DCE/RPC traffic if the user provides a password. So far, I am able to create the SSP key properly (based on the challenge and the LM hash), and am able to decrypt the first packet in the stream.
Here's the problem. Can anyone provide any info on how the RC4 state table is managed between packets? I assume that the state is maintained between packets. Are separate state tables maintained for each traffic direction (c->s versus s->c)? Does it re-initialize the state on every packet? Does the peer use the same table for both encryption and decryption? The first packet in the message gets properly decrypted, but all subsequent packets fail. Any info that can be provided on how RC4 state is managed would be quite helpful.

Thanks in advance.

--
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
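The three possibilities raised in the question can be told apart empirically by decrypting a capture under each one and seeing how far into the stream each gets. The sketch below is an added example, not part of the original post and not Ethereal code. The model names, key, payloads and the model used to build the sample capture are constructed assumptions and say nothing about which model NTLMSSP actually uses.

```python
# Added example: which RC4 state-handling model explains a capture?
MODELS = ("reset", "per_direction", "shared")  # hypothetical labels for the three guesses

class RC4:
    def __init__(self, key: bytes):
        self.s, self.i, self.j = list(range(256)), 0, 0
        j = 0
        for i in range(256):  # key scheduling
            j = (j + self.s[i] + key[i % len(key)]) & 0xFF
            self.s[i], self.s[j] = self.s[j], self.s[i]

    def crypt(self, data: bytes) -> bytes:
        s, out = self.s, bytearray()
        for b in data:  # keystream position advances and persists in self
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)

def apply_model(key, packets, model):
    """XOR each (direction, payload) with keystream under one state model.
    RC4 is symmetric, so this both builds and decrypts a capture."""
    states, out = {}, []
    for direction, payload in packets:
        if model == "reset":
            st = RC4(key)                      # fresh state for every packet
        else:
            slot = direction if model == "per_direction" else "both"
            if slot not in states:
                states[slot] = RC4(key)        # state created once, then reused
            st = states[slot]
        out.append((direction, st.crypt(payload)))
    return out

def packets_recovered(key, capture, expected, model):
    """Per-packet flags: did this model reproduce the expected plaintext?"""
    got = apply_model(key, capture, model)
    return [g[1] == e[1] for g, e in zip(got, expected)]

# Constructed test data: key, payloads and the sender's model are arbitrary.
KEY = bytes.fromhex("0102030405060708")
PLAIN = [("c2s", b"constructed request 1"), ("s2c", b"constructed response 1"),
         ("c2s", b"constructed request 2"), ("s2c", b"constructed response 2")]
CAPTURE = apply_model(KEY, PLAIN, "shared")

if __name__ == "__main__":
    for m in MODELS:
        print(f"{m:14}", packets_recovered(KEY, CAPTURE, PLAIN, m))
```

Every model decrypts the first packet, because all of them start from a freshly keyed state, so a correct first packet only confirms the key; the models diverge from the second packet onward.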
