NTLM Security Support Provider

NTLMSSP is a Microsoft protocol for authentication using the NTLM protocol.

Open specification: [MS-NLMP]

"NT Password" setting allowing decryption

The "NT Password" setting can contain a password used to decrypt NTLM exchanges: both the NTLM challenge/response and further protocol payloads (like DCE/RPC) that may be encrypted with keys derived from the NTLM authentication.

Just input the user's password in the field. According to the source code, only ASCII passwords are supported (due to the simple method used for Unicode encoding). It doesn't seem to support NTLM hashes, so make sure to use the cleartext password.

Here's what the NTLM authentication at the beginning of a DRSUAPI (DCE/RPC) session looks like before providing the password:

before_nt_password

And after providing the password, notice the additional info highlighted in blue:

after_nt_password

Then, before providing the password, the DsGetDomainControllerInfo request payload is not readable since it's "encrypted stub data":

encrypted_stub

But after providing the password, it becomes "decrypted stub data" (even though it seems invalid so there's potentially a bug):

decrypted_stub