The linked blog post describes several methods, with examples, for decrypting SMB traffic in Wireshark and for using Wireshark/tshark to extract the values needed to crack the user password with hashcat.
If SMB traffic is captured or eavesdropped, the attacker can try to crack the user password. The attacker is able to extract the challenge/response values from the Session Setup and then use password-cracking tools such as hashcat.
If the attack is successful, the attacker gains not only access to the user account but can also decrypt the captured SMB file transfers. This encryption lacks perfect forward secrecy.
For more details and practical examples, please see the linked blog post.