Kerberos Password Sniffing
Jacques A. Vidrine
nectar at celabo.org
Sun Dec 1 11:39:05 EST 2002
On Sat, Nov 30, 2002 at 08:24:55PM -0800, Russ Allbery wrote:
> Paul Vixie <vixie at as.vix.com> writes:
>
> > is there a "crack" module for kerberos? after reading the stanford
> > paper about how kerberos tickets could be attacked offline, i've been
> > wanting to actually try this -- no sniffing is required -- against my
> > own kerberos db to look for easy to guess passwords.
>
> Note that the findings of that paper only apply if you use Kerberos v4 or
> don't have preauth turned on. If you're using Kerberos v5 with preauth
> turned on for all users, you cannot launch that style of off-line attack.
If you can sniff the network, you can collect the preauthentication
data and/or the AS-REP and use that ciphertext to launch an off-line
attack quite easily. There is also a third method of collecting such
data if you have a valid principal and password in the target realm, for
which you need not even have the capability of sniffing the network.
> I know that Jack the Ripper has code available to work against an AFS
> kaserver database, but I don't know about Kerberos v5.
It is trivial to write additional code for Jack the Ripper to crack
Kerberos 5 passwords (either from a KDC database or collected as
mentioned above) --- less than two hours work.
> We link cracklib
> along with additional fascist rules into our kadmind and basically try to
> "pre-crack" passwords whenever anyone changes them.
Good idea.
Cheers,
--
Jacques A. Vidrine <nectar at celabo.org> http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se
More information about the Kerberos
mailing list