Kerberos Password Sniffing
John Hascall
john at iastate.edu
Sat Nov 30 21:52:14 EST 2002
> I just received an e-mail from NTBUGTRAQ regarding a utility someone wrote
> which will sniff out Kerberos passwords on-the-wire and crack them using a
> standard dictionary crack. Here's the URL
> http://ntsecurity.nu/toolbox/kerbcrack/. I'm not sure if it works, as I have
> not tried it. I'm still having trouble wrapping my head around the idea
> since the password, not even a hashed version of the password, is never sent
> across the wire during a Kerberos authentication request. I could be
> wrong... I'll have to look it up. I'm just having trouble figuring this out
> since Kerberos was created to prevent password sniffing.
A Kerberos ticket is essentially "stuff" encrypted by a key.
For the "TGT" ticket (i.e. for "login") the key is a function
of your password.
So, if {stuff}key comes across the wire, and if the evil
cracker has a whole bunch of keys derived from common password
choices then they just try all those keys in turn until they
get one that "fits the lock" and returns "stuff".
This is why good password choice is *critical*. If my password
is "hello" then I will be cracked by this process in short
order. If my password is "Op+f@1btsIstd" it is extremely unlikely
this is one of the keys they have to try so I am safe.
John
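The "fits the lock" idea above, as an added toy model that is not part of the original thread and has nothing to do with the kerbcrack tool: the key is derived from the password, the sealed "stuff" carries an integrity check so a wrong key is detectable, and an offline guesser succeeds only if the real password is on its candidate list. The string-to-key function, the XOR keystream cipher, the realm name, the password list and the plaintext are all constructed stand-ins (real Kerberos uses its own string-to-key and encryption types); the point it demonstrates is the one John makes about password choice.

```python
import hashlib
import hmac
import os

# Constructed realm name, used as salt for the toy string-to-key.
REALM = "EXAMPLE.ORG"


def string_to_key(password: str, salt: str = REALM) -> bytes:
    """Toy stand-in for Kerberos string-to-key: password -> 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (assumption, not Kerberos)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, stuff: bytes) -> bytes:
    """Produce {stuff}key: nonce || ciphertext || HMAC tag.

    The tag is the 'lock': only the right key makes it verify."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(stuff, keystream(key, nonce, len(stuff))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return 'stuff' if the key fits the lock, otherwise None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def offline_guess(blob: bytes, candidates):
    """Try each candidate password's key against the blob; return the one that fits."""
    for pw in candidates:
        if unseal(string_to_key(pw), blob) is not None:
            return pw
    return None


# Constructed sample: what the client would get back at "login".
STUFF = b"session-key-and-timestamp"
# Constructed short list of common choices the guesser has precomputed keys for.
COMMON = ["password", "123456", "hello", "letmein", "qwerty"]


def demo(password: str):
    """Seal STUFF under a password and report which candidate (if any) unlocks it."""
    blob = seal(string_to_key(password), STUFF)
    return offline_guess(blob, COMMON)


if __name__ == "__main__":
    print("hello         ->", demo("hello"))          # recovered from the list
    print("Op+f@1btsIstd ->", demo("Op+f@1btsIstd"))  # not on the list, stays safe
```

Because the attacker never needs the KDC once the blob is captured, the only thing standing between them and the password is whether its key is in the set they can afford to try; a password drawn from a common list is in that set, a long unusual one is not.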