Kerberos Password Sniffing

John Hascall john at
Sat Nov 30 21:52:14 EST 2002

> I just received an e-mail from NTBUGTRAQ regarding a utility someone wrote
> which will sniff out Kerberos passwords on-the-wire and crack them using a
> standard dictionary crack. Here's the URL
> I'm not sure if it works, as I have
> not tried it. I'm still having trouble wrapping my head around the idea
> since the password, not even a hashed version of the password, is never sent
> across the wire during a Kerberos authentication request. I could be
> wrong..I'll have to look it up. I'm just having trouble figuring this out
> his since Kerberos was created to prevent password sniffing.

   A Kerberos ticket is essentially "stuff" encrypted by a key
   For the "TGT" ticket (i.e. for "login") the key is a function
   of your password.

   So, if   {stuff}      comes across the wire, and if the evil
   cracker has a whole bunch of keys derived from common password
   choices then they just try all those keys in turn until they
   get one that "fits the lock" and returns "stuff".

   This is why good password choice is *critical*.  If my password
   is "hello" then I will be cracked by this process in short
   order.  If my password is "Op+f at 1btsIstd" it is extremely unlikely
   this is one of the keys they have to try so I am safe.


More information about the Kerberos mailing list