man in the middle on MIT kerberos

Sam Hartman hartmans at MIT.EDU
Fri Feb 27 14:07:56 EST 2009

>>>>> "Nikhil" == Nikhil Mishra <nikhilm at> writes:

    Nikhil> Hi All , I have been trying to do this for a long time but
    Nikhil> to no rescue and so I will put it simply now.
    Nikhil> Is it possible to create a man in the middle in a kerberos
    Nikhil> environment , If I own admin privileges in all components
    Nikhil> of the traffic i.e ( windows KDC , windows based
    Nikhil> application , windows based client ) ?


I think what you want to do is figure out how to extract (or set
yourself) the password for the windows service in AD and then use
ktutil to construct the keytab.  ktpass seems to hurt people more than
it helps.

I don't know enough about AD internals to know how you should extract
the password.  I'll also note that you need to be aware of the concern
that Jeff Altman raised: the password will periodically be updated and
you'll have to deal with that.


