Question about FAST

kristian x_astroboyz at
Thu Jul 8 00:53:38 EDT 2010

On Sat, 26/6/10, Greg Hudson <ghudson at MIT.EDU> wrote:

> I haven't personally tried to do this, so I'm not sure why John the
> Ripper wouldn't be working.  Note that if your user principals require
> preauth, you'd want to attack the second AS-REQ or second AS-REP; if
> they don't require preauth, you'd want to attack the first AS-REP.

I have asked the developer of Kerberos, and the author of the krb5 cracker code said that the code is unlikely to work for most current deployments of Kerberos.
Is there any idea of how to prove the vulnerability of Kerberos without pre-authentication using dictionary attack password guessing?

> On the client side, the application must supply an armor ccache in order
> to use FAST.  This will likely change when we support anonymous pkinit
> armor, but for the moment the only way to productively use FAST is with
> an existing ccache--ideally one obtained using a strong key, such as the
> host key.  (Any ccache containing a TGT can be used, however.)  For
> one-off testing, the easiest way to observe FAST is with kinit's -T
> flag, passing it the name of an existing ccache.

How do I actually get the existing ccache? Do I have to create the ccache manually, or do I use kinit to get the ccache from the KDC (which means I don't use pre-authentication to get the ccache first), or do I use a non-existent ccache file?
I have tried one successfully, but I forget how to use it.

> If you're adventurous enough to use trunk code (the stuff destined to
> become krb5 1.9), you can use KRB5_TRACE to get a little insight into
> what's going on

Where can I get the file KRB5_TRACE to be compiled and used?

Thank you for answering my many questions.

More information about the krbdev mailing list