
Kerberos Login Service

Attacking and fixing the Microsoft Windows Kerberos Login Service

We implemented and tested a recent attack technique, also called “pass-the-ticket”, on various real Kerberos implementations. The attack allows a malicious user to physically log in on a target host in a Kerberos-based network, under the assumption that he knows a valid user principal and has the ability to manipulate network traffic. Our research shows that all recent versions of the Microsoft Windows operating systems are vulnerable to the attack.

We discuss here some of the best-known Kerberos weaknesses, and give a detailed description of the pass-the-ticket technique, with a possible fix (already successfully implemented in the MIT Kerberos software). The simple tool used to reproduce two of the described techniques is also included below (requires Python + Scapy).



Little library needed to bind some Kerberos API functions to python


The tool which reproduces the KDC spoofing and “Pass-the-ticket” attacks

Links to the original papers describing the vulnerability, by E. Bouillon:


08-18-2010 UPDATE:

Google Docs mirror for everything: Paper, kdcreplay, Krb5Crypto

10-27-2010 UPDATE: revision, with a more exhaustive readme (you’d better read it): kdcreplay

also Google Docs mirror here: kdcreplay



[…] This post was mentioned on Twitter by Popotxo, Miguel Gesteiro and Miguel Gesteiro, RoMaNSoFt ☠. RoMaNSoFt ☠ said: "Pass-the-ticket" new attack: paper, tool & ppt. Performs MITM between attacked server and Kerberos one […]

[…] belonged to, so it is a particular pleasure for me that researchers at the Ca’Foscari University of Venice found a flaw in the variant of the Windows implementation that performs local login, so I can present […]

[…] Friday 29 October, at 13:00, Tommaso will give a seminar describing the vulnerability we have found on the Windows systems implementation of the Kerberos login service. More information and full paper can be found here. […]
