Kerberos
Attacking and fixing the Microsoft Windows Kerberos Login Service
We implemented and tested a recent attack technique, also called "pass-the-ticket", against several real Kerberos implementations. The attack allows a malicious user to log in locally on a target host in a Kerberos-based network, assuming only that he knows a valid user principal and can manipulate network traffic (i.e. sit as a man-in-the-middle between the target host and the KDC). Our research shows that all recent versions of the Microsoft Windows operating systems are vulnerable to the attack.
We discuss here some of the best-known Kerberos weaknesses and give a detailed description of the pass-the-ticket technique, together with a possible fix (already successfully implemented in the MIT Kerberos software). The simple tool used to reproduce two of the described techniques is also included below (it requires Python + Scapy):
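The following is an added example (not code from this page, from the kdcreplay tool, or from the paper) that models, in a few dozen lines of Python, why a login service that only checks whether the AS-REP decrypts under the typed password is trivially fooled by a spoofed KDC, and what the standard host-keytab verification (the check MIT Kerberos performs in krb5_verify_init_creds) adds. The cipher, string-to-key function, message layout, realm EXAMPLE.TEST and host principal host/ws1.example.test are all simplified stand-ins chosen for the example; the spoofing KDC here knows only the victim's principal name and a password of its own choosing, exactly the attacker assumption stated above.

```python
"""Toy model of a Kerberos login service facing a spoofed KDC (added example).
Everything here is deliberately simplified: a toy HMAC-based cipher, JSON
messages instead of ASN.1, PBKDF2 instead of the Kerberos string-to-key."""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.TEST"                 # assumed realm name
HOST_PRINC = "host/ws1.example.test"   # assumed login-host principal
TGS_PRINC = "krbtgt/" + REALM


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key; the principal name acts as salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096, 32)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: HMAC keystream XOR plus HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the decrypted dict, or None if the key is wrong or the blob was tampered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Honest KDC: holds every principal's long-term key."""
    def __init__(self, passwords: dict):
        self.keys = {p: string_to_key(pw, p) for p, pw in passwords.items()}
        self.keys[TGS_PRINC] = os.urandom(32)

    def as_exchange(self, cname: str):
        sk = os.urandom(32).hex()
        tgt = seal(self.keys[TGS_PRINC], {"cname": cname, "key": sk})
        return tgt, seal(self.keys[cname], {"key": sk, "sname": TGS_PRINC})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        t = unseal(self.keys[TGS_PRINC], tgt)
        auth = t and unseal(bytes.fromhex(t["key"]), authenticator)
        if not auth or auth["cname"] != t["cname"]:
            return None
        sk2 = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": sk2})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": sk2, "sname": sname})


class SpoofingKDC:
    """Attacker answering in place of the KDC. Knows only the victim's principal
    name and a password of its own choosing; holds no real KDC or host key."""
    def __init__(self, attacker_password: str):
        self.pw, self.fake_key = attacker_password, os.urandom(32)

    def as_exchange(self, cname: str):
        sk = os.urandom(32).hex()
        tgt = seal(self.fake_key, {"cname": cname, "key": sk})   # opaque to the client
        return tgt, seal(string_to_key(self.pw, cname), {"key": sk, "sname": TGS_PRINC})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        t = unseal(self.fake_key, tgt)
        ticket = seal(self.fake_key, {"cname": t["cname"], "key": "00"})  # not under host key
        return ticket, seal(bytes.fromhex(t["key"]), {"key": "00", "sname": sname})


def naive_login(user: str, password: str, kdc) -> bool:
    """Vulnerable: accepts as soon as the AS-REP enc-part decrypts under the typed password."""
    _tgt, enc_part = kdc.as_exchange(user)
    return unseal(string_to_key(password, user), enc_part) is not None


def verified_login(user: str, password: str, kdc, keytab: bytes) -> bool:
    """Hardened: also fetches a ticket for the host's own principal and validates it
    with the keytab through a full AP-REQ style check (MIT's krb5_verify_init_creds)."""
    tgt, enc_part = kdc.as_exchange(user)
    as_part = unseal(string_to_key(password, user), enc_part)
    if as_part is None:
        return False                                    # wrong password
    sk = bytes.fromhex(as_part["key"])
    rep = kdc.tgs_exchange(tgt, seal(sk, {"cname": user}), HOST_PRINC)
    if rep is None:
        return False
    ticket, tgs_part = rep
    tgs_part = unseal(sk, tgs_part)
    t = unseal(keytab, ticket)                          # only the real KDC has the host key
    if t is None or tgs_part is None or t["cname"] != user:
        return False
    # The authenticator built from the client's session key must verify under the
    # session key inside the ticket, binding the client's view to the KDC-issued ticket.
    auth = seal(bytes.fromhex(tgs_part["key"]), {"cname": user})
    return unseal(bytes.fromhex(t["key"]), auth) is not None


def demo() -> dict:
    kdc = KDC({"alice": "correct horse", HOST_PRINC: "host-secret"})
    keytab = kdc.keys[HOST_PRINC]            # stands in for the host's own keytab
    spoof = SpoofingKDC("attacker-chosen")
    return {
        "honest_ok": verified_login("alice", "correct horse", kdc, keytab),
        "honest_badpw": verified_login("alice", "wrong", kdc, keytab),
        "naive_spoofed": naive_login("alice", "attacker-chosen", spoof),
        "verified_spoofed": verified_login("alice", "attacker-chosen", spoof, keytab),
    }


if __name__ == "__main__":
    print(demo())
```

The naive service accepts the attacker's password because the spoofer simply encrypts the enc-part under that password; the verified service rejects the same session because the spoofer cannot produce a ticket under the host key, and would also fail the authenticator binding if it replayed a ticket whose session key it does not know.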
Krb5Crypto: a small library that binds some Kerberos API functions to Python
kdcreplay: the tool that reproduces the KDC spoofing and "pass-the-ticket" attacks
Links to the original papers describing the vulnerability, by E. Bouillon:
BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf
PacSec08_Bouillon.ppt
08-18-2010 UPDATE:
Google Docs mirror for everything: Paper, kdcreplay, Krb5Crypto
10-27-2010 UPDATE:
kdcreplay.py revision, with a more exhaustive readme (you’d better read it): kdcreplay
also Google Docs mirror here: kdcreplay
[...] Friday 29 October, at 13:00, Tommaso will give a seminar describing the vulnerability we have found in the Windows implementation of the Kerberos login service. More information and the full paper can be found here. [...]