Posted by S. Pidgorny on April 21, 2007, 5:52 am
Thanks... Can you please elaborate on "retrieve the clear text ticket,
change the ticket to what you need for an exploit and then re-present the
ticket to the server"?
Guess I'm looking at what exactly is in the ticket, and how that is
exploitable.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
>> Most integration guides recommend using DES encryption for Kerberos
>> tickets
>> in UNIX/Linux interoperability scenarios.
>>
>> I wonder what the risk is. It can be brute forced; probably even within the
>> lifetime of the ticket. But I'm not familiar enough with the Kerberos
>> specification to identify what the potential exposure would be.
>>
>> Opinions appreciated.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> You are correct in the risk. Service tickets are encrypted with the
> DES key, so one approach would be to crack the key, retrieve the clear
> text ticket, change the ticket to what you need for an exploit and
> then re-present the ticket to the server. I think the same could be
> done for the TGT, but I'm not as sure. If you accomplish the brute
> force, then I don't think you would be restricted to the ticket
> lifetime, you could simply change the lifetime.
>
> I think most Linux/UNIX platforms now support something better than
> DES such as 3DES or AES. I'd recommend using it if available and
> getting an add-on if not.
>
> HTH,
> Dave
>
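As an added example that is not part of this thread, here is what the weak setting the integration guides ask for, and the hardened setting Dave recommends, look like as MIT Kerberos krb5.conf fragments. The keys used (allow_weak_crypto, default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes) are MIT krb5 [libdefaults] settings; allow_weak_crypto is newer than this thread (MIT krb5 1.7 and later). The realm EXAMPLE.COM is a placeholder.

```ini
# Fragment 1: the weak configuration (constructed example, not from the thread).
# Single DES enctypes only, so every ticket is protected by a 56-bit key.
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes = des-cbc-crc des-cbc-md5

# Fragment 2: the hardened configuration (constructed example, not from the thread).
# DES is refused outright; AES is preferred for TGTs and service tickets.
# Service principals must also have AES keys in the KDC database, since the
# KDC can only issue a service ticket in an enctype the service has a key for.
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

On an MIT client, `klist -e` shows the enctype each cached ticket was issued with; a service ticket listed with a des-cbc-* enctype is the exposure the thread is discussing, and it usually means the service principal still only has a DES key rather than a client-side setting being wrong.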