Re: kerberos!
From: David Ruschinek (drusho_at_GMAIL.COM)
Date: 09/08/04
- Previous message: Russ Cooper: "MinorRev: Microsoft Security Bulletin MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)"
- In reply to: Besirevic, Nesha: "kerberos!"
- Next in thread: Thor: "Re: kerberos!"
- Reply: Thor: "Re: kerberos!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 8 Sep 2004 13:09:21 +0300 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
This is the way is has been, and will continue to be.
The Authentication used over netbios/SMB/CIFS connections (at least in
win2003 and winXPPro) is IWA (Integrated Windows Authentication).
IWA is a mixture of several protocol where the strongest is attempted
first and then the weaker one. IWA uses Kerberos 5, Kerberos 4,
NTLMv3, NTLMv2 and Lan Manager (LM).
This is some the problems with IWA Authentication:
1. Fall back to weaker protocols
2. NTLM version backwards compatiblity
3. Pasword hash is consistent (it is still better than basic though)
4. Domain of remote machine can be sniffed
1. Fall back to weaker protocols
This means that when the authentication fails with a strong protocol
(Kerberos) a weaker protocol (NTLM) is attempted.
2. NTLM version backwards compatiblity
NTLM has had several versions Windows 2003, XP and 2000 use version 3,
Windows NT used version 2.
Occassionally I found on Windows 2000 SP2 server DC and windows
2000 pro SP2 clients (not domain members, and with a different
workgroup name). I have not researched the latest SPs. that when I
try to access a machine I get and Access denied and then on a second
attempt I will get through. I believed this phenomenon the backwards
compatibility as it went from NTLMv3 to NTLMv2. If I ever get the time
I will research it.
2. Password HASH is consistent
One of known issues with NTLM v2 was the 7 character hash. (every 7
characters is hashed with the same algorithm)
NTLM v2 would only process the first 2 blocks of 7 characters, this if
two passwords have Identical characters for the first 14 digits they
were the same password.
There is a popular password cracker called L0phtcrack:
http://www.atstake.com/products/lc/
in NTLMv3 the Password hash is still consistent.
About 1 year ago some professors built a machine to crack NTLMv2 and
v3 using password hash tables. I cannot find a link right now
This article from security focus goes into more details, on the password hash
http://www.securityfocus.com/infocus/1554
3. Domain of remote machine can be sniffed
One of the requirements for NTLMv3 and Kerberos is the domain for
authentication.
This can be sniffed (Network Monitor or Ethereal).
David Ruschinek
On Thu, 2 Sep 2004 16:25:00 +0200, Besirevic, Nesha
<nesha.besirevic@scala.net> wrote:
> Hi,
>
> Another joke from MS....
>
> Scenario:
>
> Two ADs (SBS 2003 - win2003 native mode and 2003 AD - win2000 native mode,
> no trust btw, they are simply using sam IP addresses range)
>
> Administrator account has same password on both ADs.
>
> Without any additional authentication you can easily map Admin Share (C$
> for example) from one AD DC to another being logged on as Administrator.
>
> I thought we passed this kind of traps with KERBEROS!!!!
>
> Can anybody confirm this!!!!
>
> Thanks in advance
>
> Nesha Besirevic
> Technical Consultant\iScalaCRM
> <http://www.epicor.com/> www.epicor.com
> Tel.: +361 452-7689
> Cell: +3630 996-3238
> Fax: +361 452-7501
> E-Mail: nbesirevic@epicor.com <mailto:nbesirevic@epicor.com>
> <file:///C:/Documents%20and%20Settings/Nesha.Besirevic/Local%20Settings/Temp
> /(EmptyReference!)>
>
> This e-mail is for the use of the intended recipient(s) only. If you have
> received this e-mail in error, please notify the sender immediately and then
> delete it. If you are not the intended recipient, you must not use, disclose
> or distribute this e-mail without the author's prior permission. We have
> taken precautions to minimize the risk of transmitting software viruses, but
> we advise you to carry out your own virus checks on any attachment to this
> message. We cannot accept liability for any loss or damage caused by
> software viruses.
>
> -----
> NTBugtraq Editor's Note:
>
> Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
> -----
>
-- David Ruschinek ----- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. -----
- Previous message: Russ Cooper: "MinorRev: Microsoft Security Bulletin MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)"
- In reply to: Besirevic, Nesha: "kerberos!"
- Next in thread: Thor: "Re: kerberos!"
- Reply: Thor: "Re: kerberos!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
