Kerberos Login Service

Attacking and fixing the Microsoft Windows Kerberos Login Service

We implemented and tested a recent attack technique, also called “pass-the-ticket”, on various real Kerberos implementations. The attack allows a malicious user to physically log in on a target host in a Kerberos-based network, under the assumption that he knows a valid user principal and has the ability to manipulate network traffic. Our research shows that all recent versions of the Microsoft Windows operating systems are vulnerable to the attack.

We discuss here some of the best-known Kerberos weaknesses and give a detailed description of the pass-the-ticket technique, with a possible fix (already successfully implemented in the MIT Kerberos software). The simple tool used to reproduce two of the described techniques is also included below (requires Python + Scapy).

Passtkt-paper

Krb5Crypto-0.4.tar

A small library needed to bind some Kerberos API functions to Python

kdcreplay-08062010.tar

The tool which reproduces the KDC spoofing and “Pass-the-ticket” attacks

Links to the original papers describing the vulnerability, by E. Bouillon:

BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf
PacSec08_Bouillon.ppt

08-18-2010 UPDATE:

Google Docs mirror for everything: Paper, kdcreplay, Krb5Crypto

10-27-2010 UPDATE:

kdcreplay.py revision, with a more exhaustive readme (you’d better read it): kdcreplay

Also a Google Docs mirror here: kdcreplay