Attacking and fixing the Microsoft Windows Kerberos Login Service
We implemented and tested a recent attack technique, also called "pass-the-ticket", against several real Kerberos implementations. The attack allows a malicious user to physically log in on a target host in a Kerberos-based network, under the assumption that he knows a valid user principal name and is able to manipulate network traffic between the host and the KDC. Our research shows that all recent versions of the Microsoft Windows operating systems are vulnerable to the attack.
We discuss here some of the best-known Kerberos weaknesses and give a detailed description of the pass-the-ticket technique, together with a possible fix (already implemented successfully in the MIT Kerberos software). The simple tool used to reproduce two of the described techniques is also included below (requires Python + Scapy).
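To make the attack and the fix concrete, the following is a constructed Python model added for this page; it is not the kdcreplay tool, does not use Scapy, and replaces real Kerberos cryptography with an HMAC-based toy sealing function. It plays through the AS and TGS exchanges against both a legitimate KDC and a rogue KDC that the attacker has put in front of the target host, and compares a naive login service (the password is accepted as soon as the AS-REP decrypts) with one hardened the way MIT's krb5_verify_init_creds() is: the fresh TGT is used to fetch a service ticket for the host's own principal, which is then verified with the host key from the local keytab. Principal names, passwords and keys are made up for the example.

```python
import hashlib
import hmac
import json
import os


def string_to_key(password: str) -> bytes:
    """Toy stand-in for Kerberos string2key: derive a long-term key from a password."""
    return hashlib.sha256(b"toy-s2k|" + password.encode()).digest()


def seal(key: bytes, fields: dict) -> bytes:
    """Toy EncryptedData: HMAC tag || JSON body. Integrity only (no secrecy), which is
    all this model needs: unseal() with the wrong key must fail, as real decryption
    of a Kerberos EncryptedData fails its checksum with the wrong key."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("decryption failed (wrong key)")
    return json.loads(body)


class KDC:
    """Legitimate KDC: holds every principal's long-term key (users, services, krbtgt)."""

    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, cname: str) -> tuple:
        # AS-REP: TGT under the krbtgt key, enc-part (session key) under the user's key.
        session = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "session": session})
        return tgt, seal(self.keys[cname], {"session": session})

    def tgs_exchange(self, tgt: bytes, sname: str) -> tuple:
        # TGS-REP: service ticket under the service's key, enc-part under the TGT session key.
        tgt_body = unseal(self.keys["krbtgt"], tgt)
        svc_session = os.urandom(16).hex()
        ticket = seal(self.keys[sname], {"cname": tgt_body["cname"], "session": svc_session})
        return ticket, seal(bytes.fromhex(tgt_body["session"]), {"session": svc_session})


class RogueKDC:
    """Attacker's KDC, reachable because the attacker controls the host's network traffic.
    It knows the password the attacker will type at the console, but neither the victim's
    real password, nor the real krbtgt key, nor the target host's keytab key."""

    def __init__(self, attacker_password: str):
        self.user_key = string_to_key(attacker_password)
        self.fake_krbtgt = os.urandom(32)
        self.fake_host_key = os.urandom(32)  # a guess: the real host key is unknown

    def as_exchange(self, cname: str) -> tuple:
        session = os.urandom(16).hex()
        tgt = seal(self.fake_krbtgt, {"cname": cname, "session": session})
        return tgt, seal(self.user_key, {"session": session})

    def tgs_exchange(self, tgt: bytes, sname: str) -> tuple:
        tgt_body = unseal(self.fake_krbtgt, tgt)
        svc_session = os.urandom(16).hex()
        ticket = seal(self.fake_host_key, {"cname": tgt_body["cname"], "session": svc_session})
        return ticket, seal(bytes.fromhex(tgt_body["session"]), {"session": svc_session})


def naive_login(kdc, username: str, password: str) -> bool:
    """Vulnerable login service: 'if the AS-REP decrypts, the password is right'.
    It trusts whoever answered the AS-REQ, so a spoofed KDC gets the attacker in."""
    _tgt, enc_part = kdc.as_exchange(username)
    try:
        unseal(string_to_key(password), enc_part)
    except ValueError:
        return False
    return True


def verified_login(kdc, username: str, password: str, host_principal: str, keytab_key: bytes) -> bool:
    """Hardened login service (the krb5_verify_init_creds() idea): after the AS exchange,
    use the TGT to obtain a ticket for this host and check it with the keytab key.
    Only a KDC that knows the host key can mint such a ticket."""
    tgt, enc_part = kdc.as_exchange(username)
    try:
        session = bytes.fromhex(unseal(string_to_key(password), enc_part)["session"])
        ticket, tgs_enc = kdc.tgs_exchange(tgt, host_principal)
        svc = unseal(keytab_key, ticket)   # fails against a spoofed KDC
        unseal(session, tgs_enc)
    except ValueError:
        return False
    return svc["cname"] == username


def demo() -> dict:
    """Run the three scenarios; each value is (naive_login result, verified_login result)."""
    host = "host/ws01.example.test"          # hypothetical host principal
    keytab_key = os.urandom(32)              # the host's key, as stored in its keytab
    real = KDC({"alice": string_to_key("correct horse"), host: keytab_key, "krbtgt": os.urandom(32)})
    rogue = RogueKDC("attacker-chosen")
    return {
        "real_kdc_right_pw": (naive_login(real, "alice", "correct horse"),
                              verified_login(real, "alice", "correct horse", host, keytab_key)),
        "real_kdc_wrong_pw": (naive_login(real, "alice", "guess"),
                              verified_login(real, "alice", "guess", host, keytab_key)),
        "spoofed_kdc":       (naive_login(rogue, "alice", "attacker-chosen"),
                              verified_login(rogue, "alice", "attacker-chosen", host, keytab_key)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: naive={outcome[0]} verified={outcome[1]}")
```

The point of the third scenario is that the naive service accepts the attacker's own password because the attacker also supplied the AS-REP, while the verified service rejects the same session because the rogue KDC cannot produce a ticket under the host's keytab key. This is why the check must use a key the KDC-facing side of the exchange cannot influence, and why it is only possible on hosts that actually have a keytab.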
Small library that binds some Kerberos API functions to Python
The tool that reproduces the KDC spoofing and "pass-the-ticket" attacks
Links to the original papers describing the vulnerability, by E. Bouillon:
Revised kdcreplay.py, with a more exhaustive README (read it first): kdcreplay
Google Docs mirror: kdcreplay