Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: kerberos!

from [David Ruschinek] Network Security [Permanent Link]
Subject: Re: kerberos!
Date: Wed, 8 Sep 2004 13:09:21 +0300 
This is the way is has been, and will continue to be.

The Authentication used over netbios/SMB/CIFS connections (at least in
win2003 and winXPPro) is IWA (Integrated Windows Authentication).
IWA is a mixture of several protocol where the strongest is attempted
first and then the weaker one. IWA uses Kerberos 5, Kerberos 4,
NTLMv3, NTLMv2 and Lan Manager (LM).

This is some the problems with IWA Authentication:
   1. Fall back to weaker protocols
   2. NTLM version backwards compatiblity
   3. Pasword hash is consistent (it is still better than basic though)
   4. Domain of remote machine can be sniffed

1. Fall back to weaker protocols
This means that when the authentication fails with a strong protocol
(Kerberos) a weaker protocol (NTLM) is attempted.

2. NTLM version backwards compatiblity
   NTLM has had several versions Windows 2003, XP and 2000 use version 3,
   Windows NT used version 2.
   Occassionally I found on Windows 2000 SP2 server DC and windows
2000 pro SP2 clients (not domain members, and with a different
workgroup name). I have not researched the latest SPs.  that when I
try to access a machine I get and Access denied and then on a second
attempt I will get through. I believed this phenomenon the backwards
compatibility as it went from NTLMv3 to NTLMv2. If I ever get the time
I will research it.

2. Password HASH is consistent
One of known issues with NTLM v2 was the 7 character hash. (every 7
characters is hashed with the same algorithm)
NTLM v2 would only process the first 2 blocks of 7 characters, this if
two passwords have Identical characters for the first 14 digits they
were the same password.
There is a popular password cracker called L0phtcrack:
http://www.atstake.com/products/lc/
in NTLMv3 the Password hash is still consistent.
About 1 year ago some professors built a machine to crack NTLMv2 and
v3 using password hash tables. I cannot find a link right now

This article from security focus goes into more details, on the password hash
http://www.securityfocus.com/infocus/1554

3. Domain of remote machine can be sniffed
One of the requirements for NTLMv3 and Kerberos is the domain for
authentication.
This can be sniffed (Network Monitor or Ethereal).

David Ruschinek


On Thu, 2 Sep 2004 16:25:00 +0200, Besirevic, Nesha
<nesha.besirevic@scala.net> wrote:

Hi,

Another joke from MS....

Scenario:

Two ADs (SBS 2003 - win2003 native mode and 2003 AD - win2000 native mode,
no trust btw, they are simply using sam IP addresses range)

Administrator account has same password on both ADs.

Without any additional authentication you can easily map Admin Share (C$
for example) from one AD DC to another being logged on as Administrator.

I thought we passed this kind of traps with KERBEROS!!!!

Can anybody confirm this!!!!

Thanks in advance

Nesha Besirevic
Technical Consultant\iScalaCRM
<http://www.epicor.com/> www.epicor.com
Tel.: +361 452-7689
Cell: +3630 996-3238
Fax: +361 452-7501
E-Mail: nbesirevic@epicor.com <mailto:nbesirevic@epicor.com>
<file:///C:/Documents%20and%20Settings/Nesha.Besirevic/Local%20Settings/Temp
/(EmptyReference!)>

This e-mail is for the use of the intended recipient(s) only. If you have
received this e-mail in error, please notify the sender immediately and then
delete it. If you are not the intended recipient, you must not use, disclose
or distribute this e-mail without the author's prior permission. We have
taken precautions to minimize the risk of transmitting software viruses, but
we advise you to carry out your own virus checks on any attachment to this
message. We cannot accept liability for any loss or damage caused by
software viruses.

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured 
such that just hitting reply is going to result in the message coming to the 
list, not to the individual who sent the message. This was done to help 
reduce the number of Out of Office messages posters received. So if you want 
to send a reply just to the poster, you'll have to copy their email address 
out of the message and place it in your TO: field.
-----





--
David Ruschinek

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  MinorRev: Microsoft Security Bulletin MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987), Russ Cooper
Next by Date:  Re: kerberos!, J. Merrill
Previous by Thread:  Re: kerberos!, Jeffrey Altman
Next by Thread:  Re: kerberos!, Thor
Indexes:  [Date] [Thread] [Top] [All Lists]