Security Basics mailing list archives
RE: Threat vector of running a service using a domain account
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 14 Sep 2007 15:05:56 -0400
Actually, Kerberos pre-authentication, where the user or computer successfully authenticates initially, does send an NT password hash. If you can capture the pre-authentication traffic, you can capture the hash. But it's an NT hash and very resistant to hacking. After that, for the next 10 hours by default (and in practice much longer), the password hash is never sent again. That's the beauty of Kerberos: after the initial auth, the password hash is not sent again for 10+ hours, so besides that one instance, there is never a chance for hash capture. And even if you do capture the pre-auth hash, it's an NT hash, and it will only break if it is short and weak.

This, of course, is how Microsoft Kerberos works. I'm not sure about MIT, since they don't use machine account password hash

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib
Sent: Friday, September 14, 2007 10:32 AM
To: Ramsdell, Scott
Cc: Jay; smanaois3 () gmail com; security-basics () securityfocus com
Subject: Re: Threat vector of running a service using a domain account
If you had the machine offline and patched it into a hub with another box running Wireshark or Ettercap (or other) and restarted the service, I wonder if you could crack the captured hash? You'd at least have a DA account's hash for replay.
I don't think password hashes are floating around on the network in a Kerberos-enabled Active Directory. Kerberos tickets are issued to the servers.
Current thread:
- Re: Re: Threat vector of running a service using a domain account, (continued)
- Re: Re: Threat vector of running a service using a domain account levinson_k (Sep 12)
- Re: Threat vector of running a service using a domain account Jay (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 18)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)