Security Basics mailing list archives

RE: Threat vector of running a service using a domain account


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 14 Sep 2007 15:05:56 -0400

Actually, Kerberos pre-authentication, where the user or computer
successfully authenticates initially, does send an NT password hash. If
you can capture the pre-authentication traffic, you can capture the
hash. But it's an NT hash and very resistant to hacking.  After that,
for the next 10 hours by default (and in practice much longer), the
password hash is never sent again. 

That's the beauty of Kerberos, after the initial auth, the password hash
is not sent again for 10+ hours, so besides that one instance, there is
never a chance for hash capture. And even if you do capture the pre-auth
hash, it's an NT hash, and it will only break if it is short and weak.

This, of course, is how Microsoft Kerberos works. I'm not sure about MIT,
since they don't use the machine account password hash.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************
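A toy model of the mechanism Roger describes, added here as an example and not taken from the thread: the client proves knowledge of its password-derived key by encrypting a timestamp (PA-ENC-TIMESTAMP), the KDC checks it against the stored key and rejects stale timestamps, and the key itself never appears on the wire. The key derivation (SHA-256 of the password) and the "encryption" (an HMAC tag) are stand-ins I chose so the model runs anywhere; real Active Directory uses the NT hash or AES-derived keys with RC4-HMAC/AES encryption.

```python
import hashlib
import hmac
import struct

# Constructed model of Kerberos pre-authentication. Assumptions: the
# long-term key is SHA-256 of the UTF-16LE password (stand-in for the NT
# hash) and the encrypted timestamp is an HMAC-SHA256 tag (stand-in for
# RC4-HMAC/AES). Neither matches the real wire format.
TICKET_LIFETIME_S = 10 * 3600  # AD default TGT lifetime discussed in the thread
CLOCK_SKEW_S = 5 * 60          # Kerberos default maximum clock skew


def long_term_key(password: str) -> bytes:
    """Derive the client's long-term key from its password (model only)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def build_preauth(key: bytes, now: int) -> dict:
    """Client side: the only thing sent is the timestamp plus a tag over it."""
    ts = struct.pack(">Q", now)
    tag = hmac.new(key, ts, hashlib.sha256).digest()
    return {"timestamp": now, "enc": tag}


def wire_bytes(preauth: dict) -> bytes:
    """Serialize what a sniffer on a hub would actually capture."""
    return struct.pack(">Q", preauth["timestamp"]) + preauth["enc"]


def kdc_verify(stored_key: bytes, preauth: dict, now: int) -> bool:
    """KDC side: recompute the tag with the stored key; reject stale replays.

    Run against a captured blob with candidate keys, this same check is the
    offline guessing oracle Roger warns about: it only pays off when the
    password is short and weak enough to guess.
    """
    if abs(now - preauth["timestamp"]) > CLOCK_SKEW_S:
        return False  # a replayed capture outside the skew window fails here
    expected = hmac.new(stored_key, struct.pack(">Q", preauth["timestamp"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, preauth["enc"])


def needs_reauth(ticket_issued_at: int, now: int) -> bool:
    """Within the ticket lifetime the client presents a ticket, not its key."""
    return now - ticket_issued_at >= TICKET_LIFETIME_S
```

Note that the wire bytes never contain the key, so the only value of a capture is as an offline guessing target, and a replayed blob is rejected once the timestamp falls outside the skew window.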



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ali, Saqib
Sent: Friday, September 14, 2007 10:32 AM
To: Ramsdell, Scott
Cc: Jay; smanaois3 () gmail com; security-basics () securityfocus com
Subject: Re: Threat vector of running a service using a domain account

If you had the machine offline and patched it into a hub with another 
box running Wireshark or Ettercap (or other) and restarted the 
service, I wonder if you could crack the captured hash?  You'd at 
least have a DA account's hash for replay.

I don't think password hashes are floating around on the network in a
Kerberos-enabled Active Directory. Kerberos tickets are issued to the
servers.

