Full Disclosure mailing list archives

Dictionary/brute-force attack against "kerberized" IIS service accounts without triggering account lockout


From: "Ben Lincoln (F7EFC8C9 - FD)" <F7EFC8C9 () beneaththewaves net>
Date: Thu, 18 Dec 2014 21:00:15 -0800

Not sure if this is old news by now, but I haven't seen it mentioned anywhere.

I was writing some walkthroughs for the alpha version of Mimikatz 2.0, and realized that since the "Silver Ticket" functionality involves one of the Windows Kerberos ticket encryption keys being the NTLM hash of the account which receives the Kerberos ticket, it's possible to use it to check passwords for IIS application pool service accounts (if Kerberos auth is used, of course), and this does not trigger an account lockout regardless of the number of attempts - at least not on Server 2012 RTM with the default settings (no "enhanced protection", etc.).

http://www.beneaththewaves.net/Projects/Mimikatz_20_-_Brute-Forcing_Service_Account_Passwords.html

Apologies in advance if this has already been discussed. This is definitely a POC-grade tool - I do not have the C/C++ skills to modify Mimikatz sufficiently to make this particular attack production-quality.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/