Nmap Development mailing list archives
Re: Kerberos probes for nmap
From: Patrik Karlsson <patrik () labb1 com>
Date: Tue, 22 Dec 2009 08:55:58 +0100
Hi again, I forgot to attach the signatures. Here they are:

Heimdal - Linux

SF-Port88-UDP:V=5.10BETA1%I=7%D=12/22%Time=4B307A41%P=i386-apple-darwin10.2.0%r(Kerberos,64,"~b0`\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18
SF:\x0f20091222075021Z\xa5\x05\x02\x03\x02\xbc\xda\xa6\x03\x02\x01<\xa9\x0
SF:4\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0\xa1\x0e0\x0c\x1b\x06krbtgt\x
SF:1b\x02NM\xab\x16\x1b\x14No\x20client\x20in\x20request");

AD - Windows

SF-Port88-UDP:V=5.10BETA1%I=7%D=12/22%Time=4B3079C6%P=i386-apple-darwin10.2.0%r(Kerberos,4C,"~J0H\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18
SF:\x0f20091222074817Z\xa5\x05\x02\x03\x07A\xc0\xa6\x03\x02\x01D\xa9\x04\x
SF:1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\
SF:x02NM");

//Patrik

On 22 dec 2009, at 08.01, David Fifield wrote:

> On Wed, Dec 16, 2009 at 02:38:30AM +0100, Patrik Karlsson wrote:
>
>> Here's a modified version of the packet where I have removed the things you mentioned. I have not touched the algorithms, because I'm uncertain which ones to leave. Removing some of them could reduce the footprint size by some 10 bytes or so. I ran the new probe against my Heimdal which got me:
>>
>> SF-Port88-UDP:V=5.10BETA1%I=7%D=12/16%Time=4B283757%P=i386-apple-darwin10.2.0%r(Kerberos,69,"~g0e\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18
>> SF:\x0f20091216012641Z\xa5\x05\x02\x03\x0e/\xc3\xa6\x03\x02\x01<\xa9\x15\x
>> SF:1b\x13<unspecified\x20realm>\xaa\x0b0\t\xa0\x03\x02\x01\0\xa1\x020\0\xa
>> SF:b\x16\x1b\x14No\x20server\x20in\x20request");
>>
>> I also tested it against a Windows server and it worked well, even returned the name of the realm. Unfortunately I don't have access to an OS X Kerberos server or to MIT Kerberos for additional testing.
>
> I just tried the probe against Mac OS X (which I think uses MIT Kerberos) and it didn't get a response. I tried re-adding the server name and that got a response. This time the error message returned was NULL_CLIENT instead of CLIENT_NOT_FOUND. Would you see if this probe works for you? I think it's the same as your original except that it uses the 1970-01-01 date and doesn't have a client name.
>
> Probe UDP Kerberos q|\x6a\x81\x6e\x30\x81\x6b\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\x0a\xa4\x81\x5e\x30\x5c\xa0\x07\x03\x05\0\x50\x80\0\x10\xa2\x04\x1b\x02NM\xa3\x17\x30\x15\xa0\x03\x02\x01\0\xa1\x0e\x30\x0c\x1b\x06krbtgt\x1b\x02NM\xa5\x11\x18\x0f19700101000000Z\xa7\x06\x02\x04\x1f\x1e\xb9\xd9\xa8\x17\x30\x15\x02\x01\x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x01\x02\x01\x03\x02\x01\x02|
>
> Here's the response I get:
>
> SF-Port88-UDP:V=5.10BETA1%I=2%D=12/21%Time=4B306D97%P=i686-pc-linux-gnu%r(
> SF:Kerberos,6F,"~m0k\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa2\x11\x18\x
> SF:0f19860718214913Z\xa4\x11\x18\x0f20091222065618Z\xa5\x05\x02\x03\x03G\x
> SF:e7\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0
> SF:\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x0e\x1b\x0cNULL_CLIENT\0");
>
> User Datagram Protocol, Src Port: kerberos (88), Dst Port: 46208 (46208)
> Kerberos
> KRB-ERROR
> Pvno: 5
> MSG Type: KRB-ERROR (30)
> ctime: 1986-07-18 21:49:13 (UTC)
> stime: 2009-12-22 06:56:18 (UTC)
> susec: 215015
> error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
> Realm: NM
> Server Name (Unknown): krbtgt/NM
> e-text: NULL_CLIENT
>
> Also, what tool are you using to make these packets? I was able to add the server name by hand but it's tricky to keep all the ASN.1 length values updated.
>
> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
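David's question about which tool builds these packets, and his remark that hand-editing the ASN.1 length values is tricky, is the part of the thread a worked example helps with. The following Python is an added example, not code from the thread, from Nmap or from either author: a minimal DER encoder that assembles the posted AS-REQ probe from its fields so that every length is computed, and a small decoder that turns the KRB-ERROR fingerprints quoted in the thread into named fields. The sample byte strings are transcribed from the thread's fingerprints (Nmap's `\0` written as `\x00`); the function names, the `ERROR_NAMES` and `FIELD_NAMES` tables are mine. One thing the encoder exposes: the probe as posted uses BER long-form lengths (`\x81\x6e` for 110, `\x81\x6b`, `\x81\x5e`) where DER requires the one-byte short form, so a strict encoder produces a probe three bytes shorter; `der_canonical` normalizes the posted bytes so the two can be compared.

```python
def der_len(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def ctx(n, content):              # EXPLICIT context tag [n], as Kerberos uses everywhere
    return tlv(0xA0 | n, content)

def integer(v):                   # minimal two's-complement INTEGER (non-negative here)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def gstring(s):                   # GeneralString
    return tlv(0x1B, s.encode("ascii"))

def sequence(*items):
    return tlv(0x30, b"".join(items))

def build_as_req_probe(realm="NM", nonce=0x1F1EB9D9, till="19700101000000Z",
                       etypes=(18, 17, 16, 23, 1, 3, 2)):
    """AS-REQ (APPLICATION 10) with no cname; the defaults are the thread's probe values."""
    req_body = sequence(
        ctx(0, tlv(0x03, b"\x00" + bytes.fromhex("50800010"))),     # kdc-options BIT STRING
        ctx(2, gstring(realm)),                                       # realm
        ctx(3, sequence(ctx(0, integer(0)),                           # sname: krbtgt/<realm>
                        ctx(1, sequence(gstring("krbtgt"), gstring(realm))))),
        ctx(5, tlv(0x18, till.encode("ascii"))),                      # till (GeneralizedTime)
        ctx(7, integer(nonce)),                                       # nonce
        ctx(8, sequence(*(integer(e) for e in etypes))),              # etype
    )
    return tlv(0x6A, sequence(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, req_body)))

def der_read(buf, pos=0):
    """(tag, content, next_pos) of the TLV at pos; accepts BER long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items

def der_canonical(buf):
    """Re-encode a BER blob with minimal (DER) lengths, recursing into constructed tags."""
    out, pos = b"", 0
    while pos < len(buf):
        tag, content, pos = der_read(buf, pos)
        out += tlv(tag, der_canonical(content) if tag & 0x20 else content)
    return out

ERROR_NAMES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 60: "KRB_ERR_GENERIC",
               68: "KDC_ERR_WRONG_REALM"}   # RFC 4120 names for the codes seen in the thread
FIELD_NAMES = {0: "pvno", 1: "msg_type", 2: "ctime", 4: "stime", 5: "susec",
               6: "error_code", 9: "realm", 11: "e_text"}

def parse_krb_error(data):
    """Decode a KRB-ERROR (APPLICATION 30) into the fields a fingerprinter looks at."""
    tag, body, _ = der_read(data)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR (tag 0x%02x)" % tag)
    fields = {}
    for ctag, cbody in der_children(der_read(body)[1]):     # walk the inner SEQUENCE
        num = ctag & 0x1F
        inner = der_read(cbody)[1]                           # unwrap the EXPLICIT [n] tag
        if num in (0, 1, 5, 6):                              # INTEGER fields
            fields[FIELD_NAMES[num]] = int.from_bytes(inner, "big", signed=True)
        elif num in (2, 4, 9):                               # GeneralizedTime / GeneralString
            fields[FIELD_NAMES[num]] = inner.decode("ascii")
        elif num == 10:                                      # sname: PrincipalName
            strings = der_read(der_children(inner)[1][1])[1]
            fields["sname"] = "/".join(s.decode("ascii") for _, s in der_children(strings))
        elif num == 11:                                      # e-text; some KDCs append a NUL
            fields["e_text"] = inner.decode("latin-1").rstrip("\x00")
    fields["error_name"] = ERROR_NAMES.get(fields.get("error_code"), "UNKNOWN")
    return fields

PROBE_FROM_THREAD = (   # the thread's probe as posted; note BER long-form lengths \x81\x6e etc.
    b"\x6a\x81\x6e\x30\x81\x6b\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\x0a\xa4\x81\x5e\x30\x5c"
    b"\xa0\x07\x03\x05\x00\x50\x80\x00\x10\xa2\x04\x1b\x02NM\xa3\x17\x30\x15\xa0\x03\x02\x01"
    b"\x00\xa1\x0e\x30\x0c\x1b\x06krbtgt\x1b\x02NM\xa5\x11\x18\x0f19700101000000Z\xa7\x06"
    b"\x02\x04\x1f\x1e\xb9\xd9\xa8\x17\x30\x15\x02\x01\x12\x02\x01\x11\x02\x01\x10\x02\x01"
    b"\x17\x02\x01\x01\x02\x01\x03\x02\x01\x02")
MACOS_KRB_ERROR = (     # reply from Mac OS X to the probe above, transcribed from the thread
    b"~m0k\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa2\x11\x18\x0f19860718214913Z\xa4\x11"
    b"\x18\x0f20091222065618Z\xa5\x05\x02\x03\x03G\xe7\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM"
    b"\xaa\x170\x15\xa0\x03\x02\x01\x00\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x0e\x1b\x0c"
    b"NULL_CLIENT\x00")
HEIMDAL_KRB_ERROR = (   # reply from Heimdal, transcribed from the thread
    b"~b0`\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18\x0f20091222075021Z\xa5\x05"
    b"\x02\x03\x02\xbc\xda\xa6\x03\x02\x01<\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01"
    b"\x00\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x16\x1b\x14No client in request")
```

Calling `parse_krb_error(MACOS_KRB_ERROR)` gives `error_code` 6 (`KDC_ERR_C_PRINCIPAL_UNKNOWN`), `realm` NM, `sname` krbtgt/NM, `susec` 215015 and `e_text` NULL_CLIENT, the same values Wireshark shows in the decode above; the Heimdal reply decodes to `error_code` 60 with "No client in request" and no ctime field. `der_canonical(PROBE_FROM_THREAD)` equals `build_as_req_probe()` byte for byte, so changing a field (a longer realm, fewer etypes) is a matter of changing an argument rather than recounting lengths by hand.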
Current thread:
- Kerberos probes for nmap Patrik Karlsson (Nov 28)
- Re: Kerberos probes for nmap David Fifield (Dec 12)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 12)
- Re: Kerberos probes for nmap David Fifield (Dec 15)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 15)
- Re: Kerberos probes for nmap David Fifield (Dec 21)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 21)
- Re: Kerberos probes for nmap David Fifield (Dec 22)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 28)
- kerberos-get-realm.nse David Fifield (Dec 31)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 15)
- Re: Kerberos probes for nmap David Fifield (Dec 12)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 21)