Re: kerberos-get-realm.nse

[Patrik Karlsson <patrik () labb1 com>]

On 6 jan 2010, at 23.14, David Fifield wrote:

> On Fri, Jan 01, 2010 at 12:21:00PM +0100, Patrik Karlsson wrote:
> > Please see my comments inline. I have attached the latest version
> > (0.2) of the script.
> >
> > On 1 jan 2010, at 04.41, David Fifield wrote:
> > > On Mon, Dec 28, 2009 at 05:28:43PM +0100, Patrik Karlsson wrote:
> > > > On 22 dec 2009, at 17.50, David Fifield wrote:
> > > > > It's a pity we can't use the probe that makes Windows disclose the
> > > > > realm. Out of curiosity, what were the contents of the reply? Maybe it
> > > > > can be made into an NSE script.
> > > >
> > > > Here's a first attempt on that script. It tries to retrieve both the
> > > > realm and the server time from the error message. I have tested it
> > > > against W2K3 where it retrieves both and against Heimdal on Linux
> > > > where it only extracts the time.
> > > >
> > > > The script name may be slightly misleading, but getting the realm name
> > > > is what I initially wanted to do. As always, comments, suggestions and
> > > > bug reports are welcome.
> > >
> > > It looks good. It's too bad it only works on Windows as far as we know
> > > so far.
> >
> > I agree, maybe some more fiddling with the request may reveal
> > differently, but as for now it's Windows only. 
> >
> > > Getting the date is a nice thing, but service detection should
> > > already do that. One thing you could do is print out the deviation from
> > > local time like http-date does:
> > >
> > > PORT   STATE SERVICE
> > > 80/tcp open  http
> > > |_http-date: Sat, 21 Nov 2009 21:08:31 GMT; -40d6h32m17s from local time.
> > >
> > > Feel free to factor out that time difference–formatting code from
> > > http-date.
> >
> > I have added this to version 0.2 attached to this e-mail.
> >
> > > I tried to test this but I couldn't figure out how to activate a
> > > Kerberos server on Windows XP. Do you have to have a server edition or
> > > something?
> >
> > You need a Windows server running as a DC. I have been testing it
> > against a Windows 2003 server. I would be interested in the results of
> > this script run against a Windows 2008 DC.
> >
> > > You need to document the meaning of the 0xa9 byte in
> > > extract_kerberos_realm.
> >
> > I'm not certain about the meaning of this byte, but as far as I can
> > tell it always occurs 2 bytes before the ASN.1 type tag of the realm. 
>
> Thanks for making those changes. I decided to move the format_difftime
> function into the stdnse module so it doesn't have to be duplicated.
>
> I saw this article:
>
> http://support.microsoft.com/?kbid=248807
>
> It says: "All Windows 2000 domains are also Kerberos realms. However the
> realm name is always the all uppercase version of the domain name. There
> is no way to have a Kerberos realm name that is different from the
> domain name."
>
> It also says: "Because the Windows 2000 domain name is also a DNS domain
> name, the Kerberos realm name for the Windows 2000 domain name is always
> in uppercase letters."
>
> If it's the case that the Windows Kerberos realm name is always the same
> as the DNS name, then I don't think we should include the script.
> However, if the realm name might be different than the DNS name, or if
> it might reflect an internal name that's different than an external one,
> then we should include it. Do you know whether it's possible for the
> Windows domain name to be different than the DNS name, or the Kerberos
> realm name to be different than the Windows domain name, and on what
> versions of Windows?
>
> If the name can differ and we include the script, then I would want to
> rename it to reflect the limited targets against which it works,
> something like kerberos-win-realm. I tried it against Mac OS X Kerberos
> and the remote side just FINs the connection.
>
> David Fifield

I'm uncertain about whether the discrepancies you describe can occur. If they can, they should be pretty rare.
Let's drop the script until someone figures out if other Kerberos implementation may leak the realm to.
 
//Patrik
--
Patrik Karlsson
http://www.cqure.net




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/