Nmap Development mailing list archives
Re: kerberos-get-realm.nse
From: Patrik Karlsson <patrik () labb1 com>
Date: Wed, 6 Jan 2010 23:34:16 +0100
On 6 jan 2010, at 23.14, David Fifield wrote:
> On Fri, Jan 01, 2010 at 12:21:00PM +0100, Patrik Karlsson wrote:
>> Please see my comments inline. I have attached the latest version (0.2) of the script.
>>
>> On 1 jan 2010, at 04.41, David Fifield wrote:
>>> On Mon, Dec 28, 2009 at 05:28:43PM +0100, Patrik Karlsson wrote:
>>>> On 22 dec 2009, at 17.50, David Fifield wrote:
>>>>> It's a pity we can't use the probe that makes Windows disclose the realm. Out of curiosity, what were the contents of the reply? Maybe it can be made into an NSE script.
>>>>
>>>> Here's a first attempt on that script. It tries to retrieve both the realm and the server time from the error message. I have tested it against W2K3 where it retrieves both and against Heimdal on Linux where it only extracts the time. The script name may be slightly misleading, but getting the realm name is what I initially wanted to do. As always, comments, suggestions and bug reports are welcome.
>>>
>>> It looks good. It's too bad it only works on Windows as far as we know so far.
>>
>> I agree, maybe some more fiddling with the request may reveal differently, but as for now it's Windows only.
>>
>>> Getting the date is a nice thing, but service detection should already do that. One thing you could do is print out the deviation from local time like http-date does:
>>>
>>> PORT   STATE SERVICE
>>> 80/tcp open  http
>>> |_http-date: Sat, 21 Nov 2009 21:08:31 GMT; -40d6h32m17s from local time.
>>>
>>> Feel free to factor out that time difference-formatting code from http-date.
>>
>> I have added this to version 0.2 attached to this e-mail.
>>
>>> I tried to test this but I couldn't figure out how to activate a Kerberos server on Windows XP. Do you have to have a server edition or something?
>>
>> You need a Windows server running as a DC. I have been testing it against a Windows 2003 server. I would be interested in the results of this script run against a Windows 2008 DC.
>>
>>> You need to document the meaning of the 0xa9 byte in extract_kerberos_realm.
>>
>> I'm not certain about the meaning of this byte, but as far as I can tell it always occurs 2 bytes before the ASN.1 type tag of the realm.
>
> Thanks for making those changes. I decided to move the format_difftime function into the stdnse module so it doesn't have to be duplicated.
>
> I saw this article: http://support.microsoft.com/?kbid=248807
>
> It says: "All Windows 2000 domains are also Kerberos realms. However the realm name is always the all uppercase version of the domain name. There is no way to have a Kerberos realm name that is different from the domain name."
>
> It also says: "Because the Windows 2000 domain name is also a DNS domain name, the Kerberos realm name for the Windows 2000 domain name is always in uppercase letters."
>
> If it's the case that the Windows Kerberos realm name is always the same as the DNS name, then I don't think we should include the script. However, if the realm name might be different than the DNS name, or if it might reflect an internal name that's different than an external one, then we should include it. Do you know whether it's possible for the Windows domain name to be different than the DNS name, or the Kerberos realm name to be different than the Windows domain name, and on what versions of Windows?
>
> If the name can differ and we include the script, then I would want to rename it to reflect the limited targets against which it works, something like kerberos-win-realm.
>
> I tried it against Mac OS X Kerberos and the remote side just FINs the connection.
>
> David Fifield

I'm uncertain about whether the discrepancies you describe can occur. If they can, they should be pretty rare. Let's drop the script until someone figures out if other Kerberos implementations may leak the realm too.

//Patrik

--
Patrik Karlsson
http://www.cqure.net

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
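The 0xa9 byte and the http-date style skew output discussed in the thread, as an added example that is not part of the thread or of the kerberos-get-realm.nse script: in the KRB-ERROR message of RFC 4120 (section 5.9.1) the realm is context-specific field [9], encoded as the tag byte 0xa9, a length byte, and then the GeneralString type tag 0x1b, which is why 0xa9 sits two bytes before the realm's ASN.1 type tag; stime is field [4] wrapping a GeneralizedTime. The Python below builds a constructed sample KRB-ERROR (the realm EXAMPLE.TEST, the server time and the local clock value are all made up), extracts realm and stime with a minimal DER walker, and renders the clock difference in the "-40d6h32m17s" style shown for http-date. The exact format_difftime output format is an assumption modelled on that single sample line, not stdnse's code. Run against a capture of a KDC's own error reply, the same parse shows a defender exactly what the reply discloses.

```python
"""Parse a Kerberos KRB-ERROR (RFC 4120, 5.9.1) for the realm and server time.

Added example; not code from the nmap-dev thread or the NSE script.
"""
from datetime import datetime, timezone


# --- minimal DER encode/decode helpers -----------------------------------

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(v):
    """Encode a (non-negative) INTEGER in two's complement DER form."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Iterate the TLV elements inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


# --- constructed sample message ------------------------------------------

def build_sample_krb_error(realm, stime, error_code=25):
    """Constructed sample KRB-ERROR carrying only the fields this parse needs.
    Context tags follow RFC 4120: pvno [0], msg-type [1], stime [4], susec [5],
    error-code [6], realm [9], sname [10]. Values are made up for the example."""
    principal = tlv(0x30,
                    tlv(0xA0, der_int(2)) +                     # name-type NT-SRV-INST
                    tlv(0xA1, tlv(0x30, tlv(0x1B, b"krbtgt") + tlv(0x1B, realm))))
    body = (tlv(0xA0, der_int(5)) +                           # pvno
            tlv(0xA1, der_int(30)) +                          # msg-type KRB-ERROR
            tlv(0xA4, tlv(0x18, stime.encode("ascii"))) +     # stime: GeneralizedTime
            tlv(0xA5, der_int(0)) +                           # susec
            tlv(0xA6, der_int(error_code)) +                  # error-code
            tlv(0xA9, tlv(0x1B, realm)) +                     # realm: 0xa9, len, 0x1b ...
            tlv(0xAA, principal))                             # sname
    return tlv(0x7E, tlv(0x30, body))                         # [APPLICATION 30] SEQUENCE


# --- extraction and reporting --------------------------------------------

def extract_realm_and_time(msg):
    """Return (realm, stime) from a KRB-ERROR; either is None if absent."""
    tag, seq, _ = read_tlv(msg, 0)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR ([APPLICATION 30]) message")
    tag, body, _ = read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    realm = stime = None
    for ctx, val in children(body):
        inner_tag, inner, _ = read_tlv(val, 0)
        if ctx == 0xA4 and inner_tag == 0x18:          # [4] stime
            stime = datetime.strptime(inner.decode("ascii"), "%Y%m%d%H%M%SZ")
            stime = stime.replace(tzinfo=timezone.utc)
        elif ctx == 0xA9 and inner_tag == 0x1B:        # [9] realm
            realm = inner.decode("ascii")
    return realm, stime


def format_difftime(remote, local):
    """Render remote - local like "-40d6h32m17s" (format assumed from the thread)."""
    diff = int((remote - local).total_seconds())
    sign = "-" if diff < 0 else "+"
    diff = abs(diff)
    days, diff = divmod(diff, 86400)
    hours, diff = divmod(diff, 3600)
    minutes, seconds = divmod(diff, 60)
    parts = [f"{v}{u}" for v, u in ((days, "d"), (hours, "h"), (minutes, "m"), (seconds, "s")) if v]
    return sign + ("".join(parts) or "0s")


def skew_report(msg, local_iso):
    """One-line summary of a reply, with clock skew against local_iso (UTC, ISO 8601)."""
    realm, stime = extract_realm_and_time(msg)
    local = datetime.fromisoformat(local_iso)
    return f"{realm}; {stime:%a, %d %b %Y %H:%M:%S} GMT; {format_difftime(stime, local)} from local time"


if __name__ == "__main__":
    sample = build_sample_krb_error(b"EXAMPLE.TEST", "20100106223416Z")
    print(skew_report(sample, "2010-01-06T23:39:19+00:00"))
```

The walker deliberately does not trust the 0xa9 byte on its own: it descends from the [APPLICATION 30] wrapper into the SEQUENCE and matches the context tag together with the inner type tag, so a 0xa9 that happens to occur inside a string or an e-data blob cannot be mistaken for the realm field.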