Nmap Development mailing list archives
Re: Kerberos probes for nmap
From: Matt Selsky <selsky () columbia edu>
Date: Sat, 23 Jan 2010 04:38:38 -0500
On Dec 22, 2009, at 11:50 AM, David Fifield wrote:
> On Tue, Dec 22, 2009 at 08:40:13AM +0100, Patrik Karlsson wrote:
> > Heimdal now returns an error "No client in request" while Windows is saying KDC_ERR_WRONG_REALM. When building my KrbGuess tool, that guesses valid usernames against a Kerberos server, I had to look into the details of the Kerberos protocol. I wrote some code that builds Kerberos packets, that unfortunately doesn't handle removing the stuff I have done now. So I have done it all by hand too.
>
> I've committed the new probe. Good job! I think we have a solid probe and match lines now. It's even possible to extract the server's clock setting from the error reply. It's a pity we can't use the probe that makes Windows disclose the realm. Out of curiosity, what were the contents of the reply? Maybe it can be made into an NSE script.
Mac OS X is too specific for this match. I tested several different MIT KDCs (not on OSX) and they all returned similar results. I was able to test MIT krb5 1.2.8, 1.3.5, 1.5.4, 1.6.3, and 1.7. (OSX 10.6.2 ships with a pre-release version of 1.7.) Versions 1.3 and higher have an e-text error of "NULL_CLIENT", while 1.2 has an e-text of "Client not found in Kerberos database". I don't have access to 1.0 or 1.1 to see what they do.

Attached patch implements this. The recent additional OSX Kerberos match line may also be more appropriate as an MIT Kerberos match line.

--
Matt
Attachment: krb5.patch
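The match lines discussed in this thread key on what the KDC puts in its KRB-ERROR reply: the error code, the e-text string (NULL_CLIENT, "Client not found in Kerberos database", "No client in request") and, as David notes, the server's own clock. The following is an added example, not code from the thread, from Nmap's nmap-service-probes or from the attached krb5.patch: it hand-encodes a constructed KRB-ERROR of the shape an MIT KDC returns to a malformed AS-REQ and then decodes the fields a service match line can look at. The realm EXAMPLE.COM, the timestamp and the susec value are made up, and the e-text-to-implementation mapping in kdc_hint reproduces only what Matt and Patrik report above, not Nmap's match table.

```python
"""Decode a Kerberos KRB-ERROR reply (RFC 4120, section 5.9.1).

Added example for the nmap-dev thread; not Nmap code and not krb5.patch.
Sample message, realm EXAMPLE.COM and KDC clock value are constructed.
"""
import datetime

# ---- minimal DER encoder, just enough for KRB-ERROR -----------------------

def _tlv(tag: int, body: bytes) -> bytes:
    """One DER TLV; short-form length below 128 bytes, long-form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v: int) -> bytes:
    """DER INTEGER, minimal two's-complement encoding."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n] around an already-encoded body."""
    return _tlv(0xA0 | n, body)

def _gentime(dt: datetime.datetime) -> bytes:
    """KerberosTime is a GeneralizedTime without fractional seconds."""
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def _gstr(s: str) -> bytes:
    """KerberosString and Realm are GeneralString (tag 0x1b)."""
    return _tlv(0x1B, s.encode("ascii"))

def _principal(name_type: int, parts: list) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }."""
    names = _tlv(0x30, b"".join(_gstr(p) for p in parts))
    return _tlv(0x30, _ctx(0, _int(name_type)) + _ctx(1, names))

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # RFC 4120 section 7.5.9
KDC_ERR_WRONG_REALM = 68           # the code Patrik saw from Windows

def build_krb_error(error_code: int = KDC_ERR_C_PRINCIPAL_UNKNOWN,
                    e_text: str = "NULL_CLIENT") -> bytes:
    """Constructed sample KRB-ERROR ::= [APPLICATION 30] SEQUENCE { ... }.
    Optional client fields (ctime, cusec, crealm, cname, e-data) are left out,
    as a KDC does when the request carried no usable client principal."""
    stime = datetime.datetime(2010, 1, 23, 9, 38, 38)       # made-up KDC clock
    fields = (
        _ctx(0, _int(5))                                      # pvno
        + _ctx(1, _int(30))                                   # msg-type = KRB-ERROR
        + _ctx(4, _gentime(stime))                            # stime
        + _ctx(5, _int(123456))                               # susec (made up)
        + _ctx(6, _int(error_code))                           # error-code
        + _ctx(9, _gstr("EXAMPLE.COM"))                       # realm (constructed)
        + _ctx(10, _principal(2, ["krbtgt", "EXAMPLE.COM"]))  # sname, NT-SRV-INST
        + _ctx(11, _gstr(e_text))                             # e-text
    )
    return _tlv(0x7E, _tlv(0x30, fields))   # 0x7e = [APPLICATION 30], constructed

# ---- minimal DER decoder ---------------------------------------------------

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def parse_krb_error(msg: bytes) -> dict:
    """Extract pvno, msg_type, stime, error_code, realm and e_text.
    Pass the raw UDP payload; over TCP strip the 4-byte length prefix first."""
    tag, seq, _ = _read_tlv(msg, 0)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR (expected [APPLICATION 30])")
    tag, fields, _ = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(fields):
        ctag, cval, pos = _read_tlv(fields, pos)
        _, inner, _ = _read_tlv(cval, 0)        # unwrap the [n] context tag
        n = ctag & 0x1F
        if n in (0, 1, 6):
            out[{0: "pvno", 1: "msg_type", 6: "error_code"}[n]] = \
                int.from_bytes(inner, "big", signed=True)
        elif n == 4:
            out["stime"] = datetime.datetime.strptime(inner.decode("ascii"), "%Y%m%d%H%M%SZ")
        elif n == 9:
            out["realm"] = inner.decode("ascii")
        elif n == 11:
            out["e_text"] = inner.decode("ascii")
    if out.get("pvno") != 5 or out.get("msg_type") != 30:
        raise ValueError("unexpected pvno/msg-type for a KRB-ERROR")
    return out

def kdc_hint(e_text: str) -> str:
    """e-text to implementation, using only what this thread reports."""
    return {"NULL_CLIENT": "MIT krb5 1.3 or later",
            "Client not found in Kerberos database": "MIT krb5 1.2",
            "No client in request": "Heimdal"}.get(e_text, "unknown")

if __name__ == "__main__":
    err = parse_krb_error(build_krb_error())
    print(err["error_code"], err["e_text"], err["stime"], kdc_hint(err["e_text"]))
```

The decoder walks the context tags by number rather than by position, so it also handles replies that include the optional ctime/cname fields it skips, and it rejects truncated elements instead of slicing past the end of the buffer. The stime field is the KDC's clock in UTC; comparing it against the prober's own clock is how the skew David mentions can be read off an error reply.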
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/