Nmap Development mailing list archives

Re: Kerberos probes for nmap


From: Matt Selsky <selsky () columbia edu>
Date: Tue, 26 Jan 2010 02:32:49 -0500


On Jan 25, 2010, at 2:44 PM, David Fifield wrote:

On Sat, Jan 23, 2010 at 04:38:38AM -0500, Matt Selsky wrote:

On Dec 22, 2009, at 11:50 AM, David Fifield wrote:

On Tue, Dec 22, 2009 at 08:40:13AM +0100, Patrik Karlsson wrote:
Heimdal now returns an error "No client in request" while Windows is
saying KDC_ERR_WRONG_REALM.

When building my KrbGuess tool, which guesses valid usernames against a
Kerberos server, I had to look into the details of the Kerberos
protocol. I wrote some code that builds Kerberos packets, which
unfortunately doesn't handle removing the stuff I have done now. So I
have done it all by hand too.

I've committed the new probe. Good job! I think we have a solid probe
and match lines now. It's even possible to extract the server's clock
setting from the error reply.

It's a pity we can't use the probe that makes Windows disclose the
realm. Out of curiosity, what were the contents of the reply? Maybe it
can be made into an NSE script.

Mac OS X is too specific for this match.  I tested several different
MIT KDCs (not on OSX) and they all returned similar results.  I was
able to test MIT krb5 1.2.8, 1.3.5, 1.5.4, 1.6.3, and 1.7.  (OSX
10.6.2 ships with a pre-release version of 1.7.)

Versions 1.3 and higher have an e-text error of "NULL_CLIENT", while
1.2 has an e-text of "Client not found in Kerberos database".

Thanks for the research, Matt. Will you send me the original
fingerprints?

Sure.

MIT krb5 1.2.8:

SF-Port88-UDP:V=5.20%I=7%D=1/26%Time=4B5E8944%P=i386-apple-darwin10.2.0%
SF:r(Kerberos,8B,"~\x81\x880\x81\x85\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x
SF:1e\xa2\x11\x18\x0f19860718214913Z\xa4\x11\x18\x0f20100126061839Z\xa5\x0
SF:5\x02\x03\x01d7\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\
SF:x03\x02\x01\0\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\(\x1b&Client\x20
SF:not\x20found\x20in\x20Kerberos\x20database\0");

MIT krb5 1.3.5:

SF-Port88-UDP:V=5.20%I=7%D=1/26%Time=4B5E8944%P=i386-apple-darwin10.2.0%
SF:r(Kerberos,6F,"~m0k\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa2\x11\x18
SF:\x0f19860718214913Z\xa4\x11\x18\x0f20100126061839Z\xa5\x05\x02\x03\x01\
SF:x97/\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01
SF:\0\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x0e\x1b\x0cNULL_CLIENT\0");

MIT krb5 1.6.3:

SF-Port88-UDP:V=5.20%I=7%D=1/26%Time=4B5E8900%P=i386-apple-darwin10.2.0%r(
SF:Kerberos,6F,"~m0k\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa2\x11\x18\x
SF:0f19860718214913Z\xa4\x11\x18\x0f20100126061601Z\xa5\x05\x02\x03\x08L\x
SF:98\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0
SF:\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x0e\x1b\x0cNULL_CLIENT\0");

MIT krb5 1.7:

SF-Port88-UDP:V=5.20%I=7%D=1/26%Time=4B5E99EC%P=i386-apple-darwin10.2.0%
SF:r(Kerberos,6F,"~m0k\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa2\x11\x18
SF:\x0f19860718214913Z\xa4\x11\x18\x0f20100126072944Z\xa5\x05\x02\x03\0\x9
SF:4P\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0
SF:\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x0e\x1b\x0cNULL_CLIENT\0")


-- 
Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
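As an added example (not code from this thread or from Nmap itself), here is a small Python decoder that takes the MIT krb5 1.3.5 fingerprint above, reverses nmap's string escaping, and walks the DER of the KRB-ERROR reply to recover the fields the thread talks about: the server clock in stime, the error code, the realm and the e-text. It assumes only single-byte ASN.1 tags and the RFC 4120 field numbering, so it works on the other fingerprints in the message as well.

```python
import re
from datetime import datetime, timezone
# Constructed input: the MIT krb5 1.3.5 fingerprint from the message above, verbatim.
FP_135 = r'''SF-Port88-UDP:V=5.20%I=7%D=1/26%Time=4B5E8944%P=i386-apple-darwin10.2.0%
SF:r(Kerberos,6F,"~m0k\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa2\x11\x18
SF:\x0f19860718214913Z\xa4\x11\x18\x0f20100126061839Z\xa5\x05\x02\x03\x01\
SF:x97/\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01
SF:\0\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x0e\x1b\x0cNULL_CLIENT\0");'''

def unescape_fingerprint(fp):
    """Rejoin the SF: continuation lines and decode nmap's escaped r(...) payload to bytes."""
    lines = fp.splitlines()
    joined = lines[0] + "".join(l[3:] if l.startswith("SF:") else l for l in lines[1:])
    m = re.search(r'r\(\w+,([0-9A-Fa-f]+),"(.*)"\)', joined, re.S)
    s, out, i = m.group(2), bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i])); i += 1
        elif s[i + 1] == "x":                          # \xHH, always two hex digits
            out.append(int(s[i + 2:i + 4], 16)); i += 4
        else:                                          # \0 \n \r \t; any other \c is a literal c
            out.append({"0": 0, "n": 10, "r": 13, "t": 9}.get(s[i + 1], ord(s[i + 1]))); i += 2
    assert len(out) == int(m.group(1), 16), "decoded length does not match the hex length field"
    return bytes(out)

def der_tlvs(buf):
    """Yield (tag, value) for each single-byte-tag DER TLV in buf (short and long lengths)."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                  # long form: (ln & 0x7f) length bytes follow
            n = ln & 0x7f
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + ln]
        i += ln

def parse_krb_error(raw):
    """Return stime, susec, error-code, realm and e-text from a KRB-ERROR ([APPLICATION 30])."""
    (tag, body), = der_tlvs(raw)
    (seq_tag, seq), = der_tlvs(body)
    if tag != 0x7e or seq_tag != 0x30:
        raise ValueError("not a KRB-ERROR message")
    f = {}
    for ctx, val in der_tlvs(seq):                     # [n] wrapper 0xa0|n holds exactly one value
        (_, f[ctx & 0x1f]), = der_tlvs(val)
    stime = datetime.strptime(f[4].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return {"stime": stime, "susec": int.from_bytes(f[5], "big"),
            "error_code": int.from_bytes(f[6], "big", signed=True), "realm": f[9].decode(),
            "e_text": f[11].rstrip(b"\0").decode() if 11 in f else None}
```

For the 1.3.5 fingerprint this yields error-code 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN in RFC 4120), realm NM, e-text NULL_CLIENT and an stime of 2010-01-26 06:18:39 UTC, which is the KDC's clock at the moment it answered the probe.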

