Nmap Development mailing list archives

Re: Kerberos probes for nmap


From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Dec 2009 00:01:22 -0700

On Wed, Dec 16, 2009 at 02:38:30AM +0100, Patrik Karlsson wrote:
> Here's a modified version of the packet where I have removed the things you mentioned.
> I have not touched the algorithms, because I'm uncertain which ones to leave.
> Removing some of them could reduce the footprint size by some 10 bytes or so.
> 
> I ran the new probe against my Heimdal which got me:
> 
> SF-Port88-UDP:V=5.10BETA1%I=7%D=12/16%Time=4B283757%P=i386-apple-darwin10.2.0%r(Kerberos,69,"~g0e\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18
> SF:\x0f20091216012641Z\xa5\x05\x02\x03\x0e/\xc3\xa6\x03\x02\x01<\xa9\x15\x
> SF:1b\x13<unspecified\x20realm>\xaa\x0b0\t\xa0\x03\x02\x01\0\xa1\x020\0\xa
> SF:b\x16\x1b\x14No\x20server\x20in\x20request");
> 
> I also tested it against a Windows server and it worked well, even
> returned the name of the realm. Unfortunately I don't have access to an
> OS X Kerberos server or to MIT Kerberos for additional testing.

I just tried the probe against Mac OS X (which I think uses MIT
Kerberos) and it didn't get a response. I tried re-adding the server name
and that got a response. This time the error message returned was
NULL_CLIENT instead of CLIENT_NOT_FOUND. Would you see if this probe
works for you? I think it's the same as your original except that it
uses the 1970-01-01 date and doesn't have a client name.

Probe UDP Kerberos
q|\x6a\x81\x6e\x30\x81\x6b\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\x0a\xa4\x81\x5e\x30\x5c\xa0\x07\x03\x05\0\x50\x80\0\x10\xa2\x04\x1b\x02NM\xa3\x17\x30\x15\xa0\x03\x02\x01\0\xa1\x0e\x30\x0c\x1b\x06krbtgt\x1b\x02NM\xa5\x11\x18\x0f19700101000000Z\xa7\x06\x02\x04\x1f\x1e\xb9\xd9\xa8\x17\x30\x15\x02\x01\x12\x02\x01\x11\x02\x01\x10\x02\x01\x17\x02\x01\x01\x02\x01\x03\x02\x01\x02|

Here's the response I get:

SF-Port88-UDP:V=5.10BETA1%I=2%D=12/21%Time=4B306D97%P=i686-pc-linux-gnu%r(
SF:Kerberos,6F,"~m0k\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa2\x11\x18\x
SF:0f19860718214913Z\xa4\x11\x18\x0f20091222065618Z\xa5\x05\x02\x03\x03G\x
SF:e7\xa6\x03\x02\x01\x06\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0
SF:\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\x02NM\xab\x0e\x1b\x0cNULL_CLIENT\0");

User Datagram Protocol, Src Port: kerberos (88), Dst Port: 46208 (46208)
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 1986-07-18 21:49:13 (UTC)
    stime: 2009-12-22 06:56:18 (UTC)
    susec: 215015
    error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
    Realm: NM
    Server Name (Unknown): krbtgt/NM
    e-text: NULL_CLIENT

Also, what tool are you using to make these packets? I was able to add
the server name by hand but it's tricky to keep all the ASN.1 length
values updated.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
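The AS-REQ probe above, built from its fields by a small DER encoder so that the ASN.1 length octets David mentions are computed rather than patched by hand. This is an added example, not code from the thread or from Nmap; the field layout follows the AS-REQ definition in RFC 4120, and the `strict` switch is my own: the probe on the page encodes its three outermost lengths (0x6e, 0x6b, 0x5e) in the two-byte long form, which BER permits but DER does not, so `strict=False` reproduces it byte for byte while `strict=True` gives the 110-byte minimal encoding.

```python
from datetime import datetime, timezone

def der_len(n, long=False):
    """Length octets: one byte below 0x80 (unless long is forced), else 0x80|k then k bytes."""
    if n < 0x80 and not long:
        return bytes([n])
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body, long=False):  # tag byte + computed length + contents
    return bytes([tag]) + der_len(len(body), long) + body

def integer(v):  # minimal two's-complement INTEGER
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ctx(n, body): return tlv(0xA0 | n, body)  # [n] context-specific, constructed
def seq(*items): return tlv(0x30, b"".join(items))
def genstr(s): return tlv(0x1B, s.encode())  # GeneralString
def gentime(dt): return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

def as_req_probe(realm="NM", nonce=0x1F1EB9D9, till=datetime(1970, 1, 1, tzinfo=timezone.utc),
                 strict=True):
    """AS-REQ with no cname. strict=True gives minimal DER; strict=False mimics the probe
    above, which encodes its three outermost lengths in the long form (legal BER, not DER)."""
    req_body = seq(
        ctx(0, tlv(0x03, b"\x00\x50\x80\x00\x10")),  # kdc-options BIT STRING, 0 unused bits
        ctx(2, genstr(realm)),
        ctx(3, seq(ctx(0, integer(0)),  # sname: name-type 0, krbtgt/REALM
                   ctx(1, seq(genstr("krbtgt"), genstr(realm))))),
        ctx(5, gentime(till)),
        ctx(7, integer(nonce)),
        ctx(8, seq(*(integer(e) for e in (18, 17, 16, 23, 1, 3, 2)))),  # etype list
    )
    lf = not strict
    hdr = ctx(1, integer(5)) + ctx(2, integer(10))  # pvno 5, msg-type 10 (AS-REQ)
    return tlv(0x6A, tlv(0x30, hdr + tlv(0xA4, req_body, lf), lf), lf)  # [APPLICATION 10]

# The probe bytes from the message above, copied verbatim for comparison.
NMAP_PROBE = (
    b"\x6a\x81\x6e\x30\x81\x6b\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\x0a\xa4\x81\x5e\x30\x5c"
    b"\xa0\x07\x03\x05\0\x50\x80\0\x10\xa2\x04\x1b\x02NM\xa3\x17\x30\x15\xa0\x03\x02\x01\0"
    b"\xa1\x0e\x30\x0c\x1b\x06krbtgt\x1b\x02NM\xa5\x11\x18\x0f19700101000000Z"
    b"\xa7\x06\x02\x04\x1f\x1e\xb9\xd9\xa8\x17\x30\x15\x02\x01\x12\x02\x01\x11\x02\x01\x10"
    b"\x02\x01\x17\x02\x01\x01\x02\x01\x03\x02\x01\x02"
)

def matches_nmap_probe():
    """True when the non-strict encoding reproduces the hand-built probe byte for byte."""
    return as_req_probe(strict=False) == NMAP_PROBE
```

Changing `realm` or `nonce` re-encodes every enclosing length automatically, which is the part that is error-prone when the packet is edited by hand.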