I'm not sure I could forge new tickets as an authenticated user, to be
honest.  I never really tried though I suspect that's more difficult than I
need to attempt because if I have that information, I already know enough
and have enough to mount a plausible attack.

In short, I never took it to the next step because that's more work than
needed.

As joe points out, you have authenticated user rights.  That's no different
than any other type of security account.

So your implied question, "Can I elevate my credentials if I have access to
your network as an authenticated user" is the one I think is relevant here.
I don't differentiate between a computer sec prin and a user sec prin.  They
are the same as far as I'm concerned and for the intents and purposes of
this conversation.

The short answer = I have a lot better chance of elevating my privs if I
have access to your network than if I don't, whether as a user or not. Just
because the user is an inanimate object doesn't make them any less/more of a
risk than a computer ;)

Al


On 1/8/07, Mr Oteece <[EMAIL PROTECTED]> wrote:

The question is whether having the machine account password and access to
that system gives you any ability to impersonate users or elevate your
access to other systems. Presumably, if you could get into the protected
store, you could compromise any locally cached tickets for other users to
specific services on remote systems. This is perhaps non-trivial on Windows
systems, but becomes a lot easier when you are root on a *nix system that is
using Kerberos against AD. Sticking just to Windows, could you conceivably
forge new tickets to remote resources as an arbitrary user?  That would
be the rationale for attacking the computer account rather than a user
account. More bang for the buck.


On 1/8/07, Al Mulnick <[EMAIL PROTECTED]> wrote:
>
> I haven't tried it, but I would have assumed (I know, I know) that if
> somebody *could* gain the computer account password:
> 1) you have much bigger issues
> 2) they would have access to a machine.  See #1
> 3) they would have access to anything that authenticated users have
> access to. See #1
> 4) they know enough about your systems to mount a pretty good attack.
> See #1
>
> IIRC, machine accounts can get old for various but legitimate reasons.
> Consider a laptop that hasn't been back on your trusted network for over 30
> days.  It would have an old password, but it may be legitimate and may come
> back to your network in the next 60 and would be able to synchronize its
> password changes then.
>
> You really have to protect the source of the machine account password
> which is random and is not readily available.
>
> Do you have a way to get the machine account passwords? If so, why?  And
> if you have them, why don't you just go after the user passwords?
>
> On 1/8/07, Mr Oteece <[EMAIL PROTECTED]> wrote:
> >
> > What are the risks associated with the exposure of machine account
> > passwords in Active Directory? Passwords are changed for machine accounts
> > regularly, but they don't really expire and can get rather old. If an
> > attacker has access to this password, what sort of access would he have to
> > other systems on the network via Kerberos? i.e., would he be able to
> > forge service tickets as other users and elevate his access elsewhere? The
> > laxness of policy surrounding these accounts suggests that this is not a
> > huge risk. Should we be more concerned with these old passwords?
> >
> > Otis
> >
>
>
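One way a defender can check how old machine account passwords actually are, given the 30-day and 60-day windows Al's message mentions. This is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the caller can read computer objects in the domain.

```powershell
# Audit enabled AD computer accounts by password age.
# Assumes the ActiveDirectory module and read access to computer objects.
param(
    [int]$WarnDays  = 30,   # a laptop away from the trusted network for 30+ days
    [int]$StaleDays = 60    # beyond this, investigate or disable the account
)
Import-Module ActiveDirectory

$now = Get-Date
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem

$report = foreach ($c in $computers) {
    # PasswordLastSet can be empty for accounts that were pre-created and never joined.
    if (-not $c.PasswordLastSet) { continue }
    $age = [int]($now - $c.PasswordLastSet).TotalDays
    $state = if ($age -ge $StaleDays) { 'stale' }
             elseif ($age -ge $WarnDays) { 'warn' }
             else { 'ok' }
    [pscustomobject]@{
        Name            = $c.Name
        OS              = $c.OperatingSystem
        PasswordAgeDays = $age
        LastLogon       = $c.LastLogonDate
        State           = $state
    }
}

# The interesting rows are old passwords on machines that have logged on recently:
# a present machine that is not rotating its password is a policy failure,
# not just a laptop that has been away from the network.
$report |
    Where-Object { $_.State -ne 'ok' } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table Name, OS, PasswordAgeDays, LastLogon, State -AutoSize
```

Comparing PasswordAgeDays against LastLogon separates the legitimately absent laptop from a machine on the network whose password rotation is being blocked.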
