Re: security - "pass the hash" style attacks?

2014-11-03 Thread Nex6|Bill
On Nov 3, 2014, at 4:28 AM, Jérémie Courrèges-Anglas  wrote:

> Philip Guenther  writes:
>
>> [apologies for the contentless previous message]
>>
>> On Sun, Nov 2, 2014 at 4:43 PM, Philip Guenther  wrote:
>>> On Sun, Nov 2, 2014 at 4:41 PM, Nex6|Bill  wrote:
>>> ...
>>>> what about kerberos? (windows K5 vs Unix K5?)
>>
>> There's a bunch of *really good* papers on Kerberos's design which
>> discuss exactly these sorts of issues and how they are addressed or
>> completely avoided.  I remember finding the one cast as a dialog
>> between two system programmers (one named Athena...) as a good intro
>> on this stuff.
>
> Yup.  First "tutorial" link on this page:
>
>  http://web.mit.edu/kerberos/papers.html
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Here is a pretty good Black Hat talk about this: though it's Windows-specific,
the gist of it is that Kerberos is just as broken as NTLM, since enforcement is
client side...


-Nex6




Re: security - "pass the hash" style attacks?

2014-11-03 Thread Jérémie Courrèges-Anglas
Philip Guenther  writes:

> [apologies for the contentless previous message]
>
> On Sun, Nov 2, 2014 at 4:43 PM, Philip Guenther  wrote:
>> On Sun, Nov 2, 2014 at 4:41 PM, Nex6|Bill  wrote:
>> ...
>>> what about kerberos? (windows K5 vs Unix K5?)
>
> There's a bunch of *really good* papers on Kerberos's design which
> discuss exactly these sorts of issues and how they are addressed or
> completely avoided.  I remember finding the one cast as a dialog
> between two system programmers (one named Athena...) as a good intro
> on this stuff.

Yup.  First "tutorial" link on this page:

  http://web.mit.edu/kerberos/papers.html

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: security - "pass the hash" style attacks?

2014-11-02 Thread Alexander Hall
On November 3, 2014 1:41:24 AM CET, Nex6|Bill  wrote:

> so, for OpenBSD you would have to get the /etc/passwd for an offline attack on
> the password hashes and for that they would need a user account to logon to
> the system. Or to have compromised the system in such a way as they could
> copy /etc/passwd.

/etc/passwd does not contain password hashes. /etc/master.passwd does, but with 
vastly different permission bits.

/Alexander



Re: security - "pass the hash" style attacks?

2014-11-02 Thread Philip Guenther
[apologies for the contentless previous message]

On Sun, Nov 2, 2014 at 4:43 PM, Philip Guenther  wrote:
> On Sun, Nov 2, 2014 at 4:41 PM, Nex6|Bill  wrote:
> ...
>> what about kerberos? (windows K5 vs Unix K5?)

There's a bunch of *really good* papers on Kerberos's design which
discuss exactly these sorts of issues and how they are addressed or
completely avoided.  I remember finding the one cast as a dialog
between two system programmers (one named Athena...) as a good intro
on this stuff.


Philip Guenther



Re: security - "pass the hash" style attacks?

2014-11-02 Thread Philip Guenther
On Sun, Nov 2, 2014 at 4:41 PM, Nex6|Bill  wrote:
...
> what about kerberos? (windows K5 vs Unix K5?)

>>> is OpenBSD, or BSD in general vulnerable to these style attacks?
>>
>> The vulnerability is the authentication protocol/method, independent of
>> the operating system.
>> If you used NTLM or LanMan password authentication on OpenBSD, you
>> would be vulnerable.
>> You would also have to be insane.
>>
>>
>>> or just the normal unix dump the password /etc/passwd table for offline 
>>> attacks sorts of
>>> stuff?
>>
>> For the authentication methods in base, correct.
>
> so, for OpenBSD you would have to get the /etc/passwd for an offline attack
> on the password hashes and for that they would need a user account to logon
> to the system. Or to have compromised the system in such a way as they could
> copy /etc/passwd.
>
> other types of attacks would be brute force against SSHD sorts of stuff which
> could be detected and mitigated.
>
>> Philip Guenther



Re: security - "pass the hash" style attacks?

2014-11-02 Thread Nex6|Bill
On Nov 2, 2014, at 4:30 PM, Philip Guenther  wrote:

> On Sun, Nov 2, 2014 at 4:05 PM, Nex6|Bill  wrote:
>> I know, that “pass the hash” is now getting a lot of playtime on windows. and
>> I have heard in a couple of talks that its directly related to “SSO” part of
>> the OS, and may be part of posix?
>
> Nope.  It's just a bad (as in, completely broken) design for the NTLM
> and LanMan authentication protocols.

So, any machine/OS that's authenticating to a PtH-vulnerable protocol, namely
LanMan/NTLM, would be vulnerable to this no matter the OS.

What about Kerberos? (Windows K5 vs Unix K5?)


>
>
>> is OpenBSD, or BSD in general vulnerable to these style attacks?
>
> The vulnerability is the authentication protocol/method, independent of
> the operating system.
> If you used NTLM or LanMan password authentication on OpenBSD, you
> would be vulnerable.
> You would also have to be insane.
>
>
>> or just the normal unix dump the password /etc/passwd table for offline
>> attacks sorts of stuff?
>
> For the authentication methods in base, correct.

So, for OpenBSD you would have to get /etc/passwd for an offline attack on
the password hashes, and for that they would need a user account to log on to
the system, or to have compromised the system in such a way that they could
copy /etc/passwd.

Other types of attacks would be brute force against sshd, the sort of stuff
which could be detected and mitigated.


> Philip Guenther




Re: security - "pass the hash" style attacks?

2014-11-02 Thread Philip Guenther
On Sun, Nov 2, 2014 at 4:05 PM, Nex6|Bill  wrote:
> I know, that “pass the hash” is now getting a lot of playtime on windows. and
> I have heard in a couple of talks
> that its directly related to “SSO” part of the OS, and may be part of posix?

Nope.  It's just a bad (as in, completely broken) design for the NTLM
and LanMan authentication protocols.


> is OpenBSD, or BSD in general vulnerable to these style attacks?

The vulnerability is the authentication protocol/method, independent of
the operating system.
If you used NTLM or LanMan password authentication on OpenBSD, you
would be vulnerable.
You would also have to be insane.


> or just the normal unix dump the password /etc/passwd table for offline 
> attacks sorts of
> stuff?

For the authentication methods in base, correct.


Philip Guenther



security - "pass the hash" style attacks?

2014-11-02 Thread Nex6|Bill
I know that “pass the hash” is now getting a lot of playtime on Windows, and
I have heard in a couple of talks that it's directly related to the “SSO” part
of the OS, and may be part of POSIX?

Is OpenBSD, or BSD in general, vulnerable to these style of attacks? Or just the
normal Unix "dump the /etc/passwd password table for offline attacks" sort of
stuff?

Thoughts?


-Nex6
