Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 17 Nov 2012 00:13:03 +0100
From: buawig <buawig@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking passwords with a kerberos traffic dump
 / aes256-cts-hmac-sha1-96 (18)

[I try to answer all previous emails in this single email]

> What is the value of "Encryption type" when you view the AS-REQ
> packet in Wireshark?
> 
> On my setup (which is using default values) it is 18 
> (aes256-cts-hmac-sha1-96 is being used).

Yes, I noticed it too, it is aes256-cts-hmac-sha1-96 (18), which is
probably why Cain is not able to extract ENC_TIMESTAMP from AS-REQ.

So a passive attacker would have to deal with that kind of encryption
type. An active attacker can 'tell' the client to use a weaker
encryption type that would be a lot faster to crack (downgrade attack[1]).
I haven't seen any tools that would do that out of the box though.
My win7 client even lists des-cbc-md5 (3) in his supported enc types.

Nonetheless it would be great to see an implementation for
enc type 18 / aes256-cts-hmac-sha1-96 (from a traffic capture).

[1]
http://media.blackhat.com/bh-us-10/whitepapers/Stender_Engel_Hill/BlackHat-USA-2010-Stender-Engel-Hill-Attacking-Kerberos-Deployments-wp.pdf

> That reminds me of our recent (currently only in git) krb5-18 format
> submitted by Camille Mougey. You need to uncomment HAVE_KRB5 in
> Makefile to build it (and you need libkrb5-dev installed).

When looking for something that can handle enc type 18 I stumbled also
on it:
http://www.openwall.com/lists/john-dev/2012/09/06/3

> Apparently both these would attack a dumped realm database though -
> not sniffed data.

Ok, this probably explains why my value has 112 chars and krb5-18_fmt.c
expects 64.

>> I loaded the pcap file into cain but nothing showed up in the MS
>> Kerberos5 PreAuth section.
> 
> But you did sniff a windows client logging on to the Microsoft AD, or did you not?

Yes, correctly (windows client AD auth.).

> Here's an article that I referenced in the mskrb5 source code:
> http://www.securiteam.com/windowsntfocus/5BP0H0A6KM.html

Since I learned that john's best documentation (expected file format for
specific hash types) is found in it's .c files I always have a look at
them and saw that URL, this was also the moment when I was wondering if
mskrb5 might only apply for older windows versions - which is the case
as we know now (at least without performing an active downgrade attack).

Thank you for your help and numerous answers, looking forward to see
krb5-18-traffic_fmt.c ;)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.