attacking kerberos deployments
play

Attacking Kerberos Deployments Breaking the Intranet Rachel Engel, - PowerPoint PPT Presentation

Jul 21, 2023 •179 likes •713 views

Attacking Kerberos Deployments Breaking the Intranet Rachel Engel, Brad Hill and Scott Stender Black Hat USA 2010 https://www.isecpartners.com About Us Who are you? Security Consultants at iSEC Partners Work in our application

  1. Attacking Kerberos Deployments Breaking the Intranet Rachel Engel, Brad Hill and Scott Stender Black Hat USA 2010 https://www.isecpartners.com

  2. About Us  Who are you?  Security Consultants at iSEC Partners  Work in our application security consulting practice  Based in Seattle  What is this talk about?  Performing practical attacks against common Kerberos deployment patterns  Why should I care?  If you have authenticated to another machine at work, you have probably used Kerberos 2

  3. Agenda  Protocol Overview  Initial Authentication and Etype Downgrades  PKINIT: Kerberos and Smart Cards  Hijacking Active Directory Workstations with Smart Card login: Own one box, own the Enterprise  Hijacking Kerberized Services  AP-REQ replay attack and defense  Mutual authentication and SPNs 3

  4. A quick introduction to Kerberos

  5. Kerberos: The Basic Protocol AS-REQ AS-REP KDC TGS-REQ [host/fileserver] TGS-REP client fileserver 5

  6. Kerberos rules the Intranet  Interoperable and standardized  Most widely utilized and preferred protocol for authentication in large, centrally managed environments  Windows Active Directory Networks  Large educational networks on Unix/Linux  Still being adopted in new places  Hadoop  Web Services  InfoCard 6

  7. Initial Authentication and Etypes

  8. Cryptographic Primitives  Cryptographic Agility was a big driver for Kerberos v5  Etypes define the set of primitives to be used for cryptographic operations  Examples include: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-md5 rc4-hmac-exp 8

  9. Etype Negotiation AS-REQ ENC-TIMESTAMP: NULL aes-256-cts-hmac-sha1-96 des-cbc-md5 ERR PREAUTH REQUIRED aes-256-cts-hmac-sha1-96 des-cbc-md5 client KDC AS-REQ ENC- TIMESTAMP: 6ba4… aes-256 aes-256-cts-hmac-sha1-96 des-cbc-md5 AS-REP ENC- PART: bc32… aes-256 9

  10. Attacking Etype Negotiation  How can an active attacker influence etype negotiation to his or her advantage?  Lie to the server about client capabilities  Downgrade initial anonymous AS-REQ  Downgrade the authenticated AS-REQ  Lie to the client about server capabilities  Downgrade ERR PREAUTH REQUIRED and several others 10

  11. Benefits of Downgrade  The key used to encrypt the authenticator is derived directly from the user’s password.  Try:  Active downgrade  Capture authenticator  Use the key to make your own authenticator later 11

  12. Benefits of Downgrade  Frank O’Dwyer demonstrated the feasibility of password grinding on RC4 – other etypes are similarly vulnerable  Newer etypes have been designed to resist such attacks  Even when exhaustive key search is unavailable, downgrade can make password grinding feasible 12

  13. Does this Affect Me?  Windows 2008 / Windows Vista and previous enable DES for both outbound and inbound  Rather recent open-source distributions of Kerberos do the same, but your mileage will vary on your distribution and configuration steps.  Windows 7 emits, but does not accept, export-grade RC4  Enabling DES etypes is still surprisingly common for interoperability 13

  14. Protecting Against Downgrade  In a word, disable “weak” etypes  DES, Export-Grade  If possible, everything but the latest and greatest AES  Disabling etypes  Always configurable in MIT and similar distributions  Windows 2008 R2 / Windows 7 introduced a new security policy for this  These are increasingly disabled by default  Windows 2008 R2, MIT Kerb 1.8 14

  15. Public Key Kerberos and Smart Cards

  16. Basics of PKINIT Client Preauthenticator KDC Reply  AuthPack  EncKeyPack  KdcName  RecipientInfo  IssuerAndSerialNumber  KdcRealm  Encrypted Key  Cusec  EncryptedContentInfo  Ctime  ReplyKeyPack  Nonce  ReplyKey  Client Certificate  AS Checksum  ReplyKeyPack Signature  RSA SHA1 Signature  KDC Certificate

  17. Mutual authentication?  In traditional Kerberos, the user and KDC shared a secret.  Now we have PKI involved. As HTTPS has repeatedly shown us, PKI is tricky. 17

  18. Who are the trust roots for Public Key Kerberos?  Luckily, the usual suspects from the Web are not involved.  Certificates must be issued by a specific root CA(s)  Config file for Unix/Linux clients  Registry and Active Directory for Windows clients  Client certs must be issued by this authority and have the Smart Card Authentication EKU  How is the KDC authenticated by the client? 18

  19. PKINIT KDC Authentication  Certificate must be issued by the designated authority.  Must have the subject indicated in a correct format.  Usually a UPN (email address)  MIT & Heimdal look for the KDC Key Purpose ID EKU.  What do Windows clients verify? Not documented. 19

  20. New group policy in Vista SP1: “Require strict KDC validation” “This policy setting controls the Kerberos client's behavior in validating the KDC certificate.” “If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAUTH store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.” Yadda … yadda … yadda … 20

  21. “If you disable or do not configure this policy setting, the Kerberos client will require only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions .”  What other certificates have the Server Auth EKU? 21

  22. Web Server template  Have you been following security advice to use HTTPS on your intranet? How many internal web servers do you have with certificates issued by the Enterprise CA?  How much to you trust these systems and those with administrative access to them?  Even if you use NAP/NAC, at least one of these is accessible to non-compliant clients. (remediation server) 22

  23. Computer Template  Default AD Cert Services Enterprise Authority configuration: 23

  24. Impersonate the KDC in PKINIT  In a default install, any workstation in the domain has access to credentials that allow impersonation of the KDC.  In a default install, works for all clients through and including Win 7.  And for MIT and Heimdal clients configured for interop with a Windows Server KDC.  (pkinit_require_eku = false) 24

  25. Can’t the Kerberos client match the X.509 Subject in the KDC certificate?  MIT & Heimdal could check that the name is in the list of KDCs for the realm in /etc/krb5.conf, but don’t  Windows doesn’t know who the DC / KDC is. It asks the network via a combination of insecure protocols:  DNS SRV records  NetBIOS  Unauthenticated CLDAP  Doesn’t bother do to DNS to CNAME match, anyway  DNSSEC won’t save you  And Kerberos traffic is usually exempt from IPSEC policy 25

  26. Elevation: MIT/Heimdal kinit+NFS PK-AS-REQ PK-AS-REP Impostor KDC KDC www TGS-REQ [host/fileserver] Windows TGS-REP Domain Victim Controller fileserver 26

  27. Elevation: Windows Smart Card Logon PK-AS-REQ PK-AS-REP Impostor KDC KDC Victim www TGS-REQ [host/workstation] Windows TGS-REP Domain AP-REQ Controller AP-REP For Domain logon, first action of client after getting a user TGT is to mutually authenticate itself to the workstation. The evil KDC can forge a TGS-REP, but doesn’t don’t know the symmetric secret of the Workstation workstation, so it won’t be accepted, and the AP - REQ/REP happens locally so it can’t be influenced by a MITM. 27

  28. How to get around this?  Find a scenario where the computer account verification isn’t needed or can’t happen.  Domain join  Based entirely on user credentials  If we have an account that is privileged to join machines to the domain: Act as silent MITM, learn system account password.  Assuming control of such an account may already be “game over” in many deployments.  Or join to impostor domain, supply policy that provides persistent control, then re-join to real domain once a user with appropriate privilege logs in again. 28

  29. We can do better… 29

  30. What if we have a conspiring user?  Usually, all users allowed to logon to all workstations.  User Principal Name Canonicalization: “ If the "canonicalize" KDC option is set, then the KDC MAY change the client and server principal names and types in the AS response and ticket returned from the name type of the client name in the request. In a TGS exchange, the server principal name and type may be changed.” [draft-ietf-krb-wg-kerberos-referrals-11] 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
Kerberos & X.509 11

Kerberos & X.509 11

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading assignment: Chapters 13-14 G. Noubir, Network Security Kerberos Outline Kerberos V4 Kerberos V5 G. Noubir, Network Security Kerberos 2 What is

1.16k views • 9 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

11/27/17 Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27, 2017 Sprenkle - CSCI325 1 Kerberos Trusted third party, runs by default on port 88 Security objects: Ticket: token, verifying

407 views • 30 slides
Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl eans Projet SDS - LIFO et ENSI de Bourges nicolas.greneche@univ-orleans.fr 11/07/2011 Sommaire Pourquoi Kerberos ? 1 Les acteurs 2 Le

497 views • 22 slides
Runion PLEPU : 16 nov. 2016 Olivier Deschamps LPC Clermont-F d UBP/CNRS/IN2P3 1 Radiative

Runion PLEPU : 16 nov. 2016 Olivier Deschamps LPC Clermont-F d UBP/CNRS/IN2P3 1 Radiative

Runion PLEPU : 16 nov. 2016 Olivier Deschamps LPC Clermont-F d UBP/CNRS/IN2P3 1 Radiative transition of b quarks Flavour Changing Neutral Current : b q first observed at Cleo (1993) through B 0,+ K* 0,+ Real photon

351 views • 19 slides
Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking , August 1999 Digital Signature Examples: RSA, DSA Provide authenticity, integrity and non- repudiation How to

329 views • 22 slides
Video-Rate Stereo Vision on a Reconfigurable Hardware Ahmad Darabiha Department of Electrical

Video-Rate Stereo Vision on a Reconfigurable Hardware Ahmad Darabiha Department of Electrical

Video-Rate Stereo Vision on a Reconfigurable Hardware Ahmad Darabiha Department of Electrical and Computer Engineering University of Toronto Introduction What is Stereo Vision? The ability of finding the depth information encoded

384 views • 26 slides
Verilog HDL:Digital Design and Modeling Chapter 6 User-Defined Primitives Chapter 6

Verilog HDL:Digital Design and Modeling Chapter 6 User-Defined Primitives Chapter 6

Chapter 6 User-Defined Primitives 1 Verilog HDL:Digital Design and Modeling Chapter 6 User-Defined Primitives Chapter 6 User-Defined Primitives 2 Page 229 //3-input AND gate as a udp primitive udp_and3 (z1, x1, x2,

619 views • 42 slides
Adolescent Substance Use and Interventions Tom Freese, PhD Sherry Larkins, PhD May 17, 2011

Adolescent Substance Use and Interventions Tom Freese, PhD Sherry Larkins, PhD May 17, 2011

Adolescent Substance Use and Interventions Tom Freese, PhD Sherry Larkins, PhD May 17, 2011 Agenda Review importance of epidemiological data understand adolescent substance issues. Review standardized screening & assessment

627 views • 62 slides
A Comparison Of Shared Memory Parallel Programming Models Jace A Mogill David Haglin 1

A Comparison Of Shared Memory Parallel Programming Models Jace A Mogill David Haglin 1

A Comparison Of Shared Memory Parallel Programming Models Jace A Mogill David Haglin 1 Parallel Programming Gap Not many innovations... Memory semantics unchanged for over 50 years 2010 Multi-Core x86 programming model identical to 1982

437 views • 20 slides
If you gain the respect and confidence of readers, and they find you easy to get at and

If you gain the respect and confidence of readers, and they find you easy to get at and

If you gain the respect and confidence of readers, and they find you easy to get at and pleasant to talk with, great opportunities are afforded of stimulating the love of study and of directing investigators to the best sources of

580 views • 26 slides
Part D Payment Modernization Model Model Overview Centers for Medicare & Medicaid Services

Part D Payment Modernization Model Model Overview Centers for Medicare & Medicaid Services

Part D Payment Modernization Model Model Overview Centers for Medicare & Medicaid Services (CMS) Innovation Center 1 CMS Introductions Center for Medicare and Medicaid Innovation Laura McWright, Seamless Care Models Group, Deputy Director

878 views • 20 slides

More recommend