[23838] in Kerberos


Re: Denial of service when using Active Directory for KDC ?

daemon@ATHENA.MIT.EDU (Markus Moeller)
Fri May 6 13:56:16 2005

Message-Id: <200505060909.j4699XH6011464@pacific-carrier-annex.mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: binary
Mime-Version: 1.0
From: Markus Moeller <huaraz@moeller.plus.com>
To: Markus Moeller <huaraz@moeller.plus.com>,
        Tim Alsop
    <Tim.Alsop@CyberSafe.Ltd.UK>,
        jpbermejo <jpbermejo@prisacom.com>
Date: Fri, 06 May 2005 10:20:41 +0100
cc: kerberos@mit.edu
Reply-To: huaraz@moeller.plus.com
Errors-To: kerberos-bounces@mit.edu


To use a computer account in AD for a principal, you first have to create a normal
computer account (e.g. mmtest) and then execute:

C:\program files\Support Tools>ktpass -out d:\Temp\test1.keytab -pass Test000$ -crypto rc4-hmac-nt /ptype KRB5_NT_SRV_HST -princ testsvc/moelma.test.com@TEST.COM -mapuser mmtest$@TEST.COM
Targeting domain controller: testkdc.test.com
Using legacy password setting method
Successfully mapped testsvc/moelma.wks.uk.deuba.com to MMTEST$.
WARNING: Account MMTEST$ is not a user account (uacflags=0x1021).
WARNING: Resetting MMTEST$'s password may cause authentication problems if MMTEST$ is being used as a server.

Reset MMTEST$'s password [y/n]?  y
Key created.
Output keytab to d:\Temp\test1.keytab:
Keytab version: 0x502
keysize 81 testsvc/moelma.test.com@TEST.COM ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x5443b0c1ad573155fa2d95eee1971574)


This will create a keytab with an RC4 key which is mapped to a computer account.
Any password expiry set for user accounts (e.g. domain-wide settings) won't
affect the computer account.

Regards
Markus
On Fri May  6  9:34 , jpbermejo <jpbermejo@prisacom.com> sent:

>On Thu, 2005-05-05 at 21:52 +0100, Markus Moeller wrote:
>> Tim,
>> in our setup we use computer accounts instead of user accounts, and haven't
>> experienced this issue. I think the latest ktpass can do this with
>> mapuser having a $ at the end.
>
>I don't know about computer accounts, but this DoS is not possible if
>you are using service principals. Active Directory doesn't allow login
>for service principals, and keytabs are only useful to decrypt tickets.
>Making an ldap query to AD, you can get things like
>
>dNSHostName: sist03lnx.domain.com
>userPrincipalName: HOST/sist03lnx@DOMAIN.COM
>servicePrincipalName: HTTP/sist03lnx.domain.com
>servicePrincipalName: HTTP/sist03lnx
>
>In this case, only HOST/sist03lnx keytab works with `kinit -k`. If you
>attempt to get a TGT with the other principals, you get nothing.
>
>Javier Palacios
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
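Before a keytab produced as above is deployed, it is worth reading it back to confirm that the principal, ptype, vno and encryption type match what ktpass printed, and to flag RC4 or DES keys that a domain should no longer accept. The parser below for the 0x502 keytab layout is an added example, not code from the mail, from ktpass or from MIT Kerberos; the sample keytab, the extra `host/` entry and all key bytes are constructed.

```python
import struct

WEAK_ENCTYPES = {0x01, 0x02, 0x03, 0x17}   # single-DES and RC4-HMAC (0x17 is what ktpass wrote above)
def _counted(buf, off):   # uint16 length-prefixed octet string at off -> (bytes, offset after it)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> list:
    """Parse a 0x502 keytab (MIT layout, big-endian) into dicts with the fields ktpass prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x502 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:                     # a negative size marks a deleted slot, skipped below
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, off = _counted(data, off + 2)   # v2 stores the realm before the components
            comps = []
            for _ in range(ncomp):
                c, off = _counted(data, off)
                comps.append(c.decode())
            ptype, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
            etype, klen = struct.unpack_from(">HH", data, off + 9)
            key, off = data[off + 13:off + 13 + klen], off + 13 + klen
            # an optional trailing 32-bit vno overrides the 8-bit one when present and non-zero
            vno = (struct.unpack_from(">I", data, off)[0] or vno8) if end - off >= 4 else vno8
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "ptype": ptype, "vno": vno, "etype": etype, "key": key})
        off = end
    return entries

def weak_entries(entries) -> list:
    # principals keyed with RC4 or DES; a keytab made with -crypto rc4-hmac-nt always lands here
    return [e["principal"] for e in entries if e["etype"] in WEAK_ENCTYPES]
def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_entry(principal: str, ptype: int, vno: int, etype: int, key: bytes) -> bytes:
    """Serialise one entry in the layout parse_keytab reads (only used to construct sample data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBHH", ptype, 0, vno & 0xFF, etype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the RC4 entry from the ktpass run above plus an AES256 one; key bytes are dummies.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("testsvc/moelma.test.com@TEST.COM", 3, 1, 0x17, bytes(range(16)))
                 + build_entry("host/moelma.test.com@TEST.COM", 3, 2, 0x12, bytes(range(32))))
```

Running `weak_entries(parse_keytab(open("test1.keytab", "rb").read()))` against a real file lists every principal whose key would need to be re-issued with an AES enctype.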
