krb5 vulnerability ?
Andreas Schneider
asn at samba.org
Tue Dec 15 12:14:19 UTC 2015
On Monday 14 December 2015 17:34:35 Jeremy Allison wrote:
> On Mon, Dec 14, 2015 at 05:17:59PM -0800, Jeremy Allison wrote:
> > Interesting post here:
> >
> > http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
> >
> > Still reading it myself to try and understand
> > if it's a real issue of not, but thought the
> > list would be interested.
>
> Hmmm. Doesn't look real as far as I can see
> (the article is full of hyperbole).
>
> It's got lots of phrases like:
>
> "So, if we have an access to the key.."
>
> "if we’re able to steal those tickets and somehow
> insert them into our own system"
>
> "It’s just an account in domain controller
> database, so your obviously need access to DC or it’s data."
>
> So looks like a "if we can break the security
> then we've broken the security" article :-).
>
> Move along, nothing to see here, sorry for
> the noise.
This is more or less about a tool called mimikatz:
https://github.com/gentilkiwi/mimikatz
The tool injects a DLL into lsass.exe and then you can get access to the
memory of lsass.exe and can obtain hashes from Kerberos keys or NTLM.
For the injection you need SeDebugPrivilege. If you have that privilege it is
equal to being the Administrator.
https://blogs.msdn.microsoft.com/oldnewthing/20080314-00/?p=23113/
So as far as I understand it, you need to own a machine with admin or similar
privileges in order to get access to NTLM or Kerberos credentials of logged in
users.
So you need to prevent admin from reading Kerberos hashes from the memory.
On Linux this might be possible with the Kernel keyring where Kerberos tickets
are stored nowadays. But this means the usability will be bad and it won't be
"Single Sign On" anymore ...
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
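The post describes a tool that opens lsass.exe and reads its memory. From the defender's side, the corresponding signal is a process other than the usual system components obtaining a handle to lsass.exe with read, write or thread-creation rights. The block below is an added example, not code from this thread, from mimikatz or from Samba: it runs a small detection rule over constructed Sysmon-style "ProcessAccess" records (the `key=value|key=value` line format, the sample lines and the `ALLOWLISTED_SOURCES` set are all assumptions made for the example; the access-right constants are the standard Windows values from winnt.h).

```python
"""
Added example: flag handle opens against lsass.exe that carry memory-read,
memory-write or thread-creation rights, ignoring an allowlist of images that
legitimately touch lsass.exe.  Input records are constructed sample data in a
made-up 'key=value|key=value' format, not real telemetry.
"""
from dataclasses import dataclass

# Windows process access rights (winnt.h) that allow reading from or injecting
# into another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

SUSPICIOUS_MASK = (
    PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
)

# Hypothetical allowlist (assumption for this example): images on a given host
# that are expected to open lsass.exe, e.g. core system processes or an EDR
# agent.  Compared case-insensitively; tune per environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\exampleedr\agent.exe",
}


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one constructed 'SourceImage=...|TargetImage=...|GrantedAccess=0x...' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious(ev: ProcessAccessEvent) -> bool:
    """True when a non-allowlisted image opens lsass.exe with read/write/thread rights."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWLISTED_SOURCES:
        return False
    return bool(ev.granted_access & SUSPICIOUS_MASK)


def find_suspicious(lines):
    """Return the parsed events that trip the rule, in input order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample records.  0x1000 is PROCESS_QUERY_LIMITED_INFORMATION only;
# 0x1438 combines QUERY_LIMITED_INFORMATION, QUERY_INFORMATION, VM_WRITE,
# VM_READ and VM_OPERATION.
SAMPLE_LOG = [
    "SourceImage=C:\\Program Files\\ExampleEDR\\agent.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "SourceImage=C:\\Windows\\System32\\svchost.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\alice\\Downloads\\tool.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1438",
    "SourceImage=C:\\Users\\alice\\Downloads\\tool.exe"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {ev.source_image} opened {ev.target_image} "
              f"with access 0x{ev.granted_access:04x}")
```

Of the four sample records only the third trips the rule: the EDR agent is allowlisted, svchost.exe asks for query rights only, and the last record does not target lsass.exe. The rule keys on the access mask rather than on a specific tool name because, as the post notes, whoever holds SeDebugPrivilege can read that memory with any program; a per-host allowlist is what keeps the rule quiet on the system processes that genuinely need the handle.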
More information about the samba-technical mailing list