krb5 vulnerability ?

Andreas Schneider asn at
Tue Dec 15 12:14:19 UTC 2015

On Monday 14 December 2015 17:34:35 Jeremy Allison wrote:
> On Mon, Dec 14, 2015 at 05:17:59PM -0800, Jeremy Allison wrote:
> > Interesting post here:
> > 
> >
> > ks/
> > 
> > Still reading it myself to try and understand
> > if it's a real issue of not, but thought the
> > list would be interested.
> Hmmm. Doesn't look real as far as I can see
> (the article is full of hyperbole).
> It's got lots of phrases like:
> "So, if we have an access to the key.."
> "if we’re able to steal those tickets and somehow
> insert them into our own system"
> "It’s just an account in domain controller
> database, so your obviously need access to DC or it’s data."
> So looks like a "if we can break the security
> then we've broken the security" article :-).
> Move along, nothing to see here, sorry for
> the noise.

This is more or less about a tool called minikatz:

The tool injects a dll into lsass.exe and then you can get access to the 
memory of lsass.exe and can obtain hashes from Kerberos keys or ntlm.

For the injection you need SeDebugPrivilege. If you have that privilege it is 
equal to being the Administrator.

So as far as I understand it, you need to own a machine with admin or similar 
privileges in order to get access to NTLM or Kerberos credentials of logged in 

So you need to prevent admin from reading Kerberos hashes from the memory.

On Linux this might be possible with the Kernel keyring where Kerberos tickets 
are stored nowadays. But this means the usability will be bad and it wont be 
"Single Sign On" anymore ...

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at

More information about the samba-technical mailing list