Kerberos: On the Microsoft platform, version 5 of the Kerberos authentication protocol has been in use since Windows 2000.
The protocol offers a robust authentication framework through the use of strong cryptographic mechanism such as symmetric key cryptography. It provides mutual authentication of client and server.
The Kerberos protocol makes use of the following groups of components:
- Key distribution centre (KDC)
- Authentication Server (AS)
- Ticket-granting server (TGS)
The process of using Kerberos works much like the following:
- You want to access another system, such as a server or client. Because Kerberos is in use in this environment, ticket is required.
- To obtain this ticket, you are first authenticated against the AS, which creates a session key based on your password together with a value represents the service you wish to connect to. This request serves as your ticket-granting ticket (TGT).
- Your TGT is presented to a TGS, which generates a ticket that allows you to access the service.
- Based on the situation, the service either accepts or rejects the ticket. In this case, assume that you are authorized and gain access.
The TGT is valid for only a finite period before it has to be generated. This acts as a safeguard against it being compromised.
In this exercise we will take a look at how to break a password captured from Kerberos.
To perform this exercise, you must download the utility Cain from oxid.it.
- In the Cain software start the sniffer by clicking the sniffer icon on the toolbar.
- When prompted, choose the interface on sniff on.
- When the Sniffer tab.
- Click the blue + sign.
- When presented with the dialog, click OK.
- In this dialog that appears, enter the addresses of two hosts to be ARP poisoned, which means you are putting information into the ARP tables of the targeted systems. Choose two hosts other than the one you are running the attack from.
- Click OK.
- On the toolbar select the ARP poisoning icon and note that the status will change to state “poisoning”.
- After a minute or two, click the Sniffer tab.
- Click the Password tab.
- Select MSKerb5-PreAuth Hashes.
- Right-click and select Send To Cracker.
- Click the Cracker tab.
- Select Kerb5 PreAuth Hashes.
- Right-click a password and select a crack.
At this point, if everything has gone well you should be able to crack a Kerberos password. It is important to note that you may have to wait a while on networks that are not that active to actually collect a set of credentials.