[31527] in Kerberos


Re: Ticket Granting Ticket forge

daemon@ATHENA.MIT.EDU (Remi Ferrand)
Fri Oct 2 12:59:32 2009

Message-ID: <4AC6312F.8040305@cc.in2p3.fr>
Date: Fri, 02 Oct 2009 18:58:23 +0200
From: Remi Ferrand <remi.ferrand@cc.in2p3.fr>
To: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <96013C9E-3A1D-46CA-A25D-0DADB9D9DA73@mit.edu>
Cc: Kerberos-Dev List <krbdev@mit.edu>, Kerberos List <kerberos@mit.edu>
Reply-To: remi.ferrand@cc.in2p3.fr

Ken Raeburn wrote:
> You would need the key for the krbtgt/YOUR.REALM@YOUR.REALM principal
> in order to do this.  In fact, with that key, you can forge a TGT for
> any client principal at all, without needing an existing TGT, so if
> anyone else gets their hands on it, your realm's security is
> compromised.  So unless your local machine is secure enough that you
> could run a KDC on it, this would be a really bad idea.  And even
> then, running a KDC as root is probably a better idea than leaving the
> TGS key sitting around accessible under your regular account.
>
> Ken
I'm sure I'm very close to my goal, but it's still not working ...

My KeyTab has been created using:
# kadmin.local -q 'ktadd -k /tmp/krbtgt.keytab -norandkey krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR'

My cache has been fed with:
# kinit test

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@TEST.IN2P3.FR

Valid starting     Expires            Service principal
10/02/09 18:15:12  10/03/09 04:15:12  krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
        renew until 10/03/09 18:15:11


I've written a little program to try to decrypt the TGT.
This program is compiled using these libraries: -lkrb5 -lkadm5srv -lkadm5clnt -lkdb5

The main steps are:
* read the keytab using krb5_kt_resolve, krb5_kt_start_seq_get,
krb5_kt_next_entry, krb5_kt_end_seq_get.
    This step gives me a krb5_keytab_entry structure.

* retrieve the TGT from the ticket cache using krb5_cc_default,
krb5_cc_set_flags, krb5_cc_start_seq_get, krb5_cc_next_cred.
    This step gives me a krb5_creds structure.

* My program then tries to decode the ticket using krb5_decode_ticket and
everything is successful.

* The next step is to decrypt the TGT with krb5_decrypt_tkt_part,
but I encounter an error of this kind:
    forge: Program lacks support for encryption type decrypting with krb5_decrypt_tkt_part

Debugging using GDB assures me that the krbtgt entry read from the keytab has an
enctype of 16 (Triple DES cbc mode with HMAC/sha1) and the same enctype
for the ticket granting ticket krbtgt read from the cache.

Has anyone already encountered this kind of error using the Kerberos V M.I.T
API?
Do I have to load ciphers anywhere?

If you want me to send you my code, just ask and I'll send it to you ...

The main part of my code has been inspired by kinit or the src/kdc/*
utilities.

Thanks in advance
Remi

--

Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/


