[20390] in Kerberos_V5_Development
Re: Video of my Kawaiicon talk: The "Dollar Ticket Attack" on AD
daemon@ATHENA.MIT.EDU (Andrew Bartlett via krbdev)
Sun Jul 10 21:24:03 2022
Message-ID: <ace59e5ae596201e0626cda0fd96fa264f8ddebe.camel@samba.org>
To: samba-technical@lists.samba.org, krbdev@mit.edu
Cc: Alexander Bokovoy <ab@samba.org>
Date: Mon, 11 Jul 2022 13:22:04 +1200
In-Reply-To: <04cd9526caa11ac094fe6b276113639e46177aa4.camel@samba.org>
MIME-Version: 1.0
From: Andrew Bartlett via krbdev <krbdev@mit.edu>
Reply-To: Andrew Bartlett <abartlet@samba.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Sat, 2022-07-09 at 18:46 +1200, Andrew Bartlett via krbdev wrote:
> I was going to wait until a per-talk video was hosted by the organisers
> of the conference, but in the meantime this link into the live stream
> works.
>
> I'm sharing this as I wanted to share the video as folks have been
> interested.
>
> https://youtu.be/4hBLf2vQc8k?t=30560
>
> It would be great if the linux side could become harder to exploit at
> some point, I have some suggestions at the end of the talk, and Sumit
> has had some suggestions around disabling an 'a2ln' plugin.
>
> It would be good if someone could write up some good guidance for users
> on how best to defend against it on the Linux side, both with a 'simple
> keytab on server', or 'samba publishing keytab' or other similar
> configurations.
>
> I also tell the tale of how I broke into Windows AD last November,
> similar to but more punchy than SambaXP talk, which I think was pretty
> cool.
>
> Anyway, enjoy and be worried!
I've started to put together a wiki page mostly with links. It is
probably still at the stage of being confusing even to this audience
(and is totally missing a 'how do I protect myself' section), but
perhaps someone can help fill that out.
In the meantime at least it links some of the various documents, talks,
exploit steps etc:
https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack
I would appreciate it being extended. (Please don't be put off by
needing to get an account, it just a spam prevention barrier).
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
