Message-ID: <5493B0DF.6050503@beneaththewaves.net>
Date: Thu, 18 Dec 2014 21:00:15 -0800
From: "Ben Lincoln (F7EFC8C9 - FD)" <F7EFC8C9@...eaththewaves.net>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Dictionary/brute-force attack against "kerberized" IIS service accounts without triggering account lockout

Not sure if this is old news by now, but I haven't seen it mentioned anywhere.

I was writing some walkthroughs for the alpha version of Mimikatz 2.0, and realized that since the "Silver Ticket" functionality involves one of the Windows kerberos ticket encryption keys being the NTLM hash of the account which receives the kerberos ticket, it's possible to use it to check passwords for IIS application pool service accounts (if kerberos auth is used, of course), and this does not trigger an account lockout regardless of the number of attempts - at least not on Server 2012 RTM with the default settings (no "enhanced protection", etc.).

http://www.beneaththewaves.net/Projects/Mimikatz_20_-_Brute-Forcing_Service_Account_Passwords.html

Apologies in advance if this has already been discussed. This is definitely a POC-grade tool - I do not have the C/C++ skills to modify Mimikatz sufficiently to make this particular attack production-quality.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/