Re: Kerberos DoS (Windows 2000)

From: Ian (dispacctat_private)
Date: Thu Aug 07 2003 - 02:17:18 PDT

  • Next message: Matt Foster: "RE: Nessus NASL + Canned Exploit database"

    On reflection, I could have worded this a lot better but its like 100degrees
    over here at the moment and the basic act of spelling is proving a little
    tricky but that is no excuse.
    
    Thank you those who replied off-list.
    
    The reason for the original request was that I was doing some work
    internally and found that we had an externally facing port 88. When I
    apporached my manager and pointed out that this was subject to a DoS style
    attack he scurried off and found the securityfocus site which states that
    'they are unaware of any exploit for this issue'.
    
    Armed with this new found information he came back to me with a 'why bother'
    attitude and I wanted to demonstrate how simple these things are to code
    bearing in mind it is only a question of generating a substantial amount of
    connections to the port to DoS it.
    
    Well, simple if you know how - which I don't. I can't program :( Which is
    why I asked here.
    
    The beauty of this list is I now have NASL scripts, Unix scripts and an
    interesting new angle to explore. I've ported the unix script over to a DOS
    batch file and am testing it currently against a test machine. Without the
    resources of the list I wouldn't have learned half of what I know today
    (which is still half of not a lot!) and sometimes in my haste to learn more
    I end up effectively posting what looks suspiciously like a 'how to hack'
    type post.
    
    As was pointed out to me off-list, I could have been easily flamed for
    posting such a poorly worded request and I guess I couldn't have blamed
    anyone for it, however no-one did for which I am grateful.
    
    Again thanks for the off-list replies and apologies for the original post.
    
    Ian
    
    > > -----Original Message-----
    > > From: Ian [mailto:dispacctat_private]
    > > Sent: Wednesday, August 06, 2003 2:39 PM
    > > To: pen-testat_private
    > > Subject: Kerberos DoS (Windows 2000)
    > >
    > >
    > > G'day,
    > >
    > >     Anyone out there found an easy (script-kiddie) way to
    > > demonstrate this as a genuine vuln during a test? I've
    > > googled but can't find an exploit for this other than the
    > > text reading ...
    > >
    > > ----------------------=[Detailed
    > > Description]=------------------------ 
    > > By creating a connection to the kerberos service and the
    > > disconnecting again, without reading from the socket, the LSA
    > > subsystem will leak memory. After about 4000 connections the
    > > kerberos service will stop accepting connections to tcp ports
    > > 88 (kerberos) and 464 (kpasswd) and all domain authentication
    > > will effectively have died (if the target was a domain controller).
    > >
    > >
    > > It requires a reboot to recover from the attack.
    > >
    > >
    > > ---------------------------=[Workaround]=---------------------
    > > -------- 
    > >
    > >
    > >
    > >     Since everyone on the list should know by now my
    > > programming abilities stopped at 'hello world' any pointers
    > > would be gratefully accepted.
    > >
    > > Yours
    > >
    > > Ian
    > >
    > > --------------------------------------------------------------
    > > -------------
    > > --------------------------------------------------------------
    > > --------------
    > >
    >
    
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Thu Aug 07 2003 - 11:40:34 PDT