It does, thanks.

So if the password is known, or the KDC compromised, then in principle MITM becomes possible?

On 2017-08-14 15:28, Andrew Bartlett wrote:
> On Mon, 2017-08-14 at 06:45 -0400, Daniel Benoy via samba wrote:
>> Is it perhaps using your password somehow? Like, if an attacker knew the
>> password that the client is using to connect, would it then be able to
>> MITM and watch all the writes and reads that client performs, but since
>> an attacker is unlikely to know your password already, then they're
>> unable to know the initial symmetric cipher that each side is
>> expecting... or something like that?
>
> This is essentially correct, for NTLM.
>
> For Kerberos, it is the shared secret between the KDC and the file
> server, and then the password between you and the KDC.
>
> I'm drastically simplifying and in both cases, session keys are not
> directly the password, but things encrypted with the password and
> exchanged.
>
> It isn't public key based.
>
> I hope this helps,
>
> Andrew Bartlett
On Mon, 2017-08-14 at 20:26 -0400, Daniel Benoy via samba wrote:
> It does, thanks.
>
> So if the password is known, or the KDC compromised, then in principle
> MITM becomes possible?

Yes.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
Hi,

This question is interesting and leads me to another one:

As the KDC sends a ticket to the client when trying to authenticate (something which should be decrypted using the user's password), is it possible to brute force this initial ticket locally?

Mathias

2017-08-15 3:29 GMT+02:00 Andrew Bartlett via samba <samba at lists.samba.org>:
> On Mon, 2017-08-14 at 20:26 -0400, Daniel Benoy via samba wrote:
> > It does, thanks.
> >
> > So if the password is known, or the KDC compromised, then in principle
> > MITM becomes possible?
>
> Yes.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba