Q: How does password cracking on Windows Kerberos preauthentication data work and how can I protect my Windows systems from this attack?

A: It's well known that in Windows, malicious users can mount brute-force password-cracking attacks on NT LAN Manager (NTLM) authentication exchanges. Several tools are even available to automate such attacks, including @stake LC 5 (the most recent version of L0phtCrack) and John the Ripper. For a long time, experts thought that if people used Windows XP and Windows 2000 clients with their default Kerberos authentication provider, brute-force password-cracking attacks were impossible. But in late 2002, 2 years after Win2K's release, a tool named KerbCrack appeared on the Internet. This tool can perform brute-force cracking attacks on Kerberos packets. KerbCrack consists of two tools: kerbsniff and kerbcrack. Kerbsniff captures Kerberos packets from the network, and kerbcrack performs the brute-force crack attempt on the output of the first tool. You can download both tools at http://www.ntsecurity.nu/toolbox/kerbcrack. A paper outlining a similar attack but using different tools is available from http://www.hut.fi/~autikkan/kerberos/docs/phase1/pdf/LATEST_password_attack.pdf.

The Kerberos brute-force password-cracking attacks exploit the Kerberos protocol's preauthentication feature, which was first introduced in Kerberos 5. Using Kerberos preauthentication data, a client can prove knowledge of its password to the Kerberos Key Distribution Center (KDC), the Kerberos service that runs on all Windows Server 2003 and Win2K domain controllers (DCs), before the Ticket Granting Ticket (TGT) is issued. Brute-force password-cracking attacks target the encrypted timestamp that's embedded in the Kerberos preauthentication data. The timestamp is encrypted using a key based on the user's password (or, in Kerberos terms, based on the user's master key). Because a correctly decrypted timestamp is relatively easy to recognize, it's possible to mount brute-force attacks against the encrypted preauthentication data and derive the user's password.

There are two ways to protect against this attack: use Windows smart card logon, or encrypt the network traffic between the Kerberos client and the DC using, for example, IP Security (IPSec). Windows smart card logon uses a Kerberos extension called PKINIT. This extension encrypts the packet by using the user's private key instead of the user's master key. At present, it's impossible to perform a brute-force attack on packets that are secured using public-private key technology. For more information about PKINIT, visit http://www.ietf.org/proceedings/03mar/I-D/draft-ietf-cat-kerberos-pk-init-16.txt.
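To check which logons still send password-derived preauthentication rather than PKINIT, a defender can classify captured AS-REQ messages by their padata types. The following is an added example, not code from the original answer or from the tools it names. It assumes the AS-REQ has already been extracted as DER bytes; the function names and sample messages are constructed here, and the padata-type numbers come from RFC 4120 and RFC 4556, not from the page.

```python
PA_ENC_TIMESTAMP = 2           # RFC 4120: timestamp encrypted with the password-derived key
PKINIT_TYPES = {14, 15, 16}    # 16: RFC 4556 PA-PK-AS-REQ; 14/15: draft-era values (RFC 4120)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                           # yields (tag, value) for each nested element
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def padata_types(as_req):
    """Return the padata-type integers found in a DER-encoded AS-REQ."""
    tag, body, _ = read_tlv(as_req, 0)
    if tag != 0x6A:                            # [APPLICATION 10] marks an AS-REQ
        raise ValueError("not an AS-REQ")
    types = []
    for ftag, fval in children(read_tlv(body, 0)[1]):        # fields of KDC-REQ
        if ftag == 0xA3:                                     # [3] padata
            for _, pa in children(read_tlv(fval, 0)[1]):     # each PA-DATA
                for ptag, pval in children(pa):
                    if ptag == 0xA1:                         # [1] padata-type INTEGER
                        types.append(int.from_bytes(read_tlv(pval, 0)[1], "big", signed=True))
    return types

def classify(as_req):
    types = set(padata_types(as_req))
    if types & PKINIT_TYPES:
        return "pkinit"
    return "password-derived" if PA_ENC_TIMESTAMP in types else "no-preauth"

# Constructed sample data (hypothetical helpers, not a real capture): short-form lengths only.
def der(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_as_req(pa_types):
    pas = [der(0x30, der(0xA1, der(0x02, bytes([t]))), der(0xA2, der(0x04, bytes(8)))) for t in pa_types]
    return der(0x6A, der(0x30, der(0xA1, der(0x02, b"\x05")), der(0xA2, der(0x02, b"\x0a")),
                         der(0xA3, der(0x30, *pas)), der(0xA4, der(0x30))))
```

A host that keeps returning "password-derived" after smart card logon is rolled out is still sending the encrypted-timestamp preauthentication data that the attack described above targets.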