27 Apr 2010
Don't count on Kerberos to thwart pass-the-hash attacks
The Kerberos authentication protocol has plenty of benefits but offers little defense against pass-the-hash attacks.
Several readers responded to my previous post on pass-the-hash attacks, asking if Kerberos authentication versus LANManager, NTLM, or NTLMv2 was an effective defense. It's a good question, one that I considered as I was writing last week's post. Reader Christopher Hallenbeck made some especially good arguments for it, and I've reconsidered my original stance on discussing the subject.
Invented at MIT, Kerberos is an open authentication protocol used on a variety of computer systems. Kerberos systems pass cryptographic key-protected authentication "tickets" between participating services. The password hashes are neither sent nor stored, so they can't be captured and reused as easily.
Kerberos is the default authentication protocol implemented in Windows 2000. More recent operating systems use Kerberos to connect to Windows 2000 and to later Kerberos-protected network resources and services. In most of today's Windows networks, Kerberos authentication is widespread. Kerberos has the potential to reduce pass-the-hash risk, but not nearly as much as one would initially think.
Don't count on Kerberos to thwart pass-the-hash attacks | Security Central - InfoWorld