Do ASREPRoast attacks work on MIT Kerberos if weak ciphers are used?

Hello,

I've been setting up an environment that uses (non windows) MIT Kerberos to authenticate nodes in a cluster. While I was going through the authentication server's logs, I noticed tons of messages about pre-authentication and AS-REP responses and such. For what it's worth, the principals (users in kerberos slang) are extremely guessable since they have to follow a specific format.

The other problem is that due to java encryption limitations, I have to use extremely weak ciphers (des3-cbc-sha1). I tried installing the JCE Unlimited Policy extensions and it didn't seem to help at all.

Questions:

– Is it possible to to an ASREPRoast attack on a non-windows Kerberos server? Are there other Windows Kerberos attacks that work on MIT Kerberos?

– Is there anything I can do to defend against this?

– Do I need to set any settings for java to get access to the extra cryptography stuff (the readme just said to overwrite the jar files)? Is there a better Kerberos cipher that's supported by java than des3-cbc-sda1 (arcfour-hmac might be an option)?

Touch here for the full post on Network Security Noblemen tumblr

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s