Re: Kerberos DoS (Windows 2000)

From: Ian (dispacct@hotmail.com)
Date: Thu Aug 07 2003 - 05:17:18 EDT


On reflection, I could have worded this a lot better but it's like 100 degrees
over here at the moment and the basic act of spelling is proving a little
tricky but that is no excuse.

Thank you to those who replied off-list.

The reason for the original request was that I was doing some work
internally and found that we had an externally facing port 88. When I
approached my manager and pointed out that this was subject to a DoS style
attack he scurried off and found the securityfocus site which states that
'they are unaware of any exploit for this issue'.

Armed with this new found information he came back to me with a 'why bother'
attitude and I wanted to demonstrate how simple these things are to code
bearing in mind it is only a question of generating a substantial amount of
connections to the port to DoS it.

Well, simple if you know how - which I don't. I can't program :( Which is
why I asked here.

The beauty of this list is I now have NASL scripts, Unix scripts and an
interesting new angle to explore. I've ported the unix script over to a DOS
batch file and am testing it currently against a test machine. Without the
resources of the list I wouldn't have learned half of what I know today
(which is still half of not a lot!) and sometimes in my haste to learn more
I end up effectively posting what looks suspiciously like a 'how to hack'
type post.

As was pointed out to me off-list, I could have been easily flamed for
posting such a poorly worded request and I guess I couldn't have blamed
anyone for it, however no-one did for which I am grateful.

Again thanks for the off-list replies and apologies for the original post.

Ian

> > -----Original Message-----
> > From: Ian [mailto:dispacct@hotmail.com]
> > Sent: Wednesday, August 06, 2003 2:39 PM
> > To: pen-test@securityfocus.com
> > Subject: Kerberos DoS (Windows 2000)
> >
> >
> > G'day,
> >
> > Anyone out there found an easy (script-kiddie) way to
> > demonstrate this as a genuine vuln during a test? I've
> > googled but can't find an exploit for this other than the
> > text reading ...
> >
> > ----------------------=[Detailed Description]=------------------------
> > By creating a connection to the kerberos service and then
> > disconnecting again, without reading from the socket, the LSA
> > subsystem will leak memory. After about 4000 connections the
> > kerberos service will stop accepting connections to tcp ports
> > 88 (kerberos) and 464 (kpasswd) and all domain authentication
> > will effectively have died (if the target was a domain controller).
> >
> >
> > It requires a reboot to recover from the attack.
> >
> >
> > ---------------------------=[Workaround]=-----------------------------
> >
> >
> >
> > Since everyone on the list should know by now my
> > programming abilities stopped at 'hello world' any pointers
> > would be gratefully accepted.
> >
> > Yours
> >
> > Ian
> >
> >
>
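
Added example, not part of the original post or the quoted advisory: a defender-side check that counts connections to TCP 88 and 464 per source since the last reboot and flags sources well before the "about 4000 connections" figure quoted above. The record format, the zero-byte filter, the alert fraction and the sample addresses are assumptions made for illustration.

```python
from collections import Counter

KERBEROS_PORTS = {88, 464}   # kerberos and kpasswd, as named in the quoted advisory
EXHAUSTION_COUNT = 4000      # "about 4000 connections" from the quoted advisory
ALERT_FRACTION = 0.25        # assumption: alert long before the service stops

def parse_record(line):
    """Parse 'epoch src_ip dst_port bytes_from_client' (constructed format)."""
    ts, src, port, nbytes = line.split()
    return int(ts), src, int(port), int(nbytes)

def flag_sources(lines, since_boot_ts=0):
    """Return {src: count} for sources at or above the alert threshold.

    The advisory describes a leak that only a reboot clears, so the count
    runs from the last boot rather than over a short sliding window.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ts, src, port, nbytes = parse_record(line)
        except ValueError:
            continue  # skip malformed records
        if ts < since_boot_ts or port not in KERBEROS_PORTS:
            continue
        if nbytes == 0:  # assumption: connect/disconnect with no request sent
            counts[src] += 1
    threshold = int(EXHAUSTION_COUNT * ALERT_FRACTION)
    return {s: c for s, c in counts.items() if c >= threshold}

def constructed_log():
    """Constructed sample records; addresses are documentation ranges."""
    log = ["# epoch src dst_port bytes_from_client"]
    log += [f"{900 + i} 203.0.113.7 88 0" for i in range(50)]    # before boot at t=1000
    log += [f"{1000 + i} 203.0.113.7 {88 if i % 2 else 464} 0" for i in range(1200)]
    log += [f"{1000 + i} 198.51.100.20 88 1432" for i in range(5)]   # ordinary requests
    log += [f"{1000 + i} 198.51.100.21 445 0" for i in range(2000)]  # other port, ignored
    return log

if __name__ == "__main__":
    for src, n in flag_sources(constructed_log(), since_boot_ts=1000).items():
        print(f"{src}: {n} empty connections to 88/464 since boot")
```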
