Access Denied: Cracking Kerberos Packets

Can you sniff Kerberos packets and crack them to obtain the user's password, as you can by using @stake's LC4 on Windows NT LAN Manager (NTLM) packets?

Although stronger than NTLM, Kerberos is still based on user passwords. A weak user password remains vulnerable even if your Windows XP or Windows 2000 workstation uses Kerberos to authenticate to the domain controller (DC). Arne Vidstrom wrote a Kerberos sniffer and cracker, KerbCrack (, that demonstrates this vulnerability.

You have a few options for protecting yourself from attackers who might sniff and crack NTLM or Kerberos authentication traffic either on your intranet or on the Internet. One option is to try to convince your users to select strong, hard-to-guess passwords, enforce minimum password lengths and password complexity, then back up those measures by periodically using a password cracker such as LC4 to audit password strength. However, this method is a lot of work and usually isn't successful because users resist selecting strong passwords. Some organizations try to secure their internal networks against password sniffing by implementing a fully switched network so that each computer receives only the packets destined for it. However, attackers can use Address Resolution Protocol (ARP) redirects to sniff across switches or can hack switches.

The best solution available is to eliminate NTLM by upgrading all computers to XP or Win2K, then eliminate Kerberos-associated password risks by implementing smart cards for interactive logon. Win2K has good Plug and Play (PnP) support for smart card readers and uses the PKINIT Kerberos extension, which replaces passwords with public/private keys for the initial ticket-granting ticket (TGT) that the workstation obtains when the user initially logs on.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.