[Bro-Dev] KRB Analyzer Pre-Auth Data

John Rollinson j.e.rollinson at gmail.com
Fri May 19 07:01:39 PDT 2017


I am working on improving Bro's ability to detect Kerberos attacks
(specifically certain instances of Skeleton Key attacks and encryption
downgrades) which requires adjusting what information Bro passes up to the
scripting layer.  Generic breakdown on some of the attacks and detection
methods can be found here (
https://www.blackhat.com/docs/eu-15/materials/eu-15-Beery-Watching-The-Watchdog-Protecting-Kerberos-Authentication-With-Network-Monitoring-wp.pdf
).

Currently, Bro treats the ETYPE_INFO and ETYPE_INFO2 parts of the KRB Error
packets the same and only extracts the password salts (if they exist).
Because all of the pre-auth data gets stored into the KRB::Type_Value_Vector
data structure, making all of the data in the ETYPE_INFO2 sections will
likely require modifying the structure of how pre-auth data is stored and
made accessible in scripts.

Is anyone currently using information from "pa_data" in any scripts
(especially the salt information from ETYPE_INFO2 fields)?  I'd like to
understand how other people are using this data currently so that I can
make sure I don't break use cases in the process.

Also, are there any recommendations for other parts of Bro's code to study
as good examples of passing back highly variable data structures?

-John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20170519/76f61197/attachment.html 


More information about the bro-dev mailing list