Active Directory and NT Kerberos - Black Hat

Uploaded by: e****s | Document ID: 252552362 | Uploaded: 2024-11-17 | Format: PPT | Pages: 22 | Size: 242KB
Active Directory and NT Kerberos
Rooster, JD Glaser

Introduction to NT Kerberos v5
- What is NT Kerberos?
- How is it different from NTLM
- NT Kerberos vs MIT Kerberos
- Delegation and Client Authentication
- What does NT Kerberos look like on the wire?
- KTNet - A native NT Kerberos telnet server

What is NT Kerberos
- NT's new authentication system
- MIT Kerberos v5 - an Open Standard
- Kerberos is the default authenticator in W2K domains
- NTLM still used for compatibility, usually the weakest version

How is it different from NTLM
- Doesn't use a password hash system
- Requires fewer authentication calls
- More sophisticated - Yes
- More secure? - Possibly in pure mode
- Backwards compatibility hinders it
- NTLM v2 is strong in pure mode as well

NT Kerberos
- Integrated with platform
- Locates KDC via DNS - DNS server required for install
- No support for DCE style cross-realm trust
- No "raw" krb5 API
- Postdated tickets (not implemented)
- Uses authdata field in ticket

Windows 2000 Kerberos standards
- RFC-1510
- Kerberos change password protocol
- Kerberos set password protocol
- RC4-HMAC Kerberos Encryption type
- PKINIT

Kerberos Interoperability Scenarios
- Kerberos clients in a Win2000 domain
- Kerberos servers in a Win2000 domain
- Standalone Win2000 systems in a Kerberos realm
- Using a Kerberos realm as a resource domain
- Using a Kerberos realm as an account domain

MIT Kerberos Differences
- Win2000
  - Clients
    - Just logon
    - Just logoff
    - Domain membership
    - Example app: everything
  - Servers
    - Use computer account via SCM
- MIT
  - Clients
    - User logon with kinit
    - User logoff with kdestroy
    - Configured with /etc/krb5.conf
    - Example app: telnet
  - Servers
    - Do not log on; use saved keys from keytab

Using Kerberos clients
- Customer wants to have its non-Windows Kerberos users use their Win2000 accounts
- Set up the /etc/krb5.conf
- Users kinit with their Win2000 account
[Diagram: Windows 2000 Server, Unix workstation]

Using Kerberos servers
- Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS
- /etc/krb5.conf on database server
- Create service account in domain
- Use ktpass to export a keytab
- Copy keytab to database server
- IIS server is trusted for delegation
[Diagram: Windows 2000 IIS Server, Unix Database Server, Windows 2000 Wks]

Kerberos realm as an account domain
- User logon with Kerberos principal
- User has shadow account in an account domain (for applying authz)
- Mapping is used at logon for domain identity
- Domain trusts realm users
- user@win2k.domain (user@MIT.REALM.COM)

Standalone Win2000 computers
- An employee has a Win2000 computer that they want to use in a Kerberos realm
- Configure system as standalone (no domain)
- Use Ksetup to configure the realm
- Use Ksetup to establish the local account mapping
- Logon to Kerberos realm
[Diagram: Win2000, Linux/Unix]

Trusting a Kerberos realm
- Win2000 users accessing services in Kerberos realms
- Kerberos users accessing services in domains

Windows 2000 Domain Trusts
[Diagram: domains (including "microsoft") and a Kerberos realm, with links labelled Kerberos trust, Explicit Windows NT 4.0-style trust, Explicit Kerberos trust, Shortcut trust]

Cross-domain Authentication
[Diagram: Windows 2000 Professional, Windows 2000 Server, "company", two KDCs; steps 1 TGT, 2 TGT, 3 TGT, 4 TICKET]

Using Unix KDCs with Windows 2000 Authorization
[Diagram: Win2000 Professional, Windows 2000 Server, COMPANY.REALM, MIT KDC, Windows 2000 KDC; steps 1 TGT, 2 TGT (Name Mapping to NT account), 3 TICKET, 4 TICKET (With NT Auth Data)]

NT Kerberos vs MIT Kerberos
- NT caches the password for ticket renewal
- It's not certain whether NT uses ticket caching (tracking stolen/replayed tickets)

Kerberos v5 Ticket Details

Delegation and Client Authentication

NT Kerberos On The Wire

Thank you

Appendix
- John Brezak, PM - Microsoft
- Kerberos Talk - MTB 99