Loki – How ICMP Really Can be Dangerous

Overall, ICMP has been viewed as a harmless and perhaps even trivial protocol. That all changed with the rather nasty Loki. In case you didn’t know, Loki is from Norse mythology, where he was the god of trickery and mischief. The Loki exploit is well named, as it seeks to exploit the hitherto benign ICMP protocol. ICMP is intended mainly to inform users of error conditions and to make very simple requests. That is one of the reasons intrusion analysts and malware students tended to ignore the protocol. Of course it could be used in rather obvious denial of service attacks, but those were easily tracked and blocked.

However, Loki changed that situation by using ICMP as a tunnelling protocol, that is, as a covert channel. A covert channel in these circumstances is a transport method used in either a secret or an unexpected way. The transport vehicle is ICMP, but Loki acts much more like a client/server application. Any compromised host that gets a Loki server instance installed can respond to traffic and requests from a Loki client. This would also work if the client were spoofing its IP address to watch something like Netflix, for instance (see this). So, for instance, a Loki server could respond to a request to display the password file to screen or file, which could then be captured and cracked by the owner of the Loki client application.

Many intrusion detection analysts would simply have ignored ICMP traffic passing through their logs, mainly because it is such a common protocol but also such an innocuous one. Of course, well-read analysts know to treat such traffic with heightened suspicion; Loki really has changed the game for protocols like ICMP.

For those of us who spend many hours watching traffic, Loki was a real eye opener. You had to check those logs a little more carefully, especially to watch out for strange protocols being used in a different context. There is some more information on these attacks hidden on this technology blog – http://www.iplayerabroad.com/using-a-proxy-to-watch-the-bbc/. It can take some finding though!
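As an added example (not code from the original post), here is the kind of check an analyst can run over ICMP echo packets to spot the covert-channel use described above: an echo request or reply whose payload is not the ordinary ping fill pattern, is oversized, or is high-entropy gets flagged. The packet builder only constructs sample traffic; the Windows and Linux fill patterns and the size and entropy thresholds are assumptions to tune for your own network.

```python
import math
import struct

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # default Windows echo payload

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload, icmp_type=8):
    """Build an ICMP echo packet; used here only to construct sample traffic."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = every byte value equally common)."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def looks_like_ping(payload):
    """Default Windows payload, or Linux fill: 8-byte timestamp then 0x10, 0x11, ..."""
    if payload == WINDOWS_PING:
        return True
    return len(payload) >= 16 and all(
        payload[i] == (i + 8) & 0xFF for i in range(8, len(payload)))

def inspect_icmp(pkt, max_payload=64, max_entropy=6.0):
    """Reasons an ICMP echo packet looks like a tunnel; [] if it looks like plain ping.
    Thresholds are assumptions to tune per network, not published values."""
    icmp_type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", pkt[:8])
    payload = pkt[8:]
    if icmp_type not in (0, 8) or looks_like_ping(payload):
        return []                     # only echo request/reply are examined here
    reasons = ["non-standard echo payload (%d bytes)" % len(payload)]
    if len(payload) > max_payload:
        reasons.append("oversized payload")
    ent = entropy(payload)
    if ent > max_entropy:
        reasons.append("high-entropy payload (%.2f bits/byte)" % ent)
    return reasons
```

A plain Linux or Windows ping produces no findings, while a long text payload is reported as non-standard and oversized, and encrypted-looking data additionally trips the entropy check.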


Introduction to Kerberos Authentication

Kerberos is one of the most widely used methods of authentication, and this post will briefly introduce you to the subject. As well as being implemented in many operating systems, you will find Kerberos is available in many industrial products too. Kerberos hasn’t been tested or verified. Kerberos has many crucial benefits. Kerberos also has a few main flaws that system administrators will want to take into consideration. Kerberos is the most frequently used example of this sort of authentication technology.

Encryption couldn’t be enabled. The encryption key is subsequently created. Transport layer encryption isn’t necessary if SPNEGO is used, but the client’s browser has to be properly configured. This authentication is automatic if the domains are in the same forest. This sort of authentication is rather simple to understand, since it only involves two systems. There are lots of things that can fail with Kerberos authentication. If you are failing to use Kerberos authentication with the LocalSystem account, you are more than likely failing to use Kerberos authentication when users go to the remote system. It is not only used for authenticating users: when your iPad connects through its VPN to watch British channels online using your AD network, it is Kerberos that authenticates the machine.

If the password is incorrect, then you won’t be able to decrypt the message. It is extremely important that you don’t forget this password. You might be surprised how many users use a password that is identical to their user name.

Your password isn’t a great option for a password. When using those services or those clients, you might have to enter your password, which is then sent to the server. It is very probable that this user has set the same password for the two principals for reasons of convenience. Ideally, you should only have to type your password into your own computer once, at the start of the day.

You won’t be able to administer your server if you do not remember the master password. If the server cannot automatically register the SPN, the SPN has to be registered manually. It is normal for the admin server to take some time to start, so be patient. The specified server cannot carry out the requested operation. A virtual server simply means that it is not a component of a dedicated host. The RPC server isn’t actively listening.

The server refused to negotiate authentication, which is needed for encryption. Before deploying Kerberos, a server has to be selected to act as the KDC. The network location server is a web site used to detect whether DirectAccess clients are located inside the corporate network.

The client may be using an old Kerberos V5 protocol that doesn’t support initial connection support. If it is unable to get the ticket, then you should see an error similar to the one below. In the Kerberos protocol, the client authenticates against the server and the server also authenticates itself against the client. The RPC client will send the very first packet, called the SYN packet.

If each client had to hold a unique key for each and every service, and each service a unique key for each client, key distribution would quickly become a challenging problem to solve. My client is not going to send the job unless it receives the right response. The client can’t decrypt the service ticket, because only servers can do so, but it can nevertheless send it on. Later it can use this ticket to get additional tickets for SS using the same shared secret. Both client and server may also be called security principals.
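As an added example (not code from the original post) of the two points made above, that a wrong password means the reply cannot be decrypted, and that the client forwards a ticket it cannot read while the KDC keeps only one key per principal, here is a toy AS exchange. The cipher, the KDF, the realm EXAMPLE and the principal alice are constructed for illustration and are not how real Kerberos implements them.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated cipher (SHA-256 keystream XOR plus HMAC-SHA256 tag),
# constructed for this example only. Real Kerberos uses AES-CTS etypes.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(principal, password):
    # Password-derived key; toy KDF here (real Kerberos derives AES keys with PBKDF2).
    return hashlib.sha256(principal.encode() + b":" + password.encode()).digest()

# Constructed KDC database: exactly one long-term key per principal, which is
# what lets Kerberos avoid a separate key for every client/service pair.
KDC = {"alice@EXAMPLE": long_term_key("alice@EXAMPLE", "hunter2"),
       "krbtgt/EXAMPLE": secrets.token_bytes(32)}

def as_exchange(principal):
    """AS-REP: a session key sealed for the client, plus a TGT sealed for the TGS."""
    sk = secrets.token_bytes(32).hex()
    enc_part = seal(KDC[principal], {"session_key": sk, "for": "krbtgt/EXAMPLE"})
    tgt = seal(KDC["krbtgt/EXAMPLE"], {"client": principal, "session_key": sk})
    return enc_part, tgt

def client_login(principal, password, enc_part):
    """Wrong password -> wrong key -> the reply cannot be decrypted (ValueError)."""
    return unseal(long_term_key(principal, password), enc_part)["session_key"]

def tgs_accepts(tgt):
    """Only the TGS holds the krbtgt key, so only it can open the forwarded TGT."""
    return unseal(KDC["krbtgt/EXAMPLE"], tgt)
```

The client recovers the session key with the right password, fails with a wrong one, and cannot open the TGT with its own key even though it is the one carrying it to the TGS.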

John Simmons
http://bbciplayerabroad.co.uk/uk-vpn-free-trial/