Shared posts

02 Jun 16:03

NTLM vs KERBEROS

by Nuno-Tavares

NTLM vs KERBEROS

(WWW)

 

 

Podemos interpretar este post como os três W's, um para cada capítulo.

Vamos passar pelos conceitos basicos do NTLM e do Kerberos. Quais são as principais diferenças entre eles, como funciona o fluxo e como podemos identificar qual protocolo está sendo usado.

Então, sem mais demora. Aqui vai a história ...

 

 

Capítulo 1

The What:

 

O que é o NTLM?
O NTLM é um protocolo de autenticação. Era o protocolo padrão usado nas versões antigas do Windows, mas ainda é usado hoje. Se por algum motivo o Kerberos falhar, o NTLM será usado.
O NTLM possui um mecanismo de desafio / resposta.
Aqui está como funciona o fluxo NTLM:

1 - Um usuário acessa um computador cliente e fornece um nome de domínio, um nome de usuário e uma senha.
O cliente calcula um hash criptográfico da senha e descarta a senha real. O cliente envia o nome do usuário para o servidor (em texto sem formatação).

2 - O servidor gera um número aleatório de 16 bytes, chamado desafio, e o envia de volta ao cliente.

3 - O cliente criptografa esse desafio com o hash da senha do usuário e retorna o resultado para o servidor. Isso é chamado de resposta.

4 - O servidor envia os três itens a seguir para o controlador de domínio:
- Nome do usuário
- Desafio enviado ao cliente
- Resposta recebida do cliente

5 - O controlador de domínio usa o nome de usuário para recuperar o hash da senha do usuário. Ele compara o desafio criptografado com a resposta do cliente (na etapa 4). Se eles forem idênticos, a autenticação será bem-sucedida e o controlador de domínio notificará o servidor.

6 - O servidor envia a resposta apropriada de volta ao cliente.

 

O que é o Kerberos?
O Kerberos é um protocolo de autenticação. É o protocolo de autenticação padrão nas versões do Windows acima do W2k, substituindo o protocolo de autenticação NTLM.
Aqui está como o fluxo do Kerberos funciona:

1 - Um usuário loga na máquina cliente. O cliente faz um pedido de texto simples (TGT). A mensagem contém: (ID do usuário; ID do serviço solicitado (TGT); O endereço de rede do cliente (IP); tempo de vida da validação)

2 - O servidor de autenticação verificará se o usuário existe no banco de dados do KDC. Se o usuário for encontrado, ele gerará aleatoriamente uma chave (chave de sessão) para uso entre o usuário e o Servidor de Concessão de Ticket (TGS). O servidor de autenticação enviará duas mensagens de volta para o cliente: - Um é criptografado com a chave secreta do TGS. - Um é criptografado com a chave secreta do cliente.

NOTA: A chave de sessão TGS é a chave compartilhada entre o cliente e o TGS. A chave secreta do cliente é o hash das credenciais do usuário (nome de usuário + senha).

3 - O cliente descriptografa a chave e pode fazer logon, fazendo o cache localmente. Ele também armazena o TGT criptografado em seu cache. Ao acessar um recurso de rede, o cliente envia uma solicitação ao TGS com o nome do recurso que ele deseja acessar, o ID do usuário / registro de data e hora e o TGT em cache.

4 - O TGS descriptografa as informações do usuário e fornece um tíquete de serviço e uma chave de sessão de serviço para acessar o serviço e enviá-lo de volta ao Cliente depois de criptografado.

5 - O cliente envia o pedido para o servidor (criptografado com o tíquete de serviço e a chave de sessão)

6 - O servidor descriptografa o pedido e, se for genuíno, fornece acesso ao serviço.

 

 

Capítulo 2

The When:

 

Como podemos identificar quando estamos usando o NTLM ou o Kerberos?
Podemos confirmar a autenticação sendo usada pela simples coleta de um Fiddler. No Fiddler, podemos ver os pedidos sendo feitos nos Inspetores / Cabeçalhos:

Kerberos:

NTLM:

 

Se a solicitação iniciar com o Kerberos e falhar, o NTLM será usado. Podemos ver a resposta nos cabeçalhos também:

 

Quais são as dependências do Kerberos?
Tanto o cliente quanto o servidor precisam estar executando o W2k ou versões posteriores e estar no mesmo domínio ou confiável.
Um SPN precisa existir no AD para a conta de domínio em uso para executar o serviço no qual o cliente está sendo autenticado.

 

 

Capítulo 3

The Why:

Os hashes NTLMv1 podem ser quebrados em segundos com a computação de hoje, pois eles têm sempre o mesmo tamanho e não são salted.
O NTLMv2 é um pouco melhor, desde o tamanho variável e o hash salted, mas não muito melhor. Mesmo que o hash seja salted antes de ser enviado, ele é salvo unsalted na memória de uma máquina.
E claro, quando falamos sobre o NTLM, falamos sobre um mecanismo de desafio / resposta, que expõe sua senha ao cracking off-line ao responder ao desafio.

O Kerberos fornece várias vantagens sobre o NTLM:
- Mais seguro: Nenhuma senha armazenada localmente ou enviada pela rede.
- Melhor desempenho: desempenho aprimorado em relação à autenticação NTLM.
- Suporte à delegação: os servidores podem representar clientes e usar o contexto de segurança do cliente para acessar um recurso.
- Gerenciamento de confiança mais simples: evita a necessidade de ter relações de confiança p2p em ambientes de vários domínios.
- Suporta MFA (Multi Factor Authentication)

 

O fim

11 Nov 22:18

Study Finds Robot Surgeons Are Actually Slower and More Expensive

by EditorDavid
"Robot-assisted surgery costs more time and money than traditional methods, but isn't more effective, for certain types of operations," reports the Register, in an article shared by schwit1: In a study of almost 24,000 laparoscopic surgeries just published in The Journal of American Medicine, researchers from Stanford University School of Medicine analyzed data from 416 hospitals around the U.S. from 2003 to 2015. Robotic assistance provides 3D-visualization, a broader range of motion for instruments, and better ergonomics for physicians, according to the study. While it has advantages in scenarios where a high-degree of precision is required or where improved outcomes have been demonstrated (like radical prostatectomy), it appears to be a waste of resources for the two operations examined... But the patient outcomes were more or less the same. A thematically-related economic study presented by the National Bureau for Economic Research on Monday suggests that while AI and machine learning have received substantial investment over the past five years and have been widely touted as a transformative technologies, "there is little sign that they have yet affected aggregate productivity statistics... The simplest possibility is that the optimism about the potential technologies is misplaced and unfounded," muse Erik Brynjolfsson and Daniel Rock (MIT), Chad Syverson (University of Chicago) in the paper. But instead the paper's author suggest that fully realizing the benefits of AI "will require effort and entrepreneurship to develop the needed complements, and adaptability at the individual, organizational, and societal levels to undertake the associated restructuring."

Share on Google+

Read more of this story at Slashdot.

21 Sep 19:28

09/15/17 PHD comic: 'Inner Gollum'

Piled Higher & Deeper by Jorge Cham
www.phdcomics.com
Click on the title below to read the comic
title: "Inner Gollum" - originally published 9/15/2017

For the latest news in PHD Comics, CLICK HERE!

01 Sep 01:06

Penny-Farthing: The Main Vehicle of Men in the Last Half of the 19th Century

by Alogueben
The penny-farthing, also known as a high wheel, high wheeler and ordinary, is a type of bicycle with a large front wheel and a much smaller rear wheel. It was popular after the boneshaker until the development of the safety bicycle in the 1880s. It was the first machine to be called a "bicycle".

Although the trend was short-lived, the penny-farthing became a symbol of the late Victorian era. Its popularity also coincided with the birth of cycling as a sport.

These interesting photos that show men with their penny-farthings from the last half of the 19th century.






See more »
01 Sep 00:55

Six Feet Above

by boulet
20 Aug 02:59

16-01-2017

by noreply@blogger.com (Laerte Coutinho)

30 Jun 12:56

by Loading Artist

02 May 16:54

Saturday Morning Breakfast Cereal - Monty Hall Problems

by tech@thehiveworks.com


Click here to go see the bonus panel!

Hovertext:
Actually, pretty much everything beyond intro calculus is run by goblins.

New comic!
Today's News:
23 Dec 03:33

petitesaretes: I made a comic about every comment thread under...

by madgastronomer










petitesaretes:

I made a comic about every comment thread under any content involving a fat person existing. Ever.
This counts as my inktober #1 because I spent way more time on it than I should have.

05 Nov 16:09

Live the Dream

by Doug
05 Sep 12:47

dustinteractive: Drone wars in Tokyo









dustinteractive:

Drone wars in Tokyo

27 Jan 13:52

Tie

by admin

Tie

16 Nov 12:10

Os fortes

by Will Tirando

fortes marombados inteligência inteligentes sabedoria entenderão suplemento whey

16 Nov 12:10

Tumblr | bc5.jpg

bc5.jpg
16 Nov 12:00

Viva Intensamente # 231

by Will Tirando

cão cachorro espaço foguete marte urina marcar território nasa robô

16 Nov 11:59

The Most Amazing Halloween Costume Ever by Doctor Popular











The Most Amazing Halloween Costume Ever by Doctor Popular

16 Nov 11:52

Photo



16 Nov 11:49

(via Andy H.)



(via Andy H.)

24 Aug 20:19

Photo

Jagripino

Sounds legit



24 Aug 19:51

RT @juliana_m: Eu nunca vou perdoar a Google por ter matado o reader. Nunca passou...

by Pai Osias
Jagripino

Nunquinha

800px-Coturnix_coturnix_eggs_normal.jpg
Author: Pai Osias
Source: Mobile Web (M2)
RT @juliana_m: Eu nunca vou perdoar a Google por ter matado o reader. Nunca passou de doer.
26 Jun 14:26

you-want-this-url-huh: nickxdee: THIS IS NEVER NOT FUNNY i...











you-want-this-url-huh:

nickxdee:

THIS IS NEVER NOT FUNNY

i really thought they were talking about colons at first

26 Jun 14:24

El de Iron Man es mi favorito por @The_False_Joker


26 Jun 14:16

Evensong

Vespers

 Expaded from Oglaf's feed by Oglaf comic's expander.

28 May 12:58

Captain Metaphysics and the Wizard of Elea




Plus, everyone knows it's a stupid thought experiment anyway.
28 May 12:55

A Softer World: 1239


buy this comic as a print!
Or share on: facebookreddit
If you enjoy the comic, please consider supporting A Softer World on Patreon
28 May 12:54

2 for 1 drinks this week at QWOP tavern.



2 for 1 drinks this week at QWOP tavern.

28 May 12:54

hopes

by Lunarbaboon

Buy the book and help the ugly man behind this comic... http://lunarbaboon.bigcartel.com/

14 May 12:24

"Get a rat and put it in a cage and give it two water bottles. One is just water, and one is water..."

Get a rat and put it in a cage and give it two water bottles. One is just water, and one is water laced with either heroin or cocaine. If you do that, the rat will almost always prefer the drugged water and almost always kill itself very quickly, right, within a couple of weeks. So there you go. It’s our theory of addiction.

Bruce comes along in the ’70s and said, “Well, hang on a minute. We’re putting the rat in an empty cage. It’s got nothing to do. Let’s try this a little bit differently.” So Bruce built Rat Park, and Rat Park is like heaven for rats. Everything your rat about town could want, it’s got in Rat Park. It’s got lovely food. It’s got sex. It’s got loads of other rats to be friends with. It’s got loads of colored balls. Everything your rat could want. And they’ve got both the water bottles. They’ve got the drugged water and the normal water. But here’s the fascinating thing. In Rat Park, they don’t like the drugged water. They hardly use any of it. None of them ever overdose. None of them ever use in a way that looks like compulsion or addiction. There’s a really interesting human example I’ll tell you about in a minute, but what Bruce says is that shows that both the right-wing and left-wing theories of addiction are wrong. So the right-wing theory is it’s a moral failing, you’re a hedonist, you party too hard. The left-wing theory is it takes you over, your brain is hijacked. Bruce says it’s not your morality, it’s not your brain; it’s your cage. Addiction is largely an adaptation to your environment.

[…]

We’ve created a society where significant numbers of our fellow citizens cannot bear to be present in their lives without being drugged, right? We’ve created a hyperconsumerist, hyperindividualist, isolated world that is, for a lot of people, much more like that first cage than it is like the bonded, connected cages that we need. 

The opposite of addiction is not sobriety. The opposite of addiction is connection. And our whole society, the engine of our society, is geared towards making us connect with things. If you are not a good consumer capitalist citizen, if you’re spending your time bonding with the people around you and not buying stuff—in fact, we are trained from a very young age to focus our hopes and our dreams and our ambitions on things we can buy and consume. And drug addiction is really a subset of that.



-

Johann Hari,

Does Capitalism Drive Drug Addiction?

(via bigfatsun)

As a recovering addict this is an interesting read. I’m constantly battling right-wingers telling me it’s my fault and always being told by doctors it’s in my nature. But hearing this about my environment makes a lot of sense, I fell into addiction in a very bad time in my life when I was very isolated, and most of the addicts I know are the same. Addiction is definitely related to depression and this is affected by environment. I like this article.

(via soymilkbitch)

Bruce Alexander did the Rat Park experiments in the seventies.  I am kind of horrified and outraged that I’ve heard about the empty-cage rat experiments but never once about his.

(via animatedamerican)

13 May 15:07

Vatican agrees first treaty with State of Palestine 'disappointing' Israel - Daily Mail

Jagripino

Oh boo hoo.


Daily Mail

Vatican agrees first treaty with State of Palestine 'disappointing' Israel
Daily Mail
The Vatican is preparing to sign a treaty which will recognise the state of Palestine on paper for the first time ahead of Pope Francis meeting the country's President, Mahmoud Abbas. The treaty, which is being drawn up by a group called the Bilateral ...
Vatican recognises State of Palestine: Does this mean Israel is becoming more ...The Independent
Vatican agrees first treaty with State of Palestine, solidifying relationshipReuters
No solution for Palestinian refugees without justice for Jewish onesi24news
New York Times
all 550 news articles »
13 May 00:07

One factor behind falling share of Americans who call themselves Christian

Jagripino

The Pew survey found that those unaffiliated with a faith tradition are now the second-largest religious demographic group after Evangelicals, with about 23 percent of the population. Among these, atheists and agnostics have jumped from 4 percent of the population in 2007 to more than 7 percent of the population in 2014, and most have more liberal political views.

In 2007, more than 78 percent of Americans said they practiced some form of Christianity. Today, in apparently the lowest figure in US history, 70.6 percent identify as Christians, according to a new Pew study.