Attacks: Man in the Middle

This lesson explains the man-in-the-middle attack vulnerability in Kerberos.

A man-in-the-middle attack, also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. In the case of Kerberos, the attacker is placed between the KDC and the client and tries to spoof the client into thinking that they are the real KDC.

Mounting a man-in-the-middle attack when the Kerberos protocol is in place is slightly complicated and was first reported by Dug Song. Note that Kerberos was designed with the ability to run in an untrusted network. The two parties at each end mutually authenticate each other, so the possibility of a man-in-the-middle attack doesn’t arise. However, some applications (e.g., PAM modules in Unix) rely only on receiving the TGT to authenticate a user and don’t complete the other ticket exchanges in the protocol; a login service authenticating a user to a machine is a typical example. The user enters their password, P, and an AS_REQ message is sent to the KDC. When the response, AS_REP, is received, it is decrypted using the key derived from the user’s password, P. If the decryption is successful, the user is authenticated to the machine.

However, this approach has flaws, as the following sequence demonstrates:

  1. The attacker is in possession of a valid username but doesn’t know the password.
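As an added example (not part of this lesson), the following Python simulation models the login check described above: a client whose only proof is that AS_REP decrypts with the typed password, beside the same login completed with a host ticket verified against the machine's keytab. The cryptography is a toy keyed-MAC stand-in, and all keys, principals and the host name are constructed for the simulation.

```python
import hashlib, hmac, json, os
# Toy stand-in for Kerberos encryption: a keyed MAC over a JSON payload.
# unseal() raises ValueError on a wrong key, mirroring a failed decrypt.
def string_to_key(password: str, realm: str = "EXAMPLE.ORG") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 20_000)

def seal(key: bytes, payload: dict) -> bytes:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("decryption failed")
    return json.loads(body)

class KDC:
    """Answers AS_REQ with the user keys it holds and TGS_REQ with its host keys."""
    def __init__(self, user_keys: dict, host_keys: dict):
        self.user_keys, self.host_keys = user_keys, host_keys
        self.tgt_key = os.urandom(32)                 # this KDC's krbtgt key

    def as_rep(self, user: str):
        sk = os.urandom(16).hex()
        enc_part = seal(self.user_keys[user], {"cname": user, "session_key": sk})
        return enc_part, seal(self.tgt_key, {"cname": user, "session_key": sk})

    def tgs_rep(self, tgt: bytes, host: str) -> bytes:
        who = unseal(self.tgt_key, tgt)["cname"]
        key = self.host_keys.get(host, os.urandom(32))  # no host key: junk ticket
        return seal(key, {"cname": who, "sname": "host/" + host})

def login(kdc: KDC, user: str, typed_password: str, host: str, keytab: dict = None) -> bool:
    """keytab=None is the flawed shortcut: a decryptable AS_REP counts as proof.
    With the host keytab, the login also fetches a host ticket and verifies it."""
    enc_part, tgt = kdc.as_rep(user)
    try:
        unseal(string_to_key(typed_password), enc_part)    # AS_REP decrypts?
        if keytab is None:
            return True
        return unseal(keytab[host], kdc.tgs_rep(tgt, host))["cname"] == user
    except ValueError:
        return False

# Constructed setup: the host keytab, the genuine KDC, and a spoofed KDC that
# holds its own key for "alice" (any password it likes) but not the host key.
HOST = "ws1.example.org"
KEYTAB = {HOST: os.urandom(32)}
GENUINE_KDC = KDC({"alice": string_to_key("correct horse")}, dict(KEYTAB))
SPOOFED_KDC = KDC({"alice": string_to_key("anything")}, {})
```

Only the genuine KDC can issue a host ticket that the local keytab verifies, so the validated login rejects a spoofed KDC that the shortcut would have accepted.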
