I am working on improving Bro’s ability to detect Kerberos attacks (specifically certain instances of Skeleton Key attacks and encryption downgrades), which requires adjusting what information Bro passes up to the scripting layer. A generic breakdown of some of the attacks and detection methods can be found here (https://www.blackhat.com/docs/eu-15/materials/eu-15-Beery-Watching-The-Watchdog-Protecting-Kerberos-Authentication-With-Network-Monitoring-wp.pdf).
Currently, Bro treats the ETYPE_INFO and ETYPE_INFO2 parts of the KRB Error packets the same and only extracts the password salts (if they exist). Because all of the pre-auth data gets stored into the KRB::Type_Value_Vector data structure, making all of the data in the ETYPE_INFO2 sections available will likely require modifying the structure of how pre-auth data is stored and made accessible in scripts.
Is anyone currently using information from “pa_data” in any scripts (especially the salt information from ETYPE_INFO2 fields)? I’d like to understand how other people are using this data currently so that I can make sure I don’t break use cases in the process.
Also, are there any recommendations for other parts of Bro’s code to study as good examples of passing back highly variable data structures?
-John
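For readers following the thread: the two PA-DATA types John mentions differ in their ASN.1 definitions (RFC 4120 5.2.7.4 and 5.2.7.5). ETYPE-INFO-ENTRY carries its salt as an OCTET STRING and has no s2kparams, while ETYPE-INFO2-ENTRY carries a KerberosString salt plus an optional s2kparams OCTET STRING, so a decoder that wants more than the salt has to branch on the padata-type. The following is an added, self-contained Python example (not Bro's BinPAC parser and not code from the post) that decodes both entry forms from DER and applies a simple downgrade heuristic of the kind the linked paper describes. The DER samples are constructed here, not captured traffic, and the principal/realm in the salt, the weak-etype set and the `downgrade_suspected` rule are this example's own assumptions.

```python
"""Decoder for Kerberos ETYPE-INFO / ETYPE-INFO2 padata (RFC 4120 5.2.7.4, 5.2.7.5).
Added example, not Bro's parser. All sample bytes below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

PA_ETYPE_INFO, PA_ETYPE_INFO2 = 11, 19          # padata-type values (RFC 4120 7.5.2)
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}          # assumption: single-DES and RC4 count as "weak"

# DER tags used here
SEQUENCE, INTEGER, OCTET_STRING, GENERAL_STRING = 0x30, 0x02, 0x04, 0x1B
CTX0, CTX1, CTX2 = 0xA0, 0xA1, 0xA2              # explicit context tags [0] [1] [2]


@dataclass
class EtypeInfoEntry:
    etype: int
    salt: Optional[bytes]
    s2kparams: Optional[bytes]   # only ever present in ETYPE-INFO2


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos). Rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _unwrap(buf: bytes, want: int) -> bytes:
    """Decode exactly one TLV that fills buf and check its tag."""
    tag, value, end = _read_tlv(buf, 0)
    if tag != want or end != len(buf):
        raise ValueError(f"expected single tag 0x{want:02x}, got 0x{tag:02x}")
    return value


def parse_etype_info(pa_type: int, data: bytes) -> List[EtypeInfoEntry]:
    """ETYPE-INFO2-ENTRY ::= SEQUENCE { etype [0] Int32, salt [1] KerberosString OPTIONAL,
    s2kparams [2] OCTET STRING OPTIONAL }. ETYPE-INFO-ENTRY has an OCTET STRING salt
    and no s2kparams, so the salt tag and the allowed fields depend on pa_type."""
    if pa_type not in (PA_ETYPE_INFO, PA_ETYPE_INFO2):
        raise ValueError(f"not an ETYPE-INFO padata type: {pa_type}")
    salt_tag = GENERAL_STRING if pa_type == PA_ETYPE_INFO2 else OCTET_STRING
    entries, pos, seq = [], 0, _unwrap(data, SEQUENCE)
    while pos < len(seq):
        tag, entry, pos = _read_tlv(seq, pos)
        if tag != SEQUENCE:
            raise ValueError("entry is not a SEQUENCE")
        etype = salt = s2k = None
        p = 0
        while p < len(entry):
            ctx, inner, p = _read_tlv(entry, p)
            if ctx == CTX0:
                etype = int.from_bytes(_unwrap(inner, INTEGER), "big", signed=True)
            elif ctx == CTX1:
                salt = _unwrap(inner, salt_tag)
            elif ctx == CTX2 and pa_type == PA_ETYPE_INFO2:
                s2k = _unwrap(inner, OCTET_STRING)
            else:
                raise ValueError(f"unexpected tag 0x{ctx:02x} in entry")
        if etype is None:
            raise ValueError("entry without etype")
        entries.append(EtypeInfoEntry(etype, salt, s2k))
    return entries


def downgrade_suspected(client_etypes: Sequence[int],
                        entries: Sequence[EtypeInfoEntry]) -> bool:
    """Heuristic (assumption of this example): the client advertised a strong etype in
    its AS-REQ, yet the KDC's ETYPE-INFO2 offers only weak ones. Accounts that genuinely
    lack AES keys trigger this too, so treat a hit as a lead rather than a verdict."""
    offered = {e.etype for e in entries}
    client_strong = any(e not in WEAK_ETYPES for e in client_etypes)
    return client_strong and bool(offered) and offered <= WEAK_ETYPES


# --- constructed samples (DER with short-form lengths only) ---
def _der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _entry(etype: int, salt: Optional[bytes] = None, s2k: Optional[bytes] = None,
           salt_tag: int = GENERAL_STRING) -> bytes:
    body = _der(CTX0, _der(INTEGER, bytes([etype])))   # all etypes used here are < 128
    if salt is not None:
        body += _der(CTX1, _der(salt_tag, salt))
    if s2k is not None:
        body += _der(CTX2, _der(OCTET_STRING, s2k))
    return _der(SEQUENCE, body)


SAMPLE_INFO2_NORMAL = _der(SEQUENCE, _entry(18, b"EXAMPLE.COMjdoe") + _entry(23))
SAMPLE_INFO2_DOWNGRADE = _der(SEQUENCE, _entry(23))
SAMPLE_INFO_OLD = _der(SEQUENCE, _entry(3, b"EXAMPLE.COMjdoe", salt_tag=OCTET_STRING))

if __name__ == "__main__":
    for e in parse_etype_info(PA_ETYPE_INFO2, SAMPLE_INFO2_NORMAL):
        print(ETYPE_NAMES.get(e.etype, e.etype), e.salt, e.s2kparams)
    print("downgrade?", downgrade_suspected(
        [18, 17, 23], parse_etype_info(PA_ETYPE_INFO2, SAMPLE_INFO2_DOWNGRADE)))
```

Feeding the old ETYPE-INFO sample through the ETYPE-INFO2 branch fails on the salt tag, which is the concrete reason the two padata types cannot share one extraction path once more than the salt is wanted. Whatever script-layer record replaces the current vector would need at least the three fields of EtypeInfoEntry per entry, plus the padata-type that produced it.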