Walking Your Dog in Multiple Forests - Breaking AD Trust Boundaries through Kerberos Vulnerabilities

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 2:20 p.m. (40 minutes)

In larger enterprise environments, multiple Active Directory forests are often in use to separate different environments or parts of the business. To enable integration between the different environments, forest trusts are set up. The goal of such a trust is to allow users from the other forest to authenticate while maintaining the security boundary that an Active Directory forest offers. In 2018, this boundary was broken through default delegation settings and Windows features with unintended consequences. In 2019 the security boundary was once again established through a set of changes in Active Directory. This research introduces a vulnerability in Kerberos and forest trusts that allows attackers to break the trust once again. The talk will provide technical details on how Kerberos works over forest trusts and how the security boundary is normally enforced. Then the talk will discuss a flaw in how AD forest trusts operate and how this can be combined with a vulnerability in the Windows implementation of Kerberos to take over systems in a different forest (from a compromised trusted forest). The talk will be accompanied by a proof-of-concept and a demonstration of abusing the vulnerability.


Presenters:

  • Dirk-jan Mollema - Security Expert, Fox-IT
    Dirk-jan Mollema is one of the core researchers of Active Directory and Azure AD at Fox-IT. Amongst the open source tools published to advance the state of AD research are aclpwn, krbrelayx, mitm6 and a Python port of BloodHound. He blogs at dirkjanm.io, where he publishes about new Active Directory attack chains, which included the discovery of the PrivExchange vulnerability. He is also co-author of ntlmrelayx and contributor to several other open source tools and libraries. He presented previously at TROOPERS, DEF CON and BlueHat and was part of the 75 MSRC most valuable researchers 2018/2019 through his Azure AD research.