Is This My Domain Controller? A New Class of Active Directory Protocol Injection Attacks

Presented at Black Hat Europe 2021, Nov. 11, 2021, 10:20 a.m. (40 minutes).

When analyzing the security of cryptographic systems, a critical part is resiliency against eavesdroppers as well as machine-in-the-middle (MitM) attacks. Over the years, researchers have been able to break many supposedly secure protocols using MitM attacks. A common theme in this family of vulnerabilities is the lack of proper validation of the identity of one or both communicating parties.

Focusing on Active Directory environments, the most common authentication protocols are Kerberos and NTLM. We will review previous MitM attacks found on Active Directory authentication protocols and the mitigation strategies previously implemented. We will show that the relay attack technique is not limited to NTLM alone and can be used to attack the newer Kerberos authentication protocol. In addition, we will show several injection attacks compromising client systems.

We'll show how validation mistakes can lead to devastating issues ranging from authentication bypass to remote code execution on various critical infrastructure systems. However, the issues are not limited to on-premises Windows networks but extend to other infrastructure such as domain-joined Unix machines, virtualization infrastructure, and even cloud directories such as Azure AD.

The talk will present a technical deep-dive into multiple vulnerabilities we have discovered, along with several demos. Demos include a MitM attack which allows an attacker to inject user passwords in a hybrid AD environment, allowing the attacker to authenticate as any user in the network. We will also show how a similar technique can be used to take over an organization's virtualization infrastructure.


Presenters:

  • Sagi Sheinfeld - Sr. Engineer, CrowdStrike
    Sagi Sheinfeld is a Sr. Engineer at CrowdStrike working on an Identity Protection product (previously Preempt). Sagi spent over 14 years researching cyber security projects. Previously, he served 8 years in an elite IDF unit doing cyber security research and development, and worked at IBM Security. Sagi is an expert on Windows internals. Sagi holds a B.Sc. in Computer Science.
  • Yaron Zinar - Sr. Manager, Engineering, CrowdStrike
    Yaron Zinar is a Sr. Manager at CrowdStrike working on an Identity Protection product (previously Preempt). Previously, Yaron spent over 16 years at leading companies such as Google where he held various positions researching and leading big data, machine learning, and cyber security projects. Yaron is an expert on Windows Authentication protocols and has previously presented his research at top conferences such as Black Hat and DEFCON. Yaron holds an M.Sc. in Computer Science with a focus on statistical analysis.
  • Eyal Karni - Sr. Engineer, CrowdStrike
    Eyal Karni is a Sr. Engineer at CrowdStrike working on an Identity Protection product (previously Preempt). Eyal spent over 11 years researching cyber security projects. Previously, he served 5 years in an elite IDF unit doing cyber security research and development. Eyal is an expert on Windows internals and has previously found numerous vulnerabilities. Eyal holds a B.Sc. in Mathematics and Physics.