Elevating Kerberos to the Next Level

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes)

Kerberos is the primary authentication protocol for on-premises Windows enterprise networks. As it's so crucial for enterprise security, a lot of research has focused on exploiting it for remote access and lateral movement, such as the well-known Golden/Silver ticket attacks. Comparatively little research has been undertaken on the implications of Kerberos for security on the local machine, especially for privilege escalation.

This presentation is a deep dive into the inner workings of Kerberos as it applies to local authentication and some of the unusual behaviors to be found within. We'll describe the security issues we've discovered, including authentication bypasses, sandbox escapes and arbitrary code execution in privileged processes.

We'll be releasing tooling to inspect and manipulate the state of the Kerberos authentication protocol on the local system so that you can perform your own research. Finally, we'll provide configuration changes that can be used to mitigate some of the by-design security issues that have been presented.


Presenters:

  • Nick Landers - Head of Adversarial R&D, NetSPI
    Nick Landers is Head of Adversarial R&D at NetSPI. His work involves training, consulting, malware development, and security research. He has authored and presented the "Dark Side Ops" course series for over 6 years at Black Hat, privately, and at various industry conferences. Internally, he develops tooling, processes, and strategies for offensive operations.
  • James Forshaw - Security Researcher, Google Project Zero
    James Forshaw is a security researcher in Google's Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities, he's been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate. He's also the author of the book "Attacking Network Protocols", available from No Starch Press.
