Presented at
DEF CON 29 (2021),
Aug. 7, 2021, 4 p.m.
(45 minutes).
Over the years, researchers were able to break many secure protocols using MitM attacks. A common theme in this family of vulnerabilities is the lack of proper validation for any of the communicating parties. We will review previous MitM attacks found on AD authentication protocols and the mitigation strategies previously implemented. We will show that the relay attack technique is not limited to NTLM alone and can be used to attack the newer Kerberos authentication protocol. In addition, we will show several injection attacks compromising client systems. We'll show how the lack of validation can lead to devastating issues ranging from authentication bypass to remote code execution on various critical infrastructure systems. However, the issues do not stop on Windows on-premises networks but span to other infrastructure such as domain-joined unix machines, virtualization infrastructure, open-source security audit tools and even cloud directories. The talk will deep-dive into multiple vulnerabilities we have discovered along with several demos. Demos include a MitM attack which allows an attacker to inject user passwords in a hybrid AD environment allowing the attacker to authenticate as any user in the network. We will also show how to use a similar technique to compromise many other IT infrastructure.
REFERENCES:
https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
https://labs.f-secure.com/archive/practically-exploiting-ms15-014-and-ms15-011/
https://www.securityfocus.com/bid/1616/info
Presenters:
-
Sagi Sheinfeld
- Sr. Engineer, CrowdStrike
Sagi Sheinfeld is a Sr. Engineer at CrowdStrike working on Identity Protection products (previously Preempt). Sagi spent over 14 years researching cyber security projects. Previously, he served 8 years in an elite unit of the IDF in Cyber Security Research and Development and in IBM Security. Sagi is an expert on Windows internals. Sagi holds a B.Sc in Computer Science.
@sagish1233
-
Eyal Karni
- Sr. Engineer, CrowdStrike
Eyal Karni is a Sr. Engineer at CrowdStrike working on Identity Protection products (previously Preempt). Eyal spent over 11 years researching cyber security projects. Previously, he served 5 years in an elite unit of the IDF in Cyber Security Research and Development. Eyal is an expert on Windows Internals and has previously found numerous vulnerabilities. Eyal holds a B.Sc in Mathematics and Physics.
@eyal_karni
-
Yaron Zinar
- Sr. Manager, Engineering, CrowdStrike
Yaron Zinar is a Sr. Manager at CrowdStrike working on Identity Protection products (previously Preempt). Previously, Yaron spent over 16 years at leading companies such as Google where he held various positions researching and leading big data, machine learning and cyber security projects. Yaron is an expert on Windows Authentication protocols and has previously presented his research at top conferences such as Black Hat and DEFCON. Yaron holds an M.Sc. in Computer Science with focus on statistical analysis.
@YaronZi
Links:
Similar Presentations: