Presented at
DEF CON 31 (2023),
Aug. 12, 2023, 4 p.m.
(20 minutes).
The Windows Active Directory authority and the MIT/Heimdal Kerberos stacks found on Linux/Unix based hosts often coexist in harmony within the same Kerberos realm. This talk and tool demonstration will show how this marriage is a match made in hell. Microsoft's Kerberos stack relies on non standard data to identify it's users. MIT/Heimdal Kerberos stacks do not support this non standard way of identifying users. We will look at how Active Directory configuration weaknesses can be abused to escalate privileges on *inux based hosts joined to the same Active Directory authority. This will also introduce an updated version of Rubeus to take advantage of some of these weaknesses.
REFERENCES:
* https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699
* https://www.catalyst.net.nz/blog/stay-curious-dollar-ticket-security-issue
* https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
* https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6435d3fb-8cf6-4df5-a156-1277690ed59c
Presenters:
-
Ceri Coburn
- Red Team Operator & Offensive Security Dev at Pen Test Partners
After a 20 career within the software development space, Ceri was looking for a new challenge and moved into pen testing back in 2019. During that time he has created and contributed to several open source offensive tools such as Rubeus, BOFNET and SweetPotato and on the odd occasion contributed to projects on the defensive side too. He current works as a red team operator and offensive security dev at Pen Test Partners.
Links:
Similar Presentations: