Walking the Bifrost: An operator's guide to Heimdal and Kerberos on macOS

Presented at Objective by the Sea version 3.0 (2020), March 12, 2020, 1:45 p.m. (50 minutes)

Credentials are more than just passwords. Kerberos is more than just Windows Active Directory. This talk goes into the inner workings of macOS's Heimdal implementation of Kerberos, credential caches, keytabs, hashes, tickets, and authentication mechanisms. We will walk through how Kerberos works, how Active Directory-joined macOS endpoints can be leveraged from an offensive perspective, and how defenders can start looking for these techniques. Finally, we'll do a deep dive into the LKDC, the local key distribution center located on every macOS endpoint since 10.5, and how that can be leveraged from an offensive perspective when a Mac is NOT joined to an Active Directory domain. All techniques covered in the talk will be available in an open-source tool called Bifrost, which leverages native Kerberos APIs without the need for Python or scripting languages.


Presenters:

  • Cody Thomas - Red Team Operator & Developer, Specter Ops
    Cody Thomas is a red team operator and developer focusing on macOS and *nix devices. He created the initial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team at MITRE. Cody has spoken at a few conferences and works on his open source framework for Red Teaming called Apfell.
