Elevating Kerberos to the Next Level

Explore the weaknesses of the Kerberos authentication protocol, and learn how to raise it to the next level of security by preventing attacks such as impersonation and privilege escalation.

Key takeaways
  • Kerberos authentication is open to attack because services trust the group membership carried in a ticket's PAC (Privilege Attribute Certificate), including membership of the default domain admin group, without validating the PAC.
  • The LSA (Local Security Authority) handles Kerberos authentication and can hand out the session key, but it was not designed to do so securely.
  • A "silver ticket" attack can bypass UAC (User Account Control) and allow privilege escalation.
  • An LSA API function can be used to apply the loopback session ID to a credentials handle, allowing a fake credentials handle to be created.
  • The Kerberos protocol was not designed to handle loopback authentication; KDC (Key Distribution Center) pinning helps prevent this type of attack.
  • The Kerberos protocol uses a keyed hash (HMAC) to verify the integrity of the ticket-granting ticket.
  • The session key can be used to unlock the PAC and modify the group RIDs it contains.
  • The LSA process can be used to build a fake AP-REQ (Kerberos application request).
  • A fake credentials handle can be used to impersonate the user and gain administrative privileges.
  • A "TGT delegation" attack can be used to impersonate the user and gain administrative privileges.
  • An "unconstrained delegation TGT extraction" attack can be used to gain administrative privileges.
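The takeaways above say that the PAC is not validated and that a key in the attacker's hands is enough to rewrite the group RIDs. The following is an added example, not code from the talk or from any Windows component, that models why that works: it implements the KERB_CHECKSUM_HMAC_MD5 signature from RFC 4757 over a toy PAC body (a JSON stand-in, not the real MS-PAC NDR layout), issues a PAC the way a KDC would (server signature under the service key, KDC signature over the server signature under the krbtgt key), then forges a silver ticket PAC with only the service key. The service-side check passes on the forged PAC; a KDC-side PAC validation check does not. The key bytes and the user name are constructed for the demo.

```python
import hashlib
import hmac
import json
import struct

# Key usage number for both PAC signatures (KERB_NON_KERB_CKSUM_SALT, MS-PAC 2.8.1).
KEY_USAGE_PAC = 17
DOMAIN_ADMINS_RID = 512   # well-known RID of the Domain Admins group
DOMAIN_USERS_RID = 513    # well-known RID of the Domain Users group


def kerb_checksum_hmac_md5(key, data):
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757, section 4) over `data`.

    Ksign = HMAC-MD5(key, "signaturekey\\0")
    result = HMAC-MD5(Ksign, MD5(little-endian key usage || data))
    """
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", KEY_USAGE_PAC) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def encode_logon_info(user, group_rids):
    """Toy, deterministic stand-in for the PAC logon info buffer (not MS-PAC NDR)."""
    return json.dumps({"user": user, "group_rids": sorted(group_rids)}, sort_keys=True).encode()


def issue_pac(user, group_rids, service_key, krbtgt_key):
    """What the KDC does: sign the body with the service key, then sign that server
    signature with the krbtgt key (MS-PAC 2.8.2: the KDC signature covers the server signature)."""
    body = encode_logon_info(user, group_rids)
    server_sig = kerb_checksum_hmac_md5(service_key, body)
    kdc_sig = kerb_checksum_hmac_md5(krbtgt_key, server_sig)
    return {"body": body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def service_accepts(pac, service_key):
    """Default check a service performs: only the server signature, with its own key."""
    expected = kerb_checksum_hmac_md5(service_key, pac["body"])
    return hmac.compare_digest(pac["server_sig"], expected)


def kdc_validates(pac, krbtgt_key):
    """PAC validation: the KDC recomputes its signature over the presented server signature."""
    expected = kerb_checksum_hmac_md5(krbtgt_key, pac["server_sig"])
    return hmac.compare_digest(pac["kdc_sig"], expected)


def forge_silver_ticket_pac(pac, service_key):
    """Attacker holding only the service key: unlock the body, add Domain Admins,
    recompute the server signature. The KDC signature cannot be recomputed without krbtgt."""
    info = json.loads(pac["body"])
    info["group_rids"] = sorted(set(info["group_rids"]) | {DOMAIN_ADMINS_RID})
    body = json.dumps(info, sort_keys=True).encode()
    return {
        "body": body,
        "server_sig": kerb_checksum_hmac_md5(service_key, body),
        "kdc_sig": pac["kdc_sig"],  # stale copy; attacker has no krbtgt key
    }


def groups_in(pac):
    return json.loads(pac["body"])["group_rids"]


# Constructed demo keys for the example; not real credentials.
SERVICE_KEY = hashlib.md5(b"constructed-service-key").digest()
KRBTGT_KEY = hashlib.md5(b"constructed-krbtgt-key").digest()


def demo():
    genuine = issue_pac("lowpriv", [DOMAIN_USERS_RID], SERVICE_KEY, KRBTGT_KEY)
    forged = forge_silver_ticket_pac(genuine, SERVICE_KEY)
    return {
        "genuine_service": service_accepts(genuine, SERVICE_KEY),
        "genuine_kdc": kdc_validates(genuine, KRBTGT_KEY),
        "forged_service": service_accepts(forged, SERVICE_KEY),   # True: silver ticket works
        "forged_kdc": kdc_validates(forged, KRBTGT_KEY),          # False: PAC validation catches it
        "forged_groups": groups_in(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from running it: the server signature proves only that whoever holds the service key approved the body, which is exactly what a silver ticket attacker holds. Only the KDC signature ties the PAC back to the krbtgt key, and it protects nothing unless the service (or the LSA on its behalf) actually asks the KDC to verify it.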