Last week our team returned from hacker summer camp in Las Vegas, also known as Black Hat and DEF CON. We enjoyed meeting a lot of interesting people, discussing the latest security research, and exchanging ideas. This year, we also hosted our very own workshop on leveraging Kerberos delegation primitives in elaborate attack chains. The workshop was primarily based on our “Wagging the Dog” research that we published back in January.

Kerberos is one of the cornerstones of Active Directory, which is used by most large enterprises in the world, including many of our clients. Although Kerberos is a fundamental part of Active Directory, it is also arguably the most misunderstood authentication protocol, due to its complexity. When we add the mind-bending Kerberos delegation features to the mix, few people in the security industry have managed to keep up with the latest attack techniques.

After we published “Wagging the Dog”, which is one of the more elaborate research papers on this topic, one of our consultants challenged me to explain it to my eight-year-old twin daughters. I thought it was a good idea and came up with a story about an amusement park that almost perfectly aligned with Kerberos and the most complex Kerberos delegation features. My daughters loved it and were not only able to keep up with some of the most complex Active Directory attacks; they were also able to spot security issues and anticipate attack chains before I presented them.

My next challenge was “grownups”. I polished up the presentation and headed to Las Vegas. Our workshop covered the basics of Kerberos and the different delegation primitives incrementally. We explained the rationale behind each primitive, highlighted security issues, and put together increasingly complex attack chains. The attack techniques we presented covered various tactics, such as “lateral movement”, “persistence”, and “privilege escalation”.

The workshop also included a series of hands-on exercises in a lab we created in AWS, consisting of over 400 servers: domain-joined, fully patched Windows Server 2019 hosts and non-domain-joined Linux hosts.

During the workshop, we also published a post titled “Gone to the Dogs”, in which we disclose a live “zero-day” local privilege escalation attack that affects all domain-joined Windows 10 hosts, as well as domain-joined Windows Server 2016 and Windows Server 2019 hosts in certain configurations. We had reported this vulnerability to Microsoft, and they failed to respond.

In this new attack chain, a malicious user with low-privileged access to an affected host can trick the host into authenticating to a rogue server using the host’s computer account. This authentication request can be relayed to a domain controller to configure a special type of Kerberos delegation to that host. Once delegation is configured, the malicious user can impersonate an administrator to the affected host and compromise it.

The following video demonstrates this attack chain:


This attack chain is very similar to another local privilege escalation attack that we published back in January as part of “Wagging the Dog”, again after reporting to Microsoft and being informed that they would not patch it. Therefore, we highlighted the issue and the controls that can be put in place to mitigate and detect this class of attacks.

We got very positive feedback on the workshop, the slide deck, and the “zero-day”, and had a lot of fun spreading the gospel of Kerberos delegation attacks.

You can download our DEF CON slide deck from here. Unfortunately, you will not be able to hear me telling the story, but we will hopefully deliver similar workshops soon.

In the meantime, we are working on some interesting red team adversary simulations and penetration tests for our clients and have a few more cutting-edge research projects that we may be able to publish soon.

If you would like to have our red team challenge your security posture and identify gaps in your defences through a penetration test or an adversary simulation, or you would like to book a private training session for your internal blue/red team, please contact us at The Missing Link.



Author

Elad Shamir

Managing Security Consultant