Title: Constructing Kerberos Attacks with Delegation Primitives
Instructor: Elad Shamir & Matt Bush
Abstract: Kerberos delegation is a dangerously powerful feature that allows services to impersonate users. Due to the complexity of Kerberos delegation attacks, they are often overlooked or left unexplored. However, the introduction of Resource-based Constrained Delegation substantially widens the Kerberos attack surface, making it more important than ever for security professionals to engage with this challenge. This workshop will offer security professionals a deep dive into Kerberos delegation and demonstrate how it can be abused for privilege escalation and lateral movement.
We will open with a crash-course in Microsoft’s Kerberos implementation and its delegation features, from the fundamentals of Kerberos authentication, through legacy unconstrained delegation, to classic constrained delegation. We will offer demos and hands-on labs to experiment with abusing these features.
In the second half of the workshop, we will cover resource-based constrained delegation, explain the differences between classic constrained delegation and resource-based constrained delegation, and explore novel attack primitives including:
- Compromising hosts by modifying Active Directory computer objects
- Bypassing restrictions on protocol transition to impersonate arbitrary users
- Compromising a host by abusing the ticket-granting-ticket of a computer account
- Performing local privilege escalation on Windows 10 and Windows Server 2016/2019 hosts by abusing account profile pictures
- Performing remote code execution on SQL Servers through directory listing abuse
- Achieving hostless domain persistence
Participants will get an opportunity to try the above attacks in a lab environment.
We will also explore mitigating controls, as well as detection opportunities.
Level: Intermediate
Pre-Requisites: Basic familiarity with Windows and Active Directory environments
Required Materials: A laptop with the ability to connect to a VPN and establish an RDP connection with a remote host.