Breaking AD Trust Boundaries through Kerberos Vulnerabilities

Logo
Presented by

Dirk-jan Mollema, Core researcher of Active Directory and Azure AD Fox-IT // Jeff Deininger, Principal Cloud SE, ExtraHop

About this talk

In larger enterprise environments multiple Active Directory forests are often in use to separate different environments or parts of the business. To enable integration between the different environments, forests trusts are set up. The goal of this trust is to allow users from the other forest to authenticate while maintaining the security boundary that an Active Directory forest offers. In 2018, this boundary was broken through default delegation settings and Windows features with unintended consequences. In 2019 the security boundary was once again established through a set of changes in Active Directory. This research introduces a vulnerability in Kerberos and forest trusts that allows attackers to break the trust once again. The talk will provide technical details on how Kerberos works over forest trusts and how the security boundary is normally enforced. Then the talk will discuss a flaw in how AD forest trusts operate and how this can be combined with a vulnerability in the Windows implementation of Kerberos to take over systems in a different forest (from a compromised trusted forest). The talk will be accompanied by a proof-of-concept and a demonstration of abusing the vulnerability.

Related topics:

More from this channel

Upcoming talks (1)
On-demand talks (186)
Subscribers (9680)
The prevention and protection model of cybersecurity isn’t working: between the cloud, IoT, and the sheer pace of change, the enterprise is no longer built to be walled in. This channel provides educational webinars to help SecOps (SOC) and NetOps (NOC) teams, from CIOs and CISOs to analysts and practitioners, change their perspective in order to identify, investigate, and respond to threats across the modern attack surface. We explore how cloud-native network detection and response (NDR) provides the complete visibility, real-time threat detection, and intelligent response you need to secure your hybrid environment. You’ll also find product information about ExtraHop Reveal(x) which enables you to: Eliminate blind spots: Cover 100% of your hybrid environment, Detect what matters: Find threats 95% faster, and Act quickly: Respond to breaches 70% faster. Learn more at www.extrahop.com