44CON2022

Kerberos is the primary network authentication protocol for on-premise Windows enterprise networks. As it’s so crucial for enterprise security a lot of research has focused on exploiting it for remote access and lateral movement such as the well known Golden/Silver ticket attacks. Comparatively little research has been undertaken on the implications of Kerberos for security on the local machine especially for privilege escalation.

One of the difficulties of dealing with Kerberos to find interesting vulnerabilities is its complex nature. There’s existing tools such as Kekeo and Rubeus but they don’t lend themselves well to playing around with Kerberos artifacts. Therefore I have my own tool set as part of the NtObjectManager PowerShell module which exposes the majority of Kerberos to scripts.

This presentation is an overview of the tooling that I’ve written to play with Kerberos and a deep dive into some bugs that I’ve discovered using them.