Black Hat Europe资料eu-15-Beery-Watching-The-Watchdog-Protecting-Kerberos-Authentication-With-Network-Monitoring-wp.pdfVIP

WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING Authors: Tal Be’ery, Sr. Security Research Manager, Microsoft Michael Cherny, Sr. Security Researcher, Microsoft November 2015 Contents Intro 3 The Kerberos protocol 4 Kerberos Message Flow 4 The Kerberos TGT 5 Network Monitoring of the Kerberos Protocol 6 Forged Key: The Skeleton Key Malware 7 The Skeleton Key Malware Technical details 7 Kerberos Pre-Authentication 8 Network-Based Detection of the Skeleton Key Malware 10 Passive downgrade detection 10 Active downgrade detection 11 Forged Ticket: The Golden Ticket Attack 12 Attack Details 12 Network Based Detection of the Golden Ticket Attack 12 Forged PAC: The MS14-068 Attack 15 The vulnerability: PAC can be signed without the key 15 The Exploit 17 Network Based Detection of MS14-068 Forged PAC 19 Forged PAC revisited: The Diamond PAC 20 Diamond PAC Generation and Injection 20 Network Based Detection of the Diamond PAC Attack 21 Intro Being the default authentication protocol for Windows-based networks, the Kerberos protocol is a prime target for attackers, especially for APTs attackers, seeking to steal the users identity and steal secrets from the enterprises data center. Recently, it seems that hacker had progressed from merely stealing Kerberos related tokens in order to steal the identity of the domain users, to forgery attacks in order to gain even greater powers within the domain. In this document we will explore in detail three different forging techniques and how they can be detected by using Network monitoring. These forging techniques were recently used by attackers to subvert different elements of the Kerberos protocol:  Forged key: Skeleton Key  Forget Ticket: Golden Ticket  Forged PAC: MS14-068 We will also suggest the “Diamond PAC” attack, a novel variant of the Gold