Taking Kerberos To The Next Level

James Forshaw | @tiraniddo

● Researcher @ Google Project Zero


● Specialize in Windows
○ Local Privilege Escalation
○ RPC/COM Internals
○ Token manipulation
● NtApiDotNet | D2J | OleViewDotNet

“Never met a logical vulnerability I didn’t like.”


Nick Landers | @monoxgas

● Adversarial R&D @ NetSPI


● Also specialize in Windows
○ Offensive tooling suites
○ Payload architectures
○ Vulnerability research
● sRDI | Dark Side Ops

“Your Prod is our Dev.”


Assumptions
● You understand the basics of Kerberos
● You’re (somewhat) familiar with existing remote attacks
● You want to see some local privilege escalation (LPE)
Talking to Yourself
can be good for you
Local Kerberos Authentication
(diagram, built up over five slides: Client Code and Server Code on host ABC.REALM, the Local Security Authority with its Kerberos Security Package, and KDC.REALM; the host’s SPN is HOST/ABC, its key is abc$@REALM, and the LSA holds the krbtgt/REALM TGT with its PAC)

❶ Client Code calls InitializeSecurityContext for SPN: HOST/ABC
❷ The Kerberos Security Package sends a TGS-REQ to KDC.REALM using the TGT
❸ The TGS-REP returns a HOST/ABC service ticket (TGS) carrying the PAC
❹ The AP-REQ is handed to Server Code, which calls AcceptSecurityContext
❺ The Kerberos Security Package decrypts the ticket with KEY: abc$@REALM, extracts the PAC and builds an Access Token
Local Kerberos Silver Ticket
(diagram: a Client process in the User Session talking to the Local Security Authority, which holds KEY: bob@REALM)

❶ Logon with credentials to initialize key in LSA: LsaLogonUser with u: REALM\bob, pw: Password!
❷ Convert credentials to key (KEY: bob@REALM)
❸ Use key to build silver ticket (a TGS for CIFS/Client)
❹ Build AP-REQ and accept it with AcceptSecurityContext
❺ Parse PAC and get token (CIFS/Client Token (admin))
Demo Time
LSA Internals
and how to break them
PAC Signature Validation
(diagram, built up over four slides: Client and KDC; the PAC carries a Server Signature and a KDC Signature, and the Kerberos Package in the Local Security Authority computes a Local Checksum)

❶ Compute local checksum of PAC with service key (KEY: bob@REALM)
❷ Verify PAC server signature against local value
❸ Send the KDC the checksum and signature to validate: a KERB_VERIFY_PAC_REQUEST over NETLOGON carrying the KDC Signature and the Local Checksum
❹ The KDC verifies the signature with the realm key (KEY: krbtgt@REALM) and replies


So how do Silver Tickets ever work?
(PAC validation isn’t always enabled)

Any of the following skips PAC validation:

“SYSTEM” Equivalent Logon Session:
    SeTcbPrivilege || SYSTEM || LOCAL/NETWORK SERVICE

Credentials Handle:
    cred->Flags & SECPKG_CRED_ATTR_PAC_BYPASS
    (auto)   AcquireCredentialsHandle w/ SECPKG_CRED_INBOUND && NT AUTHORITY\SERVICE && !KerbGlobalValidateKDCPACSignature
    (manual) SetCredentialsAttributes w/ SeTcbPrivilege

ASC Context Flags:
    context->Flags & ASC_RET_USE_SESSION_KEY   ???

ASC_RET_USE_SESSION_KEY ?

3.2.3. Receipt of KRB_AP_REQ Message

[...] If the USE-SESSION-KEY flag is set in the ap-options field, it indicates to the server that user-to-user authentication is in use, and that the ticket is encrypted in the session key from the server's TGT rather than in the server's secret key.

See Section 3.7 for a more complete description of the effect of user-to-user authentication on all messages in the Kerberos protocol.

RFC 4120 - Kerberos V5


User to User Authentication
(diagram: KDC.REALM, holding KEY: krbtgt@REALM, issues bob a TGT for KRBTGT/REALM and a U2U Ticket for CIFS/ABC; both carry b0b@REALM’s PAC, and the U2U Ticket is encrypted with the TGT’s Session Key rather than with the service key)

We now need the session key from our TGT to build the Silver Ticket
Trying to get a TGT + Session Key

PS C:\> $ticket = Get-KerberosTicket krbtgt
PS C:\> $ticket.SessionKey

KeyEncryption : AES256_CTS_HMAC_SHA1_96
Principal : krbtgt/[email protected]
NameType : SRV_INST

PS C:\> $ticket.SessionKey.Key | Format-HexDump
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

No session key?
Benjamin Delpy @gentilkiwi

Want to get a usable Kerberos TGT without admin rights/allowtgtsessionkey?
It's easy with a delegation ticket! (enabled by default...)
No special requirement, just some love
> github.com/gentilkiwi/kek...
Thank you @elad_shamir (and @TheColonial) for evil ideas!

https://twitter.com/gentilkiwi/status/998219775485661184
Unconstrained Delegation TGT Extraction
(diagram, built up over three slides: User Session and Local Security Authority; the LSA holds KEY: bob@REALM, a TGS for CIFS/KDC.REALM marked [Delegate: OK] with its Session Key, and the krbtgt/REALM TGT with its own Session Key)

❶ Request AP-REQ for delegatable service: InitializeSecurityContext + ISC_REQ_DELEGATE for SPN: CIFS/KDC.REALM
❷ Authenticator is encrypted with session key and contains the delegation TGT
❸ Query ticket cache for session key (LsaCallAuthPackage), decrypt, and extract TGT: the AP-REQ Authenticator’s GSSChecksum carries GSS_C_DELEG_FLAG and a KRB_CRED holding the krbtgt/REALM TGT, next to the Checksum and Timestamp
What can you add to the PAC?

PAC->LogonInfo
  Domain SID           Any domain SID which is not the local account domain.
  User ID              Any domain RIDs
  Group IDs            500   - REALM\Administrator
                       512   - REALM\Domain Administrator
                       1000+ - User and Computer Accounts
  Extra SIDs           Most SIDs which are not the local account domain or NT AUTHORITY
                       (Mandatory Integrity SID, Capability SIDs)
  Resource Domain SID / Resource Group IDs
                       Most SIDs which are not the local account domain or NT AUTHORITY
Demo Time
SeTokenCanImpersonate
(flowchart, built up over three slides: the checks a process must pass to impersonate a token)

Token Level < Impersonate              → Identification Check → Allowed
Process has Impersonate Privilege      → Allowed
Process IL < Token IL                  → Elevation Check
                                         (ignored if user is not a UAC admin, so it doesn’t apply to us)
Process User == Token User             → Restrict to Session ID → Allowed
                                         (Token IL and Token User can be controlled by the PAC)

Restrict to Session ID:

if (Primary->SessionId != Impersonation->SessionId &&
    Impersonation->SessionId == 0) {
    return STATUS_PRIVILEGE_NOT_HELD;
}
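To see how the four checks interact, here is an added example (not code from the talk and not Windows code) that models the SeTokenCanImpersonate decision as sketched on the slide, with the session-ID restriction reproduced verbatim. The field names, the order of the checks, and the outcome for paths the slide leaves implicit (a different user with no privilege) are assumptions of this model; the SECURITY_IMPERSONATION_LEVEL values and mandatory-label RIDs are the Windows SDK ones.

```c
#include <stdint.h>
#include <stdio.h>

/* SECURITY_IMPERSONATION_LEVEL and mandatory-label RIDs from the Windows SDK. */
enum { SecurityAnonymous = 0, SecurityIdentification = 1,
       SecurityImpersonation = 2, SecurityDelegation = 3 };
#define SECURITY_MANDATORY_MEDIUM_RID 0x2000u
#define SECURITY_MANDATORY_HIGH_RID   0x3000u

/* The process's primary token (field names are this model's own). */
typedef struct {
    uint32_t UserRid;               /* user SID reduced to its RID */
    uint32_t IntegrityLevel;
    uint32_t SessionId;
    int      HasImpersonatePrivilege;
    int      UserIsUacAdmin;        /* the Elevation Check only applies to UAC admins */
} PrimaryToken;

/* The token the process wants to impersonate. */
typedef struct {
    uint32_t UserRid;
    uint32_t IntegrityLevel;
    uint32_t SessionId;
    int      ImpersonationLevel;
} ImpersonationToken;

typedef enum {
    IMP_ALLOWED,            /* passed the session restriction */
    IMP_ALLOWED_IDENTIFY,   /* identification level: nothing to gain, always allowed */
    IMP_ALLOWED_PRIVILEGE,  /* SeImpersonatePrivilege held */
    IMP_DENIED_ELEVATION,   /* Elevation Check: token IL above the process IL */
    IMP_DENIED_USER,        /* different user and no privilege (model assumption) */
    IMP_DENIED_SESSION      /* Restrict to Session ID (STATUS_PRIVILEGE_NOT_HELD on the slide) */
} ImpersonateResult;

ImpersonateResult se_token_can_impersonate(const PrimaryToken *p, const ImpersonationToken *t) {
    /* Identification Check */
    if (t->ImpersonationLevel < SecurityImpersonation) return IMP_ALLOWED_IDENTIFY;
    /* Process has Impersonate Privilege */
    if (p->HasImpersonatePrivilege) return IMP_ALLOWED_PRIVILEGE;
    /* Elevation Check, ignored if the user is not a UAC admin */
    if (p->UserIsUacAdmin && p->IntegrityLevel < t->IntegrityLevel) return IMP_DENIED_ELEVATION;
    /* Process User == Token User; in the local Kerberos case the PAC picks the token's user */
    if (p->UserRid != t->UserRid) return IMP_DENIED_USER;
    /* Restrict to Session ID, as quoted on the slide */
    if (p->SessionId != t->SessionId && t->SessionId == 0) return IMP_DENIED_SESSION;
    return IMP_ALLOWED;
}

/* Constructed scenario: an unprivileged medium-IL process in session 1 holding
 * a same-user impersonation token; only the token's session id varies. */
ImpersonateResult scenario_same_user(uint32_t token_session) {
    PrimaryToken p = { 1001, SECURITY_MANDATORY_MEDIUM_RID, 1, 0, 0 };
    ImpersonationToken t = { 1001, SECURITY_MANDATORY_MEDIUM_RID, token_session, SecurityImpersonation };
    return se_token_can_impersonate(&p, &t);
}

int main(void) {
    printf("token in session 0: %d (5 = denied by the session restriction)\n", scenario_same_user(0));
    printf("token in session 1: %d (0 = allowed)\n", scenario_same_user(1));
    return 0;
}
```

The scenario is the one the next slides chase: a token for the same user that was built in session 0 is refused by the session restriction, so the token has to end up in the caller's session before it is useful.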
Hunting for Session Update Primitives
(call graph, built up over four slides: the LSA paths that reach NtSetInformationToken(..., TokenSessionId, …), with their annotations)

NtSetInformationToken(..., TokenSessionId, …) is reached from:

LsapAuApiDispatchLogonUser → LsapBuildAndCreateToken, via LsapSetSessionToken and LsapCreateTokenEx
    Not useful

LsaISetSupplementalTokenInfo → LsapFilterElevatedTokenFull → LsapUpdateUserTokenSessionId
    Requires TCB; deals with elevated + linked tokens

LsapApplyLoopbackSessionId
    ??? Accessible via AcceptSecurityContext
LSA Loopback Library
(diagram, built up over four slides: the Kerberos Security Package inside the Local Security Authority keeps a loopback tracking table of Hash Value → Session ID; the caller lives in User Session X)

❶ Call ISC and add entry to loopback tracking table with caller’s session id
   InitializeSecurityContext → BeginTracking: (…, X)
❷ Update AES-CMAC hash with security buffer contents
   the AP-REQ returned by InitializeSecurityContext → UpdateTracking: (FEEDACDC, X)
❸ Accept AP-REQ and add AES-CMAC entry
   AcceptSecurityContext from session 0 → BeginTracking: (FEEDACDC, 0)
❹ Create token and lookup final hash. If a match is found, move the token to the client session
   LsapCreateTokenEx → LsapApplyLoopbackSessionId: (FEEDACDC, 0) matches (FEEDACDC, X), so the Token goes to User Session X

ELI5
(diagram: Our Code in the User Session calls (Initialize/Accept)SecurityContext into the Kerberos Security Package in the Local Security Authority; the network side is the “No Fly Zone!”)
1. Loopback Library will hash all security buffers between LSA and clients. If hashes match when a token is being built, the token will be moved to the client session.
2. We need to start using InitializeSecurityContext with our silver tickets to get the hash entry initialized.
3. We need to modify the PAC inside the AP-REQ, but if we touch the buffers the hash lookup will break. (or will it?)
Loopback Security Buffer Hashing Bug

PSecBufferDesc pInput = ...;

for (ULONG i = 0; i < pInput->cBuffers; ++i) {
    PSecBuffer pBuffer = &pInput->pBuffers[i];

    // Exact comparison: a SECBUFFER_TOKEN buffer that also carries an
    // attribute flag such as SECBUFFER_READONLY is never hashed.
    if (pBuffer->BufferType == SECBUFFER_TOKEN) {
        BCryptHashData(hHash, pDirectionGuid, cbDirectionGuid);
        BCryptHashData(hHash, pBuffer->pvBuffer, pBuffer->cbBuffer);
    }
}
Security Buffer Types

Buffer Type                       Meaning                                               Value
SECBUFFER_EMPTY                   Undefined, replaced by the security package function  0x00000000
SECBUFFER_TOKEN                   Security token                                        0x00000002
SECBUFFER_READONLY                Buffer is read-only, no checksum                      0x80000000
SECBUFFER_READONLY_WITH_CHECKSUM  Buffer is read-only, and checksummed                  0x10000000

The buffer types can be combined using a bitwise-OR operation with the READONLY buffer types.
Type Confusion in AcceptSecurityContext
(diagram: one Security Buffer Descriptor handed to AcceptSecurityContext, read by both the Kerberos Security Package and the Loopback Library)

SECBUFFER_TOKEN | SECBUFFER_READONLY: Modified AP-REQ with Silver Ticket
    Ignored by Loopback library. Used by Kerberos.

SECBUFFER_TOKEN: Original AP-REQ from InitializeSecurityContext
    Hashed by Loopback Library. Ignored by Kerberos.
Demo Time
Fixed in Windows 11 ?

Windows 10:

if (pBuffer->BufferType == SECBUFFER_TOKEN) {
    BCryptHashData(hHash, pDirectionGuid, cbDirectionGuid);
    BCryptHashData(hHash, pBuffer->pvBuffer, pBuffer->cbBuffer);
}

Windows 11: Masking the upper byte out

if ((pBuffer->BufferType & ~SECBUFFER_ATTRMASK) == SECBUFFER_TOKEN) {
    BCryptHashData(hHash, pDirectionGuid, cbDirectionGuid);
    BCryptHashData(hHash, pBuffer->pvBuffer, pBuffer->cbBuffer);
}
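To make the difference between the two comparisons observable, here is an added example (not code from the talk and not Windows code) that runs the loopback hashing loop with both predicates over a constructed two-buffer descriptor shaped like the one on the Type Confusion slide. The SecBuffer layout and the SECBUFFER_* constants are the sspi.h ones; the FNV-1a hash standing in for BCryptHashData is an assumption of the example (any deterministic hash shows the coverage gap).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values from sspi.h */
#define SECBUFFER_TOKEN                  0x00000002u
#define SECBUFFER_READONLY               0x80000000u
#define SECBUFFER_READONLY_WITH_CHECKSUM 0x10000000u
#define SECBUFFER_ATTRMASK               0xF0000000u

/* Minimal SecBuffer / SecBufferDesc, field order as in sspi.h. */
typedef struct { uint32_t cbBuffer; uint32_t BufferType; const void *pvBuffer; } SecBuffer;
typedef struct { uint32_t ulVersion; uint32_t cBuffers; SecBuffer *pBuffers; } SecBufferDesc;

/* Windows 10 predicate: an exact compare, so any attribute bit hides the buffer. */
int is_token_win10(uint32_t type) { return type == SECBUFFER_TOKEN; }

/* Windows 11 predicate: attribute bits are masked off before comparing. */
int is_token_win11(uint32_t type) { return (type & ~SECBUFFER_ATTRMASK) == SECBUFFER_TOKEN; }

/* FNV-1a, standing in for the AES-CMAC that BCryptHashData would update. */
static uint64_t hash_update(uint64_t h, const void *data, size_t len) {
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

typedef struct { size_t covered; uint64_t digest; } HashResult;

/* The loopback loop: hash every buffer the predicate selects and report
 * how many bytes the digest actually covers. */
HashResult hash_token_buffers(const SecBufferDesc *in, int (*is_token)(uint32_t)) {
    HashResult r = { 0, 0xcbf29ce484222325ULL };
    for (uint32_t i = 0; i < in->cBuffers; ++i) {
        const SecBuffer *b = &in->pBuffers[i];
        if (is_token(b->BufferType)) {
            r.digest = hash_update(r.digest, b->pvBuffer, b->cbBuffer);
            r.covered += b->cbBuffer;
        }
    }
    return r;
}

/* Constructed descriptor in the shape of the Type Confusion slide: buffer 0 is
 * the read-only token Kerberos parses, buffer 1 the original AP-REQ. */
HashResult hash_descriptor(int (*is_token)(uint32_t), const char *kerberos_input) {
    static const char original[] = "AP-REQ(original)";
    SecBuffer bufs[2] = {
        { (uint32_t)strlen(kerberos_input), SECBUFFER_TOKEN | SECBUFFER_READONLY, kerberos_input },
        { (uint32_t)strlen(original),       SECBUFFER_TOKEN,                      original },
    };
    SecBufferDesc desc = { 0, 2, bufs };
    return hash_token_buffers(&desc, is_token);
}

/* 1 if the digest binds the bytes in the read-only buffer, i.e. changing what
 * Kerberos consumes also changes the loopback hash. */
int digest_binds_readonly_buffer(int (*is_token)(uint32_t)) {
    HashResult a = hash_descriptor(is_token, "AP-REQ(modified)");
    HashResult b = hash_descriptor(is_token, "AP-REQ(tampered)");
    return a.digest != b.digest;
}

int main(void) {
    printf("Windows 10 check: %zu bytes covered, binds read-only buffer: %d\n",
           hash_descriptor(is_token_win10, "AP-REQ(modified)").covered,
           digest_binds_readonly_buffer(is_token_win10));
    printf("Windows 11 check: %zu bytes covered, binds read-only buffer: %d\n",
           hash_descriptor(is_token_win11, "AP-REQ(modified)").covered,
           digest_binds_readonly_buffer(is_token_win11));
    return 0;
}
```

Under the Windows 10 predicate only the second buffer is hashed, so the digest is the same whatever the first buffer contains; under the masked predicate both buffers are covered. The general point for any validator that keys off a flag-bearing type field is the same: strip the attribute bits before comparing, otherwise the caller decides which buffers the check sees.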
LSA Loopback Library: Danger Zone
(diagram: Our Code in the User Session calls (Initialize/Accept)SecurityContext into the Kerberos Security Package in the Local Security Authority, which talks to KDC.REALM; the LSA-to-KDC leg is the “No Fly Zone!”)

Man in the middle is on the table?
Modifying on the Wire
(diagram: the KDC returns a TGS-REP containing bob@REALM’s PAC and a CIFS/ABC TGS U2U ticket; on the wire it is swapped for a TGS-REP (evil) whose PAC w/admin is sealed with the same Session Key, and the Local Security Authority accepts it)
What about Credential Guard ?

Kerberos Considerations
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations
LSA Loopback Library: BYOKDC
(diagram: Our Code in the User Session calls (Initialize/Accept)SecurityContext into the Kerberos Security Package, which now talks to KDC.FAKE instead of the real KDC; the network leg is still the “No Fly Zone!”)

Bring Your Own KDC?
KDC Pinning

struct SECPKG_CALL_PACKAGE_PIN_DC_REQUEST {
    ULONG MessageType;
    ULONG Flags;
    UNICODE_STRING DomainName;
    UNICODE_STRING DcName;
    ULONG DcFlags;
};

MessageType can be SecPkgCallPackagePinDcMessage or KerbPinKdcMessage

Local KDC
(diagram, built up over two slides: Client and Custom KDC in User Session X; the Kerberos Security Package in the Local Security Authority keeps a pin table of Realm / Host / PID / TID)

❶ Pin our fake KDC to localhost: LsaCallAuthPackage adds the entry FAKE / localhost / X / Y, so TGS-REPs for krbtgt@FAKE come from the Custom KDC
❷ Issue our own tickets with arbitrary PAC data (despite being different domains): LsaLogonUser with fake credentials u: FAKE\bob, pw: WooHoo!; the package reaches the Custom KDC through KerbMakeSocketCall, and the TGS-REP carries a bob@REALM PAC w/admin in a CIFS/CLIENT TGS U2U ticket
Demo Time
“Security
Boundaries”
and where they aren’t
Service Account S4U2Self
(diagram: a Client in the Service Account Session calls into the Local Security Authority, which talks to KDC.REALM)

LsaLogonUser(S4U, …) performs an S4U2Self exchange with PA-FOR-USER (CNAME: Admin) against KDC.REALM; the TGS-REP ticket is encrypted to KEY: svc@REALM, and the resulting Access Token is:
    UPN: Admin
    Realm: REALM
    User: REALM\Admin
    Level: Identification

We have SeImpersonate but the token is locked to Identification
S4U TCB Privilege Check

KerbCreateTokenFromLogonTicket(...) {
    if (MessageType == KerbTicketLogon || MessageType == KerbTicketUnlockLogon ||
        MessageType == KerbS4ULogon || …) {
        // Callers without SeTcbPrivilege get the NO_TCB flag on their primary credentials
        if (!ClientInfo.HasTcbPrivilege)
            PrimaryCredentials->Flags |= PRIMARY_CRED_LOGON_NO_TCB;
    }
}

LsapAuApiDispatchLogonUser(...) {
    // A NO_TCB logon only ever yields an identification-level impersonation token
    BOOL UseIdentify = PrimaryCredentials.Flags & PRIMARY_CRED_LOGON_NO_TCB;
    LsapCreateV3Token(...
        (UseIdentify ? TokenImpersonation : TokenPrimary),
        (UseIdentify ? SecurityIdentification : SecurityImpersonation),
        &Token
    );
}
Service Account S4U2Self
(diagram, built up over three slides: Client and Local Security Authority in the Service Account Session, talking to KDC.REALM)

❶ TGT Extraction: pull the krbtgt/REALM TGT out of the Service Account Session as a KRB_CRED
❷ S4U2Self with PA-FOR-USER (CNAME: Admin) against KDC.REALM using the extracted TGT; the TGS-REP ticket is encrypted to KEY: svc@REALM
❸ AcceptSecurityContext on the resulting ticket yields an Access Token for User: REALM\Admin at Level: Impersonation

What about UAC ?

2.2.5. LSAP_TOKEN_INFO_INTEGRITY

The LSAP_TOKEN_INFO_INTEGRITY structure specifies the integrity level information for the client.<7>

typedef struct _LSAP_TOKEN_INFO_INTEGRITY {
    unsigned long Flags;
    unsigned long TokenIL;
    unsigned char MachineID[32];
}

[MS-KILE]: Kerberos Protocol Extensions

Authorization Data Entries
(diagram: an AP-REQ carrying a Service Ticket for bob@REALM, with its PAC, and an Authenticator; both have Authorization Data, and the Ticket’s AD entry is taken in preference to the Authenticator’s)

A KERB-AD-RESTRICTION-ENTRY in the Authorization Data feeds the Token Filtering Logic:

_LSAP_TOKEN_INFO_INTEGRITY {
    Flags = RestrictedToken;
    TokenIL = Medium;
    MachineID = {FEED-ACDC};
}
LSA Token Filtering
via LsaISetSupplementalTokenInfo()
(flowchart; the decision nodes recoverable from the slide are listed, with the only fully legible edges)

Decision nodes:
    info.MachineId == LsapGlobalMachineID
    User is a Local Account && Local Account Token Filtering is enabled
    Machine is not a domain controller && Network Auth Token Filtering is enabled
    info.Flags & LimitedToken
Outcomes: Filter Token / No Filtering

Where info.MachineId matches LsapGlobalMachineID, info.Flags & LimitedToken decides: True → Filter Token, False → No Filtering.
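The following added example (not code from the talk and not taken from MS-KILE) parses a KERB-AD-RESTRICTION-ENTRY payload into LSAP_TOKEN_INFO_INTEGRITY and applies the one branch of the filtering flowchart that the slide spells out: when MachineID matches the local machine, Flags decides whether the token is filtered. The flag value 0x1 for a UAC-restricted token is the MS-KILE 2.2.5 one; the little-endian byte order, the stand-in machine ID and the sample entries are assumptions of the example, and the non-matching branch (local-account and network-auth policy) is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TOKEN_INFO_INTEGRITY_SIZE 40u        /* Flags (4) + TokenIL (4) + MachineID (32) */
#define LSAP_TOKEN_INFO_UAC_RESTRICTED 0x1u  /* MS-KILE 2.2.5 Flags: 0x1 = UAC-restricted token */
#define SECURITY_MANDATORY_MEDIUM_RID 0x2000u

typedef struct {
    uint32_t Flags;
    uint32_t TokenIL;
    unsigned char MachineID[32];
} LSAP_TOKEN_INFO_INTEGRITY;

typedef enum {
    FILTER_PARSE_ERROR = -1,
    FILTER_NOT_LOCAL = 0,   /* MachineID differs: the local-account / network-auth branch, not modelled */
    FILTER_NONE = 1,        /* No Filtering */
    FILTER_TOKEN = 2        /* Filter Token */
} FilterDecision;

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Serialises an entry; little-endian ULONGs are this example's assumption. */
void encode_token_info_integrity(uint32_t flags, uint32_t token_il,
                                 const unsigned char machine_id[32],
                                 unsigned char out[TOKEN_INFO_INTEGRITY_SIZE]) {
    wr32(out, flags);
    wr32(out + 4, token_il);
    memcpy(out + 8, machine_id, 32);
}

/* Parses an entry; short buffers are rejected rather than read past. */
int parse_token_info_integrity(const unsigned char *buf, size_t len, LSAP_TOKEN_INFO_INTEGRITY *out) {
    if (buf == NULL || len < TOKEN_INFO_INTEGRITY_SIZE) return 0;
    out->Flags = rd32(buf);
    out->TokenIL = rd32(buf + 4);
    memcpy(out->MachineID, buf + 8, 32);
    return 1;
}

/* The branch the slide spells out: a matching MachineID means the entry was
 * produced on this machine, and Flags decides. */
FilterDecision decide_filtering(const LSAP_TOKEN_INFO_INTEGRITY *info,
                                const unsigned char local_machine_id[32]) {
    if (memcmp(info->MachineID, local_machine_id, 32) != 0) return FILTER_NOT_LOCAL;
    return (info->Flags & LSAP_TOKEN_INFO_UAC_RESTRICTED) ? FILTER_TOKEN : FILTER_NONE;
}

/* Constructed stand-in for LsapGlobalMachineID (the real value is per machine). */
const unsigned char example_machine_id[32] = {
    0xFE,0xED,0xAC,0xDC, 0xFE,0xED,0xAC,0xDC, 0xFE,0xED,0xAC,0xDC, 0xFE,0xED,0xAC,0xDC,
    0xFE,0xED,0xAC,0xDC, 0xFE,0xED,0xAC,0xDC, 0xFE,0xED,0xAC,0xDC, 0xFE,0xED,0xAC,0xDC };

FilterDecision decide_from_bytes(const unsigned char *buf, size_t len) {
    LSAP_TOKEN_INFO_INTEGRITY info;
    if (!parse_token_info_integrity(buf, len, &info)) return FILTER_PARSE_ERROR;
    return decide_filtering(&info, example_machine_id);
}

int main(void) {
    unsigned char entry[TOKEN_INFO_INTEGRITY_SIZE];
    encode_token_info_integrity(LSAP_TOKEN_INFO_UAC_RESTRICTED, SECURITY_MANDATORY_MEDIUM_RID,
                                example_machine_id, entry);
    printf("restricted entry from this machine -> %d (2 = Filter Token)\n",
           decide_from_bytes(entry, sizeof entry));
    encode_token_info_integrity(0, SECURITY_MANDATORY_MEDIUM_RID, example_machine_id, entry);
    printf("full-token entry from this machine -> %d (1 = No Filtering)\n",
           decide_from_bytes(entry, sizeof entry));
    return 0;
}
```

The second call is the state the Kerberos UAC Bypass slides reach by renewing the ticket without authorization data: with no restriction entry at all, or one without the UAC-restricted flag, nothing asks for the token to be filtered.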
Kerberos UAC Bypass
(diagram, built up over three slides: a Client (uac admin) in the Service Session calls the Local Security Authority; the SCM RPC Service, running in the Service Account Session, authenticates it through the Kerberos Security Package, which talks to KDC.REALM)

❶ Request service ticket and session key from ticket cache: LsaCallAuthPackage returns the RPC/CLIENT TGS, its Auth Data and the Session Key
❷ Manually renew the service ticket without any authorization data
❸ Pass clean ticket to RPC server: the SCM RPC Service now builds a Full Token
Demo Time
Wrap Up Time
CVE-2022-35756

“SYSTEM” Equivalent Logon Session:
    SeTcbPrivilege || SYSTEM || LOCAL/NETWORK SERVICE

Credentials Handle:
    cred->Flags & SECPKG_CRED_ATTR_PAC_BYPASS
    (auto)   AcquireCredentialsHandle w/ SECPKG_CRED_INBOUND && NT AUTHORITY\SERVICE && !KerbGlobalValidateKDCPACSignature
    (manual) SetCredentialsAttributes w/ SeTcbPrivilege

ASC Context Flags:
    context->Flags & ASC_RET_USE_SESSION_KEY


Mitigation Thoughts
● Enable KerbGlobalValidateKDCPACSignature
○ Prevent “NT AUTHORITY\SERVICE” SID from bypassing PAC verification
○ Doesn’t prevent “LOCAL/NETWORK SERVICE” or “SYSTEM” though
● Force Kerberos Armoring / FAST
○ Makes it harder to tamper with network traffic
● Enable Credential Guard
○ Block trivial access to TGT session keys
● Build Kerberos firewall rules
○ Block access to KDCs outside an approved list
Detection Thoughts
Security -> Logon/Logoff -> Special Logon -> Event 4672

Special privileges assigned to new logon.

Subject:
    Security ID:      REALM\bob
    Account Name:     bob
    Account Domain:   REALM
    Logon ID:         0x4b842

Privileges:
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    ...
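As an added example (not code from the talk), here is a small parser for the text body of Security event 4672 that pulls out the subject and the privilege list and raises an alert when an account outside an expected-admin list is handed a high-value privilege at logon. Both lists are assumptions of the example and would be tuned per environment; the sample event text is constructed to match the one above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PRIVS 32
#define FIELD_LEN 64

typedef struct {
    char account[FIELD_LEN];
    char domain[FIELD_LEN];
    char logon_id[FIELD_LEN];
    int  priv_count;
    char privs[MAX_PRIVS][FIELD_LEN];
} SpecialLogon;

/* Privileges this example treats as high-value (assumption; tune per environment). */
static const char *const high_value[] = {
    "SeTcbPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", NULL };

/* Accounts expected to receive special privileges (assumption). */
static const char *const expected_admins[] = { "Administrator", "svc_backup", NULL };

/* Trims leading and trailing whitespace in place and returns the start. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* If line starts with key, copies the trimmed remainder into dst. */
static int take_field(const char *line, const char *key, char *dst) {
    size_t k = strlen(key);
    if (strncmp(line, key, k) != 0) return 0;
    char tmp[FIELD_LEN];
    strncpy(tmp, line + k, FIELD_LEN - 1);
    tmp[FIELD_LEN - 1] = '\0';
    strncpy(dst, trim(tmp), FIELD_LEN - 1);
    dst[FIELD_LEN - 1] = '\0';
    return 1;
}

/* Walks the event text line by line; returns 1 if it looked like a 4672 body. */
int parse_event_4672(const char *text, S-p-e-c-i-a-l-L-o-g-o-n *out);
```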
Limitations of Time
NtApiDotNet (tooling used in presentation)
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools

UAC Bypass Trickery


https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html

Remote Credential Guard Code Execution


https://bugs.chromium.org/p/project-zero/issues/detail?id=2271

AppContainer Escapes
https://bugs.chromium.org/p/project-zero/issues/detail?id=2273

LSASS Impersonation Check Failures


https://bugs.chromium.org/p/project-zero/issues/detail?id=2278

Service Account S4U Elevation


https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/
Acknowledgements
Elad Shamir | @elad_shamir

Benjamin Delpy | @gentilkiwi

Will Schroeder | @harmj0y

Charlie Clark | @exploitph

Christoph Falta | @cfalta


One Last Thing !
Questions ?

You might also like