Is This My Domain Controller? A New Class of Active Directory Protocol Injection Attacks

Offered By: Black Hat via YouTube

Course Description

Overview

Explore a new class of Active Directory protocol injection attacks in this Black Hat conference talk. Delve into the security vulnerabilities of cryptographic systems, focusing on resilience against eavesdroppers and machine-in-the-middle (MiTM) attacks. Examine previous MiTM attacks on Active Directory authentication protocols and their mitigation strategies. Discover how relay attack techniques can be applied to the Kerberos authentication protocol. Learn about NTLM basics, NTLM injection versus NTLM relay, and see an NTLM injection example using GPO updates. Investigate a new attack case involving Azure AD Connect and the corresponding Microsoft response. Understand KDC spoofing protection and the requirements for executing these attacks. Analyze a VMware Center attack scenario and explore Kerberos injection mitigation strategies. Gain valuable tips for defenders and insights into responsible disclosure practices.

Syllabus

Intro
Today's Talk
The Plan
NTLM Basics
NTLM Injection Vs NTLM Relay
NTLM Injection Example - GPO Update
New Attack Case - Azure AD Connect
NTLM Injection Against AD Connect
Microsoft Response
KDC Spoofing Protection
What we need for the attack
VMware Center
Attack Scenario
Kerberos Injection - How to Mitigate?
Responsible Disclosure
Closing Remarks
Tips for Defenders


Taught by

Black Hat
