Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/13885
Title: Threat analysis of Microsoft Kerberos ticket misuse
Authors: Zerafa, Janet
Keywords: Microsoft Windows server; Agreement protocols (Computer network protocols); Operating systems (Computers) -- Security measures
Issue Date: 2016
Abstract: This project tackles the threat analysis of the Pass-the-Ticket attack on Microsoft Windows domain authentication. The analysis was split in two: the first part tackles the identification of vulnerable OS configurations as well as the extent of impact in the event of successful execution. The second part tests the heuristic to detect an ongoing attack strictly from memory dumps by locating duplicate tickets. In order to conduct this study, two tools were developed: a penetration testing tool and a memory forensics tool. For a complete understanding of the attack, code comprehension is carried out on the code of the existing proof-of-concept pen-test tool. It was found that the existing tool relies on data structures that are service pack/version dependent; therefore the built pen-test tool was rendered service pack/version independent. This is achieved by using memory analysis, where tickets are located from memory using signature-based scanning. Results from using multiple recent versions of Windows show that the attack is possible when the Local Security Authority is not a protected process. The impact of a successful attack includes the gaining of higher privileges, enabling the attacker to access restricted and possibly harmful services. Memory forensics show that a successful attack can be identified from memory dumps given that the attacker has not purged the tickets from memory.
Description: B.SC.(HONS)COMP.SCI.
URI: https://www.um.edu.mt/library/oar//handle/123456789/13885
Appears in Collections: Dissertations - FacICT - 2016; Dissertations - FacICTCS - 2016

Files in This Item:
16BCS016.pdf (Adobe PDF, 1.44 MB, Restricted Access)


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.