Abusing Kerberos for Local Privilege Escalation

Published: 23/11/2024   Category: security




Upcoming Black Hat USA presentation will examine the implications of Kerberos weaknesses for security on the local machine.



As the main authentication protocol for Windows enterprise networks, Kerberos has long been a favored hacking playground for security researchers and cybercriminals alike. While the focus has been on attacking Kerberos authentication to carry out remote exploits and aid in lateral movement across the network, new research explores how Kerberos can also be abused to great effect in carrying out a variety of local privilege escalation (LPE) attacks.
At the Black Hat USA conference this week in Las Vegas, James Forshaw, security researcher for Google Project Zero, and Nick Landers, head of adversarial R&D for NetSPI, plan to take the security discussion beyond the Kerberoasting and Golden/Silver ticket attack discussions that have dominated Kerberos security research in recent years. In the session "Elevating Kerberos to the Next Level", Forshaw and Landers will explore authentication bypasses, sandbox escapes, and arbitrary code execution in privileged processes.
"James and I have both spent a lot of our time digging into Windows internals, and Kerberos is fundamental to network authentication between Windows systems. However, most of the existing research and tooling I've done focuses on remote exploitation — ignoring attack surfaces that exist on just a local machine," says Landers, who explained why the pair decided to dig deeper into design flaws in the way Kerberos does local authentication. "Through this, we've discovered many interesting flaws — some fixed and some not — that we're excited to share on Wednesday, along with the tooling we've built and knowledge we've gained over the last several months."
The tooling will help others in the security research community inspect and manipulate Kerberos on local systems and build on the pair's research. The duo will also offer some important detection and configuration advice to help security practitioners mitigate the risk of the flaws they'll present.
From a bigger-picture perspective, Landers hopes that his talk can help bring further attention to Kerberos from the entire security world. He says that even though it is the recommended long-term solution for network authentication in Windows environments, replacing deprecated protocols like NetNTLM, security teams shouldn't assume that it is more secure by default than its predecessors.
"Kerberos maintains an extremely large feature set, which continues to grow every year. Obscure functionality first designed in 1998, as well as brand-new code engineered for Windows 11, can both provide nuanced attack surfaces for LPE, security bypasses, or even RCE," he says. "Where there are more features to search, there is always greater opportunity to discover flaws."
In addition to offering practical mitigation steps, he hopes the talk will spur security and network administrators to brush up on their Kerberos knowledge to better harden their systems.
"Administrators should become more familiar with Kerberos to be able to apply best-practice mitigations effectively, specifically since we consistently see the knowledge of attackers outpacing that of defenders when it comes to Kerberos internals," he says.
His talk will be one of several eye-opening identity and access management-related research presentations at Black Hat this week. Other discussions up for exploration include how hybrid cloud IAM deployments are leaving open flaws and misconfigurations ripe for attack, and the way that attackers can utilize stolen PII to make it easier to conduct smishing attacks.
