The "extremely destructive" Kerberos protocol vulnerability can give an attacker complete control of the system.
Recently, security experts discovered a "very destructive" vulnerability in Windows's Kerberos authentication system. Last year a similar vulnerability in the same system was disclosed; it allowed attackers to take control of an entire network, including installing programs and deleting data.
Kerberos protocol
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by means of a key system. The authentication process does not depend on the host operating system's own authentication, does not require trust based on host addresses, and does not require physical security of every host on the network; it assumes that packets transmitted over the network can be read, modified, and inserted at will. Under these conditions Kerberos, acting as a trusted third-party authentication service, implements authentication using conventional cryptographic techniques (such as shared keys).
Vulnerability Principle
Figure 1 Typical authentication process
Analysis of Kerberos reveals the following problems:
1. The key is derived from the user's password;
2. The key is stored in memory;
3. Keys for the RC4 encryption type are not salted, and the NTLM hash of the password is used directly as the RC4 key;
4. The key used by the KDC (Key Distribution Center) is derived from the krbtgt user's password, even though that account is disabled and never used;
5. The krbtgt password is rarely changed (only when the domain functional level changes), and after a change the previous password is still accepted;
6. The TGT is encrypted with the krbtgt key, the PAC data is signed with the krbtgt key, and the system rarely verifies the PAC data;
7. Kerberos only re-verifies the user account 20 minutes after the user logs on.
For these reasons, an attacker who holds the krbtgt password can bypass the authentication system, obtain administrator access, and carry out a series of administrator operations (such as creating users and downloading files); the attacker can also derive the corresponding key for any user from that user's password.
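The weaknesses above translate directly into things a defender can check for. The following script is an added example and not part of the article; it runs three checks over constructed sample data with an assumed, simplified record schema (map your SIEM's or ticket-cache field names onto it): tickets issued with the RC4 encryption type (point 3), TGTs whose lifetime exceeds the domain maximum (a forged TGT is usually minted with a far longer lifetime than policy allows, which is a consequence of points 4 and 6), and how long the krbtgt password has gone without rotation (point 5). The 180-day rotation threshold is an operator-chosen assumption, not a Microsoft default.

```python
# Added example (not from the article): defensive checks for the Kerberos weak points
# the article lists. All inputs are constructed sample data with an assumed, simplified
# schema; map your own log or ticket-cache field names onto it before use.
from datetime import datetime, timedelta, timezone

# Kerberos encryption-type identifiers (RFC 3961 / RFC 4757). 0x17 is RC4-HMAC,
# whose key is the account's unsalted NTLM hash, so RC4 tickets are the ones to hunt for.
ETYPE_RC4_HMAC = 0x17
ETYPE_AES = {0x11, 0x12}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

# Constructed, simplified ticket-request records (roughly what a 4768/4769 event carries).
SAMPLE_REQUESTS = [
    {"event": 4768, "account": "alice", "service": "krbtgt/CORP", "etype": 0x12},
    {"event": 4769, "account": "alice", "service": "cifs/fs01.corp", "etype": 0x12},
    {"event": 4769, "account": "svc-backup", "service": "cifs/fs01.corp", "etype": 0x17},
    {"event": 4768, "account": "bob", "service": "krbtgt/CORP", "etype": 0x17},
]

# Constructed cached-ticket entries (what a ticket-cache listing would give you).
SAMPLE_TICKETS = [
    {"account": "alice", "service": "krbtgt/CORP",
     "start": datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc),
     "end": datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)},   # 10 h: normal policy
    {"account": "bob", "service": "krbtgt/CORP",
     "start": datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc),
     "end": datetime(2034, 4, 29, 8, 0, tzinfo=timezone.utc)},   # ~10 years: no KDC issues this
]

# Constructed krbtgt attribute snapshot and observation time.
SAMPLE_KRBTGT_PWD_LAST_SET = datetime(2019, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def flag_rc4_requests(requests):
    """Return (account, service) pairs that were issued RC4-encrypted tickets.
    RC4 use on an AES-capable domain means a weak, NTLM-hash-keyed ticket was negotiated."""
    return [(r["account"], r["service"]) for r in requests if r["etype"] == ETYPE_RC4_HMAC]


def flag_long_lived_tickets(tickets, max_lifetime=timedelta(hours=10)):
    """Return accounts whose TGT lifetime exceeds the domain maximum (10 h by default).
    Ticket lifetime is (end - start); anything beyond policy was not issued by the KDC."""
    return [t["account"] for t in tickets if t["end"] - t["start"] > max_lifetime]


def krbtgt_rotation_overdue(pwd_last_set, now, max_age=timedelta(days=180)):
    """Return (age_in_days, overdue) for the krbtgt password.
    max_age is an operator-chosen rotation window (assumption), not a Microsoft default."""
    age = now - pwd_last_set
    return age.days, age > max_age


if __name__ == "__main__":
    print("RC4 tickets:", flag_rc4_requests(SAMPLE_REQUESTS))
    print("Over-long TGTs:", flag_long_lived_tickets(SAMPLE_TICKETS))
    print("krbtgt (age days, overdue):",
          krbtgt_rotation_overdue(SAMPLE_KRBTGT_PWD_LAST_SET, SAMPLE_NOW))
```

Remember that a krbtgt rotation must be done twice, with a gap long enough for replication and ticket expiry, because the previous password is still accepted (point 5); a single reset does not invalidate tickets forged with the old key.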
Mitigation
It is reported that the vulnerability cannot be patched, because these behaviours are simply how Kerberos operates. The only countermeasure is Microsoft's Credential Guard, which prevents credentials from being stored in memory. To keep Windows from being attacked through Kerberos, users must monitor and protect privileged accounts at all times, since some of those accounts may have been created by an attacker.