Is This My Domain Controller? A New Class of Active Directory Protocol Injection Attacks

Conference:  BlackHat USA 2021



The presentation discusses a specific type of attack called the Golden Ticket attack, which exploits weaknesses in the authentication process of Windows domains.
  • The Golden Ticket attack involves intercepting and manipulating authentication requests to gain access to a Windows domain.
  • The attack can be mitigated by adding an additional step to the authentication process that involves requesting a service ticket.
  • The process of selecting a domain controller and establishing a network session is not secure unless some form of validation is done afterwards.
  • The attack can be carried out by injecting a fake domain controller and relaying messages between the client and the real domain controller.
  • The attack can be prevented by verifying the identity of the client before allowing data to be accessed from the domain controller.
The presenter gives an example of how the Golden Ticket attack can be used to gain administrative privileges in a Windows domain. By injecting a fake domain controller and returning a fake security system, the attacker can make any domain user an administrator in the domain. This is demonstrated in a demo where a regular user is able to log on to a server and gain administrative privileges.
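The bullets above state the mitigation only in the abstract: after talking to a domain controller, the client should request a service ticket and validate it rather than trusting whoever answered as the DC. The following toy model, written for this page and not taken from the talk or from any Windows component, shows why that extra step matters. A "ticket" here is a JSON payload sealed with an HMAC under the key of the service it is issued for (Kerberos actually encrypts tickets; HMAC is used only so the sealing is short and verifiable offline). The principal names (`host/ws01`, `alice`), the group names and the `RealDC` / `RogueDC` / `Workstation` classes are all constructed for the example. A rogue DC can hand the client any group claims it likes in the unauthenticated logon reply, but it cannot produce a ticket for the client's own machine account, because it does not hold that key; and if it relays the ticket request to the real DC, the real DC's ticket carries the authoritative group membership, so the forged "admin" claim is discarded either way.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Toy model constructed for this example. A ticket is a JSON body plus an HMAC
# under the key of the service it is issued for; only a holder of that key can
# mint a ticket that verifies. This stands in for Kerberos ticket encryption.


def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def open_sealed(key: bytes, ticket: dict) -> Optional[dict]:
    """Return the payload if the ticket verifies under `key`, else None."""
    body = ticket["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None
    return json.loads(body)


class RealDC:
    """The legitimate domain controller: holds every service key and the
    authoritative group membership (constructed sample data)."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {"host/ws01": secrets.token_bytes(32)}
        self.groups: Dict[str, List[str]] = {"alice": ["Domain Users"]}

    def logon(self, user: str) -> dict:
        # Initial logon reply: group claims the client cannot verify by itself.
        return {"user": user, "groups": self.groups[user]}

    def service_ticket(self, user: str, spn: str) -> dict:
        return seal(self.keys[spn], {"user": user, "spn": spn, "groups": self.groups[user]})


class RogueDC:
    """An injected fake DC. It can claim anything in the logon reply, but holds
    no real service key. Optionally relays ticket requests to the real DC."""

    def __init__(self, upstream: Optional[RealDC] = None) -> None:
        self.upstream = upstream
        self.fake_key = secrets.token_bytes(32)  # not the workstation's key

    def logon(self, user: str) -> dict:
        return {"user": user, "groups": ["Domain Admins"]}  # forged claim

    def service_ticket(self, user: str, spn: str) -> dict:
        if self.upstream is not None:
            return self.upstream.service_ticket(user, spn)  # relay to real DC
        return seal(self.fake_key, {"user": user, "spn": spn, "groups": ["Domain Admins"]})


class Workstation:
    def __init__(self, spn: str, key: bytes) -> None:
        self.spn, self.key = spn, key

    def logon_unvalidated(self, dc, user: str) -> List[str]:
        # Trusts whoever answered as the DC: the weakness the talk describes.
        return dc.logon(user)["groups"]

    def logon_validated(self, dc, user: str) -> List[str]:
        # Mitigation: request a ticket for our own account and only trust
        # authorization data that verifies under our own key.
        dc.logon(user)  # reply is ignored for authorization purposes
        verified = open_sealed(self.key, dc.service_ticket(user, self.spn))
        if verified is None or verified["spn"] != self.spn:
            raise ValueError("DC could not issue a valid ticket for this host")
        return verified["groups"]


def run_scenarios() -> Dict[str, object]:
    real = RealDC()
    ws = Workstation("host/ws01", real.keys["host/ws01"])
    out: Dict[str, object] = {}
    out["real_unvalidated"] = ws.logon_unvalidated(real, "alice")
    out["rogue_unvalidated"] = ws.logon_unvalidated(RogueDC(), "alice")
    out["real_validated"] = ws.logon_validated(real, "alice")
    try:
        ws.logon_validated(RogueDC(), "alice")
        out["rogue_validated"] = "accepted"
    except ValueError:
        out["rogue_validated"] = "rejected"
    out["rogue_relay_validated"] = ws.logon_validated(RogueDC(upstream=real), "alice")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running the block prints one line per scenario: without validation the rogue DC's "Domain Admins" claim is accepted; with validation the rogue DC is rejected outright, and even a relaying rogue DC can only deliver the real DC's ticket, which says "Domain Users".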


When analyzing the security of cryptographic systems, a critical part is resiliency against eavesdroppers as well as machine-in-the-middle (MitM) attacks. Over the years, researchers have been able to break many secure protocols using MitM attacks. A common theme in this family of vulnerabilities is the lack of proper validation of one or more of the communicating parties.

Focusing on Active Directory environments, the most common authentication protocols are Kerberos and NTLM. We will review previous MitM attacks found on Active Directory authentication protocols and the mitigation strategies previously implemented. We will show that the relay attack technique is not limited to NTLM alone and can be used to attack the newer Kerberos authentication protocol. In addition, we will show several injection attacks that compromise client systems.

We will show how such validation mistakes can lead to devastating issues ranging from authentication bypass to remote code execution on various critical infrastructure systems. The issues are not limited to on-premises Windows networks but extend to other infrastructures such as domain-joined Unix machines, virtualization infrastructure, and even cloud directories such as Azure AD.

The talk will present a technical deep dive into multiple vulnerabilities we have discovered, along with several demos. Demos include a MitM attack that allows an attacker to inject user passwords in a hybrid AD environment, allowing the attacker to authenticate as any user in the network. We will also show how a similar technique can be used to take over an organization's virtualization infrastructure.