Hunting for Bugs in the Legacy Windows Authentication Stack
Authentication is crucial to Windows security, especially in enterprise environments. While there's a push to move towards web-based authentication such as OAuth, many of the legacy authentication protocols, among them NTLM and Kerberos, are still in use today. These protocols stretch back over 20 years; with code and design choices baked in for so long, it's an interesting area to look for high-impact security issues.
This presentation will go through the work I've done in the past two years to hunt for bugs in the legacy Windows authentication stack. I'll share my overall methodology for the hunt, tooling that I've developed to aid in the research and highlight some intriguing vulnerabilities that I discovered. Some of these vulnerabilities are down to design choices made 20 years ago, others are in brand new code and range from privilege escalation, authentication bypass and remote code execution.