James Forshaw

These Are My Principals, If You Don't like Them, I Have Others.


The presentation contains an overview of my research into relaying Kerberos authentication which works even if NTLM has been disabled. It will describe how a Kerberos relay attack would work in practice. I will then describe the various approaches Windows network protocols use to decide the target of Kerberos authentication and how an attacker could influence the decision process to get spoofed Kerberos tickets for different services without MitM techniques.

I will also demonstrate some of the tools and techniques I developed during the research process. This will include some esoteric behaviors of the Windows Kerberos and Negotiate implementations which can improve the success of a relay attack.

Finally I'll describe the various approaches a system administrator can use to mitigate or detect a Kerberos relay attack on their network.


James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate. He’s also the author of the book “Attacking Network Protocols” available from NoStarch Press.