📚 Learning Objectives

By the end of this lesson, you will be able to:

๐Ÿ—๏ธ Kerberos Protocol Architecture

What is Kerberos?

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. It was developed at MIT and is now the default authentication protocol for Windows Active Directory environments.

🔑 Kerberos Key Principles:

  • Mutual Authentication: Both client and server verify each other's identity
  • Single Sign-On (SSO): Users authenticate once and access multiple services
  • Delegation: Services can act on behalf of users
  • Ticket-Based: Uses encrypted tickets for authentication

Kerberos Components

🔐 Key Distribution Center (KDC)

The central authentication server that manages all Kerberos operations.

KDC Components:
  • Authentication Service (AS): Issues Ticket Granting Tickets (TGTs)
  • Ticket Granting Service (TGS): Issues service tickets
  • Database: Stores user and service account information

🎫 Tickets

Encrypted credentials that prove authentication and authorization.

Ticket Types:
  • TGT (Ticket Granting Ticket): Initial authentication ticket
  • Service Ticket: Access to specific services
  • Renewal Ticket: Extended validity period

🔑 Encryption Keys

Secret keys used for encrypting and decrypting tickets and authenticators.

Key Types:
  • User Key: Derived from the user's password
  • Service Key: Derived from the service account's password
  • Session Key: Temporary key for one client/service conversation

🔄 Kerberos Authentication Flow

Complete Authentication Process

1. AS-REQ: Authentication Service Request

The client requests initial authentication from the KDC.

Request Contains:
  • Client principal name
  • Requested realm
  • Timestamp
  • Pre-authentication data (a timestamp encrypted with the user's password-derived key)

2. AS-REP: Authentication Service Response

The KDC validates the credentials and issues a TGT.

Response Contains:
  • Encrypted TGT (encrypted with the KRBTGT key)
  • Session key (encrypted with the user's password-derived key)
  • Ticket lifetime

3. TGS-REQ: Ticket Granting Service Request

The client requests a service ticket using its TGT.

Request Contains:
  • TGT (encrypted)
  • Authenticator (encrypted with the session key)
  • Service principal name (SPN)
  • Requested ticket lifetime

4. TGS-REP: Ticket Granting Service Response

The KDC issues a service ticket for the requested service.

Response Contains:
  • Service ticket (encrypted with the service key)
  • Service session key (encrypted with the TGS session key)
  • Ticket lifetime

5. AP-REQ: Application Request

The client presents the service ticket to the target service.

Request Contains:
  • Service ticket (encrypted)
  • Authenticator (encrypted with the service session key)

6. AP-REP: Application Response (Optional)

The service confirms authentication (mutual authentication).

Response Contains:
  • Service authenticator (encrypted with the service session key)
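The six steps above as a runnable model, added here and not part of the lesson: a Python KDC, service and client exchange AS-REQ/AS-REP, TGS-REQ/TGS-REP and AP-REQ/AP-REP with the same key relationships the lists describe (TGT under the KRBTGT key, service ticket under the service key, authenticators under session keys). A toy HMAC-based scheme stands in for the real Kerberos encryption types, and the account names and passwords are constructed.

```python
import hashlib, hmac, json, os, time

def kdf(password):      # stand-in for Kerberos string-to-key (assumption: plain SHA-256)
    return hashlib.sha256(password.encode()).digest()

def seal(key, msg):     # toy authenticated encryption standing in for a Kerberos etype
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):  # the wrong key fails the MAC: that is what stops forging tickets without the key
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

class KDC:              # Authentication Service + Ticket Granting Service
    def __init__(self, account_keys):
        self.keys = dict(account_keys, krbtgt=kdf(os.urandom(16).hex()))
    def as_exchange(self, cname, preauth):
        # AS-REQ: pre-auth is a timestamp sealed with the user's key; undecryptable or stale => reject
        if abs(time.time() - unseal(self.keys[cname], preauth)["ts"]) > 300:
            raise PermissionError("pre-auth timestamp outside the clock-skew window")
        sk = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sk": sk, "exp": time.time() + 36000})
        return tgt, seal(self.keys[cname], {"sk": sk})            # AS-REP: TGT + session key for the user
    def tgs_exchange(self, tgt, authenticator, spn):
        t = unseal(self.keys["krbtgt"], tgt)                       # only the KRBTGT key opens a TGT
        a = unseal(bytes.fromhex(t["sk"]), authenticator)          # proves the caller holds the session key
        if a["cname"] != t["cname"] or t["exp"] < time.time():
            raise PermissionError("authenticator does not match the TGT, or the TGT expired")
        ssk = os.urandom(16).hex()
        st = seal(self.keys[spn], {"cname": t["cname"], "spn": spn, "ssk": ssk})
        return st, seal(bytes.fromhex(t["sk"]), {"ssk": ssk})     # TGS-REP: service ticket + service session key

def ap_exchange(service_key, service_ticket, authenticator):
    t = unseal(service_key, service_ticket)                        # the service's own key opens its ticket
    a = unseal(bytes.fromhex(t["ssk"]), authenticator)
    if a["cname"] != t["cname"]:
        raise PermissionError("authenticator does not match the service ticket")
    return seal(bytes.fromhex(t["ssk"]), {"ts": a["ts"]})          # AP-REP: mutual authentication

def login_and_access(kdc, user, password, spn):   # client side of steps 1-6; True when AP-REP verifies
    uk = kdf(password)
    tgt, rep = kdc.as_exchange(user, seal(uk, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(uk, rep)["sk"])
    st, rep2 = kdc.tgs_exchange(tgt, seal(sk, {"cname": user, "ts": time.time()}), spn)
    ssk = bytes.fromhex(unseal(sk, rep2)["ssk"])
    ap_rep = ap_exchange(kdc.keys[spn], st, seal(ssk, {"cname": user, "ts": time.time()}))  # service holds its key
    return "ts" in unseal(ssk, ap_rep)
```

A wrong password fails at the AS exchange, and a TGT sealed under a guessed key fails at the TGS exchange, which is exactly why the KRBTGT key and service keys are the assets the later sections tell you to protect.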

🎫 Ticket Structure and Components

Ticket Granting Ticket (TGT)

🔍 TGT Contents

  • Client Principal: User account name
  • Realm: Domain name
  • Session Key: Temporary encryption key
  • Ticket Lifetime: Validity period
  • Flags: Ticket options and restrictions
  • Authorization Data: Group memberships and privileges

🔑 Encryption

TGTs are encrypted with a key derived from the KRBTGT account password, which makes that account the most valuable target for attackers.

KRBTGT Account:
  • Default password: Set during domain creation
  • Password rotation: Rarely changed
  • Access: Required for all TGT operations
  • Compromise: Enables Golden Ticket attacks

Service Ticket

🎫 Service Ticket Contents

  • Client Principal: User requesting service
  • Service Principal: Target service account
  • Service Session Key: Communication key
  • Ticket Lifetime: Service access validity
  • Flags: Service-specific options
  • Authorization Data: Service access permissions

🔐 Encryption

Service tickets are encrypted with a key derived from the service account's password.

Service Account Security:
  • Password strength: Often weak or default
  • Password rotation: Infrequent
  • Access: Required for service authentication
  • Compromise: Enables Silver Ticket attacks

๐Ÿท๏ธ Service Principal Names (SPNs)

What are SPNs?

Service Principal Names (SPNs) are unique identifiers for services running on servers. They enable Kerberos authentication to work properly by identifying which service account should be used for authentication.

SPN Format

SERVICE/HOST:PORT/REALM
SERVICE/HOST:PORT
SERVICE/HOST

Common SPN Examples:
  • HTTP/web01.domain.com:80 - Web service
  • MSSQLSvc/sql01.domain.com:1433 - SQL Server
  • LDAP/dc01.domain.com:389 - LDAP service
  • CIFS/fileserver.domain.com - File sharing

SPN Enumeration and Analysis

🔍 PowerShell Enumeration

# Get all SPNs in domain
Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties ServicePrincipalName

# Get SPNs for specific service
Get-ADUser -Filter "ServicePrincipalName -like 'HTTP/*'" -Properties ServicePrincipalName

# Get SPNs for specific host
Get-ADUser -Filter "ServicePrincipalName -like '*server01*'" -Properties ServicePrincipalName

🔧 LDAP Enumeration

# LDAP query for SPNs
ldapsearch -H ldap://domain.com -D "user@domain.com" -W -b "DC=domain,DC=com" "(&(objectClass=user)(servicePrincipalName=*))" servicePrincipalName

# Specific service SPNs
ldapsearch -H ldap://domain.com -D "user@domain.com" -W -b "DC=domain,DC=com" "(&(objectClass=user)(servicePrincipalName=MSSQLSvc/*))" servicePrincipalName

⚠️ Kerberos Security Vulnerabilities

Common Attack Vectors

🎫 Golden Ticket Attack

Forging TGTs using a compromised KRBTGT account

Attack Process:
  1. Compromise KRBTGT account password
  2. Create forged TGT with arbitrary privileges
  3. Use TGT to access any service in domain
  4. Maintain persistent access

Impact:
  • Complete domain compromise
  • Persistent backdoor access
  • Privilege escalation
  • Lateral movement

🥈 Silver Ticket Attack

Forging service tickets using compromised service accounts

Attack Process:
  1. Compromise service account password
  2. Create forged service ticket
  3. Access specific service directly
  4. Bypass TGS authentication

Impact:
  • Service-specific access
  • Data exfiltration
  • Service manipulation
  • Limited lateral movement

🔥 Kerberoasting

Extracting service account password hashes

Attack Process:
  1. Request service tickets for SPNs
  2. Extract encrypted service tickets
  3. Crack service account passwords
  4. Use credentials for lateral movement

Impact:
  • Service account compromise
  • Credential reuse attacks
  • Lateral movement
  • Privilege escalation

🔄 AS-REP Roasting

Extracting user password hashes from AS-REP responses

Attack Process:
  1. Identify users with pre-authentication disabled
  2. Request AS-REP without pre-auth
  3. Extract encrypted password hash
  4. Crack user passwords

Impact:
  • User account compromise
  • Credential theft
  • Account takeover
  • Initial access

🛡️ Kerberos Security Controls

Defense Strategies

🔐 Authentication Hardening

Implementation:
  • Enable pre-authentication for all accounts
  • Implement strong password policies
  • Use multi-factor authentication
  • Regular password rotation
  • Account lockout policies

🎫 Ticket Security

Implementation:
  • Short ticket lifetimes
  • Regular KRBTGT password rotation
  • Service account password management
  • Ticket renewal monitoring
  • Anomalous ticket detection

📊 Monitoring & Detection

Implementation:
  • Kerberos event logging
  • Failed authentication monitoring
  • Unusual ticket patterns
  • SPN enumeration detection
  • SIEM integration
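As an added example (not part of the lesson), the following Python runs two of the detections the list calls for over constructed, simplified 4768/4769 event lines: a TGT issued without pre-authentication (the pre-condition for AS-REP roasting) and one account requesting RC4-encrypted service tickets for several distinct SPNs in a short window (the Kerberoasting pattern). The field names follow the Windows audit events; the sample values, the 60-second window and the threshold of 3 SPNs are assumptions to tune for your own SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (assumption): field names mirror the Windows 4768/4769 audit records, values are invented.
SAMPLE_EVENTS = """
2024-05-01T09:00:01 EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.1.15
2024-05-01T09:00:05 EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-05-01T09:01:10 EventID=4769 TargetUserName=jdoe ServiceName=CIFS/fileserver TicketEncryptionType=0x12 IpAddress=10.0.1.15
2024-05-01T09:02:00 EventID=4769 TargetUserName=tsmith ServiceName=MSSQLSvc/sql01 TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-05-01T09:02:01 EventID=4769 TargetUserName=tsmith ServiceName=HTTP/web01 TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-05-01T09:02:02 EventID=4769 TargetUserName=tsmith ServiceName=LDAP/dc01 TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-05-01T09:02:03 EventID=4769 TargetUserName=tsmith ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.9.77
"""
FIELD = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = "0x17"        # RC4 etype; AES-issued tickets show 0x11/0x12 and are far slower to crack offline

def parse_events(text):
    """Turn one 'timestamp key=value ...' line per event into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        ev = dict(FIELD.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def asrep_roast_exposures(events):
    """4768 with Pre-Authentication Type 0: the AS-REP carried offline-crackable material; fix the account."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == "4768" and e.get("PreAuthType") == "0"]

def kerberoast_patterns(events, window=timedelta(seconds=60), min_spns=3):
    """One account pulling RC4 tickets for many SPNs in a short window; krbtgt and computer ($) accounts are noise."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == "4769" and e.get("TicketEncryptionType") == RC4_HMAC:
            svc = e["ServiceName"]
            if svc != "krbtgt" and not svc.endswith("$"):
                by_user[e["TargetUserName"]].append((e["ts"], svc))
    hits = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):           # sliding window over this user's requests
            spns = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(spns) >= min_spns:
                hits.append((user, sorted(spns)))
                break
    return hits
```

The jdoe events stay silent because the tickets were AES-encrypted and pre-auth was used; moving service accounts to AES-only encryption types makes the RC4 condition itself a high-signal alert.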

🔧 Configuration Security

Implementation:
  • Secure SPN configuration
  • Delegation restrictions
  • Service account isolation
  • Network segmentation
  • Regular security assessments

🧪 Hands-On Exercise

Exercise: Kerberos Protocol Analysis

Objective: Analyze Kerberos authentication flow and identify potential security issues.

📋 Steps:

  1. SPN Enumeration

    Enumerate Service Principal Names in the domain:

    # PowerShell SPN enumeration
    Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName
    
    # Identify high-value services
    Get-ADUser -Filter "ServicePrincipalName -like 'MSSQLSvc/*'" -Properties ServicePrincipalName
    Get-ADUser -Filter "ServicePrincipalName -like 'HTTP/*'" -Properties ServicePrincipalName

  2. Kerberos Traffic Analysis

    Capture and analyze Kerberos authentication traffic:

    # Wireshark filters for Kerberos
    kerberos
    kerberos.as_req
    kerberos.as_rep
    kerberos.tgs_req
    kerberos.tgs_rep

  3. Pre-authentication Analysis

    Check for accounts with pre-authentication disabled:

    # Find accounts vulnerable to AS-REP roasting
    Get-ADUser -Filter "userAccountControl -band 4194304" -Properties userAccountControl | Select-Object Name, userAccountControl

  4. Service Account Analysis

    Identify service accounts and their security posture:

    # Get service accounts with SPNs
    Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate | Select-Object Name, ServicePrincipalName, PasswordLastSet, LastLogonDate

📄 Deliverables:

  • SPN enumeration report
  • Kerberos traffic analysis
  • Vulnerability assessment findings
  • Security recommendations
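As an added example (not part of the lesson), this Python turns the attributes gathered in exercise steps 1, 3 and 4 into assessment findings: it parses each SPN using the SERVICE/HOST[:PORT][/...] form from the SPN Format section, tests the userAccountControl bit 4194304 that step 3 queries, and flags SPN-bearing accounts whose password is older than a threshold. The CSV layout (assumed to be the Get-ADUser output piped to Export-Csv with SPNs joined by ';'), the sample rows, the fixed "today" date and the 365-day threshold are all assumptions.

```python
import csv
import io
from datetime import datetime

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit 4194304 tested in step 3

# Constructed export (assumption): what the Get-ADUser queries might look like after Export-Csv.
SAMPLE_CSV = """Name,ServicePrincipalName,PasswordLastSet,userAccountControl
svc_sql,MSSQLSvc/sql01.domain.com:1433;MSSQLSvc/sql01.domain.com,2019-03-12,512
svc_web,HTTP/web01.domain.com:80,2024-04-20,512
legacyapp,,2022-01-05,4194816
jdoe,,2024-04-01,512
"""

def parse_spn(spn):
    """Split SERVICE/HOST[:PORT][/suffix] into its parts (the layout given in the SPN Format section)."""
    service, _, rest = spn.partition("/")
    hostport, _, suffix = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not service or not host:
        raise ValueError(f"malformed SPN: {spn!r}")
    return {"service": service, "host": host, "port": int(port) if port else None, "suffix": suffix or None}

def assess(csv_text, today="2024-05-01", max_pw_age_days=365):
    """Return (account, finding) pairs; 'today' is an ISO date fixed so the sample run is reproducible."""
    now = datetime.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        pw_age = (now - datetime.fromisoformat(row["PasswordLastSet"])).days
        spns = [parse_spn(s) for s in row["ServicePrincipalName"].split(";") if s]
        if uac & DONT_REQ_PREAUTH:
            findings.append((row["Name"], "pre-authentication disabled: AS-REP roastable"))
        if spns and pw_age > max_pw_age_days:
            services = ",".join(sorted({s["service"] for s in spns}))
            findings.append((row["Name"], f"SPN account ({services}) password {pw_age} days old: Kerberoast exposure"))
    return findings

if __name__ == "__main__":
    for name, finding in assess(SAMPLE_CSV):
        print(f"{name}: {finding}")
```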

📊 Knowledge Check

Question 1: What is the KRBTGT account used for in Kerberos?

Question 2: What is the correct format for a Service Principal Name?

Question 3: Which attack targets users with pre-authentication disabled?
