⚔️
DWSec Wiki
  • Welcome to the DWSec Notes
  • Windows Privilege Escalation
  • Active Directory
    • Fundamentals
      • Introduction
      • Protocols
      • Authentication
      • Glossary of terms
      • Objects
      • AD CS
    • Pentest Methodology
    • Insecure Logins
    • Bloodhound & ldapdomaindump
    • NTLMRelaying (445)
    • SMB Coercing (445)
    • Pre2k
    • DACL Abuse
    • Kerberoasting
    • Utility Tools
    • Powershell
  • Networking
    • Fundamentals
    • Pivoting, Tunneling and Portforwarding
    • DNS
    • Ligolo-ng
    • Toolbox
    • Protocols
      • 80/443 - HTTP/HTTPS
      • 389 - LDAP
      • 445 - SMB
  • Web
    • Active Enumeration
    • Passive Enumeration
  • ADPwn
  • Tools
    • Tools overview
Powered by GitBook
On this page
  • NTLM
  • Kerberos
  • Authentication Process
  • Benefits
  • Ressources

Was this helpful?

  1. Active Directory
  2. Fundamentals

Authentication

NTLM

Kerberos

Kerberos is supported as one of the standard authentication protocols since windows 2000.

In general Kerberos is based on several design principles. First of all it is designed with a concept of mutual authentication. Client and server are verifying their integrity against each other. Beside that Kerberos is a stateless protocol. This means that there are no transmitted usernames and passwords. Instead Kerberos is exhibiting encrypted tickets to users and services, serving as authentication evidence.

In active directory a key distribution center (KDC) is responsible for authentication management via kerberos.

Kerberos uses port 88 on domain controllers. Therefore, discovery is usually very simple

Authentication Process

The first step in Kerberos authentication is to request a Ticket Granting Ticket. Possession of this ticket should verify a user's authenticity. Next, a user can request a Ticket Granting Service Ticket (TGS) for each connected service. During this second process, the KDC ensures that a user has the correct permissions to access that asset's service.

Initial user authentication via TGT request:

  1. User is logging in. NTLM hash is calculated from entered password.

  2. KRB-AS-REQ: Request for TGT is encrypted with NTLM hash from entered password. Send request to KDC

  3. KDC checks for successful decryption with stored password from database in domain controller. Additional user information from request can be used to ensure the users integrity.

  4. KRB-AS-REP: Return TGT to user if authentication was successful

Server authentication via TGS:

  • KRB-TGS-REQ: user shows his TGT to the KDC in DC and requests Ticket Granting Service Ticket (TGS)

  • DC validates TGT and checks if the user from the TGT has the right permissions to access the issued service

  • If validation is successful, the KDC creates a TGS encrypted with the service key.

  • KRB-TGS-REP: KDC sends back encrypted TGS to user

  • KRB-AP-REP: users shows encrypted ticket to the service

  • If the service is able to decrypt the ticket with its own key, the authentication of the user is successful.

Benefits

  • Kerberos is able to separate credentials from the authentication requests

    • No passwords are transferred via internet

  • KDC does not save previous transactions

    • Assumption that user is authenticated as soon as they have a valid ticket in hand

Ressources

  • https://academy.hackthebox.com/module/74/

PreviousProtocolsNextGlossary of terms

Last updated 3 months ago

Was this helpful?