Active Directory Series – III

Part – III : Active Directory – Authentication

Kerberos Authentication Protocol

The Kerberos authentication protocol offers a robust and reliable solution to ensure secure access to network resources.

Kerberos, derived from the Greek word “κέρβερος” meaning “three-headed dog,” was originally developed at the Massachusetts Institute of Technology (MIT) in the 1980s. Kerberos has undergone several revisions and refinements, with the most widely used version being Kerberos V5.

Let’s break down the Kerberos authentication process into several steps:

Authentication Request: The user initiates the authentication process by sending a request to the AS (Authentication Server), requesting access to a specific service.

AS Authentication: The AS validates the user’s credentials, and if successful, it issues a TGT (Ticket Granting Ticket) encrypted with the user’s secret key.

TGS Request: The user presents the TGT to the Ticket Granting Server, along with a request for access to a specific service.

TGS Authentication: The TGS verifies the TGT’s authenticity and the user’s authorization for the requested service. If approved, it issues a service ticket (ST) encrypted with a session key.

Accessing the Service: The user sends the ST to the desired service. The service decrypts the ST using its own secret key and verifies the session key, granting access if everything checks out.

Session Key Usage: From this point on, the user and the service communicate using the session key for secure data exchange.

Kerberos tickets have a limited validity period, which is designed to balance security and usability. The validity period ensures that tickets are not valid indefinitely, reducing the risk associated with stolen or compromised tickets.
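The six steps and the ticket lifetime check above, as an added simulation that is not part of the original article. Principal names, keys and the 600-second lifetime are constructed for the demo, and an HMAC-sealed JSON blob stands in for Kerberos encryption (real Kerberos encrypts tickets with a symmetric cipher such as AES); the point is which key opens which message and what happens when a ticket is expired or forged.

```python
import hashlib, hmac, json

# Constructed long-term keys for the demo; a real KDC stores a random key per principal.
KEYS = {"alice": b"alice-long-term-key", "krbtgt": b"kdc-krbtgt-key", "cifs/fs01": b"fs01-service-key"}
LIFETIME = 600  # ticket validity in seconds (shortened for the demo)

def seal(key, payload):
    # Stand-in for Kerberos encryption: JSON + HMAC tag; only a holder of `key` can mint or verify it.
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()
def unseal(key, blob):
    body, _, tag = blob.rpartition(b".")
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest().encode()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(body)

def ticket(issuer_key, client, service, skey, now):
    return seal(issuer_key, {"client": client, "service": service, "skey": skey, "expires": now + LIFETIME})
def fresh_key(label, now):
    return hashlib.sha256(f"{label}-{now}".encode()).hexdigest()  # demo session key, not random

def as_exchange(user, now):
    # Steps 1-2: TGT sealed under the krbtgt key; the TGT session key is returned under the user's key.
    skey = fresh_key("tgt-" + user, now)
    return ticket(KEYS["krbtgt"], user, "krbtgt", skey, now), seal(KEYS[user], {"skey": skey})

def tgs_exchange(tgt, service, now):
    # Steps 3-4: verify the TGT and its lifetime, issue an ST under the service key plus a new session key.
    t = unseal(KEYS["krbtgt"], tgt)
    if now > t["expires"]:
        raise ValueError("TGT expired")
    skey = fresh_key("svc-" + service, now)
    return ticket(KEYS[service], t["client"], service, skey, now), seal(t["skey"].encode(), {"skey": skey})

def service_accept(service, st, now):
    # Steps 5-6: the service opens the ST with its own key, checks the lifetime, returns the shared key.
    t = unseal(KEYS[service], st)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    return t["client"], t["skey"]

def login_and_access(user, service, now, present_at=None):
    # Client side of the full exchange; present_at lets the ST be shown to the service later.
    tgt, enc_part = as_exchange(user, now)
    tgt_skey = unseal(KEYS[user], enc_part)["skey"]
    st, enc_svc = tgs_exchange(tgt, service, now)
    client_skey = unseal(tgt_skey.encode(), enc_svc)["skey"]
    client, service_skey = service_accept(service, st, now if present_at is None else present_at)
    return client, client_skey == service_skey  # both ends hold the same session key (step 6)
```

A ticket presented after its expiry, or one minted without the service's key, is rejected by `service_accept`, which is the property the limited validity period and the per-service key are meant to provide.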

While Kerberos is a robust authentication protocol, it is not immune to various attacks that can compromise its security. Understanding these attacks is essential for effectively defending against them. Here are some common attacks against Kerberos:

Kerberos Golden Ticket Attack: Attackers compromise a Key Distribution Center (KDC) and create forged TGTs, effectively granting them unrestricted access to resources.

Kerberos Silver Ticket Attack: Attackers create forged service tickets (STs) to access specific services without needing to authenticate to the TGS.

Kerberos user enumeration: When sending an authentication request (AS-REQ), an attacker can use the response from the KDC to determine whether a user exists or not. This allows attackers to effectively brute force usernames by using word lists.

AS-REP roasting: AS-REP Roasting is a Kerberos attack in which attackers capture the encrypted part of an AS-REP message for user accounts and attempt to crack it offline by trying candidate keys against the krb5asrep hash. If a candidate key decrypts the AS-REP into meaningful plaintext, that key corresponds to the user’s password.

Kerberoasting attack: An attempt to crack the passwords of service accounts within a network. This attack takes advantage of the fact that service account passwords, also known as Service Principal Names (SPNs), are often set to weak or predictable values, making them susceptible to brute force attacks.

Other frequent attacks include Brute Force, Password Spraying, DoS, MITM, and others.

Kerberos has the great advantage that it is much more secure than NTLM. However, there are a few things you should keep in mind when using Kerberos in order to create a secure AD environment.

We’ll explore another authentication method in depth in the upcoming part.
