Kerberos

Kerberos is the default authentication protocol for any recent version of Windows.

[MS-KILE]: Kerberos Network Authentication Service (V5) SynopsisMicrosoftLearn

The general idea is that whenever a user wants to log into a service, they will be assigned a ticket. This ticket acts as a proof of previous authentication, which allows them to utilize a service by presenting it.

Kerberos authentication

Kerberos authentication involves 2 entities:

1. The user to authenticate

2. Key Distribution Center (KDC), a service usually installed on the Domain Controller

   • In charge of creating Kerberos tickets

Overview of important terms

1. Ticket Granting Ticket (TGT)

• a certain ticket that allows a user to request additional tickets (TGS) to access specific services without passing their credentials to the services themselves

1. Ticket Granting Service (TGS)

• tickets that only allow connection to specific service for which they are created

1. Service Principal Name (SPN)

• indicates the service and server name to access

1. Session Key

• returned by the KDC from the first TGT request

• required for the subsequent TGS request

1. Service Owner

• user or machine account under which a particular service runs

1. Service Session Key

• a copy of this key will be contained within the encrypted TGS

• it will be validated by the Service Owner (configured account running the service) when accessing that particular service

1. Service Owner Hash

• used to encrypt the TGS

1. krbtgt account

Accounts security posture assessment - Microsoft Defender for IdentityMicrosoftLearn

The krbtgt account in Active Directory is a built-in account used by the Kerberos authentication service. It encrypts and signs all Kerberos tickets, enabling secure authentication within the domain.

The process is as follows:

1. The user sends their username and a timestamp (encrypted using a key derived from their password) to the Key Distribution Center (KDC)

2. The KDC will create a Ticket Granting Ticket (TGT), and send this along with a Session Key back to the user

   • The TGT allows the user to request for service tickets (needed to access a particular service) without passing their credentials then next time they want to access a service

   • The Session Key is required for access to a service too (discussed in detail below)

1. The TGT is encrypted using the krbtgt account's password hash, and it contains a copy of the Session Key as part of its contents.

2. Every TGT is always for the service krbtgt/<domain>

1. When the user wants to connect to a service on the network (eg. database, share), they will make a request to the KDC with their username, timestamp encrypted with the Session Key, TGT and a Service Principal Name (SPN).

• The Session Key and TGT are retrieved from the previous requests

• The SPN indicates the server and server name to access

1. The KDC will create a Ticket Granting Service (TGS), and send this along with a Service Session Key back to the user

• The TGS is encrypted using a key derived from the Service Owner Hash

• The Service Owner is the user or machine account that the service runs with

Note that the TGS contains a copy of the Service Session Key in its encrypted content

1. Finally, the user can use the TGS to make a request to the desired service on the network

• The service will use its configured account's password hash to decrypt the TGS and validate the Service Session key

General overview

1

Request for Ticket Granting Ticker (TGT)

REQUEST

[User 🧑‍💻] : username, timestamp (encrypted w key derived from password)

--> | KDC 🖥|

RESPONSE

| KDC 🖥|: TGT, Session Key --> [User 🧑‍💻]

2

Request for Ticket Granting Service (TGS)

REQUEST

[User 🧑‍💻] : username, timestamp (encrypted w Session Key), TGT, SPN --> | KDC 🖥|

RESPONSE

| KDC 🖥| : TGS, service Session Key ---> [User 🧑‍💻]

3

User make a request to the desired service (eg. database)

REQUEST

[User 🧑‍💻] : TGS --> | DB🛢️|: validate the Service Session Key encrypted within the TGS

Active Directory BasicsTryHackMe