Kerberos – The What, How and Why?


TL;DR

  • Kerberos is a robust network authentication protocol that uses secret-key cryptography to verify users and services in a secure manner.
  • Major components include:
    • Key Distribution Center (KDC) consisting of Authentication Service (AS) and Ticket Granting Service (TGS)
    • Service
    • Ticket Granting Ticket (TGT).
  • The authentication flow involves the client obtaining a TGT from the Authentication Service (AS), using it to request service tickets from the TGS, and then accessing network services.
  • Kerberos provides advantages over NTLM and LDAP by offering stronger security, scalability, and true single sign-on (SSO).

Intro

In our previous blog, we covered what Active Directory is and its functions. In this post, we will step foot into the world of Kerberos, a powerful network authentication protocol used in Active Directory. We’ll cover what Kerberos is, how it works, and its major components. Additionally, we’ll explain the need for Kerberos, highlighting why it is a crucial implementation for secure network authentication. Understanding Kerberos is essential for security professionals as many attacks abuse concepts related to this protocol. By the end of this article, you’ll have a comprehensive understanding of Kerberos and its role in Active Directory.

What is Kerberos

Kerberos is a centralized authentication protocol designed to provide strong security for client-server applications. Developed by MIT, it uses secret-key cryptography to authenticate users and services on a network, ensuring that data remains secure and confidential.

Major Components of Kerberos

Kerberos authentication involves several key components that work together to ensure secure and reliable authentication:

  1. Key Distribution Center (KDC)

The KDC is the core component of the Kerberos authentication protocol. It consists of two main services:

    • Authentication Service (AS)

Validates the credentials of users and issues Ticket Granting Tickets (TGT).

    • Ticket Granting Service (TGS)

Issues service tickets based on the TGT for access to specific network resources.

  2. Client

The user or application requesting access to a service.

  3. Service

The service that the client wants to access.

How Kerberos Works

Important Contents in Requests/Responses

The requests and responses exchanged between the client, the KDC and the service during Kerberos authentication contain several important elements:

  1. Session Key: A temporary encryption key used for secure communication between the client and the service.
  2. Ticket Granting Ticket (TGT): A ticket that allows the client to request service tickets from the TGS.
  3. TGS Service Ticket: A ticket that allows the client to authenticate to a specific service on the network.
  4. Privilege Attribute Certificate (PAC): Authorization data within the service ticket containing user and group information for access control decisions.
  5. Timestamp: Used to prevent replay attacks by ensuring that the tickets are used within a specific timeframe.
  6. KRBTGT: The default service account of the KDC on Domain Controllers; its password hash is used to encrypt TGTs.
  7. Service Principal Name (SPN): Indicates the service and server name the client intends to access.

Authentication Flow

  1. Initial Authentication Request
    • The client sends an authentication request to the AS.
    • This request includes the client’s username and a timestamp encrypted using the client’s password hash.
  2. AS Response – Ticket Granting Ticket (TGT)
    • The AS validates the user’s credentials and, if valid, generates a TGT and a session key. The TGT is encrypted using the password hash of the KRBTGT account and sent back to the client.
  3. Service Request with TGT
    • When the client wants to access a specific service, for example a share, it sends a request to the TGS.
    • This request includes the client’s username, a timestamp encrypted using the session key, the TGT and the SPN of the service.
  4. TGS Response – Service Ticket
    • The TGS decrypts the TGT, verifies it, and generates a service ticket along with a service session key for the requested service. These are then sent to the client.
    • The TGS service ticket is encrypted using the service owner’s password hash, so that the service owner can decrypt and read it.
    • The service owner is the user or machine account that the service runs under.
  5. Access Request to the Service
    • The client presents the TGS service ticket to the service when requesting access.
  6. Granting Access
    • The service decrypts the service ticket using the service owner’s password hash, verifies it, and grants access.
  7. PAC Validation
    • The Privilege Attribute Certificate (PAC) contains the user’s group memberships, privileges, and delegation information. The service validates the PAC included in the service ticket to determine the user’s permissions and access rights.
    • This validation happens only when the TGT is older than 20 minutes.
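The seven steps above can be traced end to end in code. The following is an added example written for this post, not code from the original article or from any Kerberos implementation: a single-process model of the AS, TGS and AP exchanges in which the KDC, a service principal and two clients only ever see data encrypted under the keys Kerberos gives them. The encryption routine is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag, a stand-in chosen so the example runs with the standard library alone; it is not one of the real Kerberos encryption types. The realm (`alice`, `bob`, the `cifs/fs01` SPN, the `FileAdmins` group) and the key-derivation shortcut are all constructed for the demonstration.

```python
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300         # seconds; Kerberos tolerates 5 minutes of skew by default
TICKET_LIFETIME = 36000  # seconds; 10 hours is the AD default ticket lifetime

def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # stand-in for string-to-key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    # Constructed encrypt-then-MAC stand-in for a Kerberos etype (not a real etype)
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_fresh(ts: float) -> None:
    if abs(time.time() - ts) > CLOCK_SKEW:  # timestamp check against replay
        raise ValueError("timestamp outside allowed clock skew")

class KDC:  # Authentication Service (AS) and Ticket Granting Service (TGS)
    def __init__(self, principals: dict, groups: dict):
        self.keys = {p: derive_key(pw) for p, pw in principals.items()}
        self.groups = groups  # constructed source of the PAC group data
    def _ticket(self, key: bytes, cname: str, sname: str):
        session_key = os.urandom(32)
        body = {"cname": cname, "sname": sname, "key": session_key.hex(),
                "pac": {"groups": self.groups.get(cname, [])},
                "endtime": time.time() + TICKET_LIFETIME}
        return encrypt(key, body), session_key
    def as_exchange(self, as_req: dict) -> dict:
        client_key = self.keys[as_req["cname"]]
        check_fresh(decrypt(client_key, as_req["preauth"])["ts"])  # pre-authentication
        tgt, sk = self._ticket(self.keys["krbtgt"], as_req["cname"], "krbtgt")
        return {"tgt": tgt, "enc_part": encrypt(client_key, {"key": sk.hex()})}
    def tgs_exchange(self, tgs_req: dict) -> dict:
        tgt = decrypt(self.keys["krbtgt"], tgs_req["tgt"])  # only the KDC can open a TGT
        if time.time() > tgt["endtime"]:
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(tgt["key"])
        auth = decrypt(session_key, tgs_req["authenticator"])
        check_fresh(auth["ts"])
        if auth["cname"] != tgt["cname"]:
            raise ValueError("authenticator does not match TGT")
        spn = tgs_req["spn"]
        ticket, svc_key = self._ticket(self.keys[spn], tgt["cname"], spn)
        return {"ticket": ticket, "enc_part": encrypt(session_key, {"key": svc_key.hex()})}

class Service:  # the service owner; it decrypts tickets issued under its own key
    def __init__(self, spn: str, password: str, required_group: str):
        self.spn, self.key, self.required_group = spn, derive_key(password), required_group
        self.replay_cache = set()
    def ap_exchange(self, ap_req: dict) -> bool:
        ticket = decrypt(self.key, ap_req["ticket"])
        if ticket["sname"] != self.spn or time.time() > ticket["endtime"]:
            raise ValueError("ticket is for another service or has expired")
        auth = decrypt(bytes.fromhex(ticket["key"]), ap_req["authenticator"])
        check_fresh(auth["ts"])
        if auth["cname"] != ticket["cname"]:
            raise ValueError("authenticator does not match ticket")
        if (auth["cname"], auth["ts"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["cname"], auth["ts"]))
        return self.required_group in ticket["pac"]["groups"]  # authorization from the PAC

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, derive_key(password)
    def authenticator(self, key: bytes) -> bytes:
        return encrypt(key, {"cname": self.name, "ts": time.time()})
    def login(self, kdc: KDC) -> None:  # AS-REQ / AS-REP
        rep = kdc.as_exchange({"cname": self.name, "preauth": self.authenticator(self.key)})
        self.tgt = rep["tgt"]  # opaque to the client: encrypted under the krbtgt key
        self.session_key = bytes.fromhex(decrypt(self.key, rep["enc_part"])["key"])
    def get_service_ticket(self, kdc: KDC, spn: str):  # TGS-REQ / TGS-REP
        rep = kdc.tgs_exchange({"tgt": self.tgt, "spn": spn,
                                "authenticator": self.authenticator(self.session_key)})
        return rep["ticket"], bytes.fromhex(decrypt(self.session_key, rep["enc_part"])["key"])
    def access(self, kdc: KDC, service: Service) -> bool:  # AP-REQ
        ticket, svc_key = self.get_service_ticket(kdc, service.spn)
        return service.ap_exchange({"ticket": ticket, "authenticator": self.authenticator(svc_key)})

def demo():
    # Constructed realm: alice is in FileAdmins, bob is not; both target the same share
    kdc = KDC({"alice": "alice-pw", "bob": "bob-pw", "krbtgt": "krbtgt-pw", "cifs/fs01": "fs01-pw"},
              {"alice": ["Domain Users", "FileAdmins"], "bob": ["Domain Users"]})
    share = Service("cifs/fs01", "fs01-pw", "FileAdmins")
    alice, bob = Client("alice", "alice-pw"), Client("bob", "bob-pw")
    alice.login(kdc); bob.login(kdc)
    return alice.access(kdc, share), bob.access(kdc, share)
```

Three properties of the protocol are visible in how the model fails. A wrong password breaks the pre-authentication timestamp at the AS, so no TGT is ever issued; the client never decrypts its own TGT, because it is sealed under the KRBTGT key, and a ticket whose bytes are modified fails the integrity check at the service; and presenting the same authenticator twice is refused by the service's replay cache even though the ticket itself is still valid. Authorization comes purely from the PAC carried inside the ticket, which is why `bob` authenticates successfully yet is denied the share.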

The Role of TGT and TGS in Kerberos Authentication

The Ticket Granting Ticket (TGT) and the Ticket Granting Service (TGS) are crucial components of the Kerberos authentication process:

  • Ticket Granting Ticket (TGT)

The TGT is issued by the AS after the user’s initial authentication. It serves as proof that the user has been authenticated and allows the user to request service tickets from the TGS without having to re-authenticate. This ticket simplifies the process and improves security by minimizing the number of times a user’s credentials are transmitted over the network.

  • Ticket Granting Service (TGS)

The TGS is a part of the KDC that issues service tickets based on the TGT presented by the client. The TGS verifies the TGT and, if valid, provides a service ticket that the client can use to access the desired service.

The need for a ticket to get more tickets may sound a bit weird, but this mechanism ensures that the user’s credentials are not repeatedly sent over the network and that each service access request is independently authenticated and authorized.

Why Kerberos When NTLM and LDAP Exist?

NTLM (NT LAN Manager)

NTLM is an older authentication protocol used in Windows environments. While NTLM is still supported for backward compatibility, it has several limitations:

  • Security: NTLM is less secure compared to Kerberos. It uses a challenge-response mechanism that can be vulnerable to certain types of attacks, such as pass-the-hash.
  • Scalability: NTLM does not handle the scalability and performance requirements of modern enterprise environments as efficiently as Kerberos.
  • Single Sign-On (SSO): NTLM does not support true single sign-on (SSO) across multiple systems and services, which Kerberos handles more effectively.

LDAP (Lightweight Directory Access Protocol)

LDAP is a protocol used to access and manage directory information. While it can be used for authentication, it primarily focuses on querying and modifying directory services. LDAP alone is not sufficient for comprehensive authentication due to the following reasons:

  • Lack of Strong Authentication: LDAP by itself does not provide strong authentication mechanisms like Kerberos. It relies on binding mechanisms that are less secure.
  • No Ticket-Based Authentication: LDAP does not use a ticket-based system, making it less efficient for SSO scenarios and repeated authentications across multiple services.
  • Authorization and Delegation: LDAP does not inherently handle authorization and delegation as effectively as Kerberos, which includes PAC for detailed access control.

Conclusion

With a solid understanding of Kerberos and its authentication mechanisms from this post, combined with the foundational knowledge of Active Directory from our previous blog post, you are now well-prepared to learn further about widely used Active Directory attack techniques. In our next series of posts, we will guide you through some of the common issues faced when joining a Kali machine to Active Directory and explore different attacks on Active Directory. Stay tuned!