BiTree: live coding lessons for aspiring developers and security professionals. © 2026 BiTree.
45 min, Advanced

AD Authentication: Kerberos and NTLM

After this lesson, you will be able to: walk the Kerberos authentication flow (AS-REQ, AS-REP, TGT, TGS-REQ, TGS-REP, service tickets) and explain when Windows falls back to NTLM. That flow is the basis for the AD attacks covered in the next lesson.

AD attacks target authentication, so you must understand it first. This lesson walks the Kerberos protocol step by step and explains NTLM as the legacy fallback, setting up the attack techniques in the next lesson.

Prerequisites: Active Directory: The Enterprise Attack Surface (intro)

Kerberos: tickets, not passwords

Kerberos authenticates without sending passwords across the network; it uses tickets instead. The Key Distribution Center (KDC, a service that runs on every domain controller) issues tickets that prove identity. Authentication has two phases: first the client obtains a Ticket Granting Ticket (TGT) that proves who it is; then it exchanges the TGT for service tickets (often called TGS tickets, after the Ticket Granting Service that issues them) that grant access to specific services. Tickets are time-limited and encrypted with keys derived from account passwords, and that is exactly what several attacks abuse: whoever can guess or steal a password-derived key can read or forge the tickets protected by it.

The Kerberos flow

From login to accessing a service.

  1. AS-REQ: the client asks the KDC for a TGT and proves knowledge of its password by encrypting a current timestamp with a key derived from that password (pre-authentication).

  2. AS-REP: the KDC returns a TGT encrypted with the krbtgt account's key, which the client cannot read, plus a session key encrypted with the client's own key.

  3. TGS-REQ: to use a service, the client presents the TGT together with an authenticator encrypted under the session key, and requests a service ticket for that service's Service Principal Name (SPN).

  4. TGS-REP: the KDC returns a service ticket encrypted with the target service account's key, plus a new session key for the client and that service.

  5. AP-REQ: the client presents the service ticket to the service, which decrypts it with its own key and grants access. No password ever crosses the wire.

Where the attacks hide in this flow

Each step has an abuse case you will see next lesson. Service tickets are encrypted with a key derived from the service account's password (with the RC4 encryption type, the account's NT hash itself), and any authenticated domain user can request a ticket for any SPN, so an attacker can request one and guess the password offline with no further contact with the KDC (Kerberoasting). Accounts configured without pre-authentication hand crackable material to anyone who sends an AS-REQ in their name (AS-REP Roasting). A stolen TGT or service ticket can be replayed from another machine until it expires (Pass-the-Ticket). And the krbtgt key, if stolen, lets an attacker forge a TGT for any account, which the KDC will accept as genuine (Golden Ticket). The protocol is sound; weak service-account passwords and stolen keys are the problem.
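The five-step flow and two of the abuses above, as an added example that is not part of the BiTree lesson. It is a toy model in Python: seal()/unseal() stand in for Kerberos encryption and derive_key() for its string-to-key function (no ASN.1, no AES, no PAC), and the user, service account, SPN and passwords are constructed for the demo. What it shows is that no message carries a password, that the service ticket can be guessed offline because it is sealed under the service account's password-derived key, and that anything sealed under the krbtgt key is accepted by the KDC as a TGT.

```python
# Added example, not BiTree's lesson code: a toy model of the five-step
# exchange above, then a Kerberoast guess against the service ticket and a
# forged TGT. seal()/unseal() stand in for Kerberos encryption, derive_key()
# for string-to-key; the principals, passwords and SPN are constructed.
import hashlib, hmac, json, os, time

def derive_key(password):
    # Fast, unsalted stand-in for string-to-key: this is why offline guessing is cheap.
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def seal(key, fields):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None  # wrong key: tag mismatch
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, passwords):
        # A real KDC stores keys, not passwords; derived here for brevity.
        self.keys = {name: derive_key(pw) for name, pw in passwords.items()}

    def as_exchange(self, as_req):
        ckey = self.keys[as_req["cname"]]
        padata = unseal(ckey, as_req["padata"])  # pre-auth: timestamp under the user's key
        if padata is None or abs(time.time() - padata["ts"]) > 300:
            raise PermissionError("pre-authentication failed")
        session = os.urandom(32).hex()
        tgt = {"cname": as_req["cname"], "key": session, "exp": time.time() + 600}
        # AS-REP: TGT under krbtgt's key (opaque to the client), session key under the user's key
        return {"tgt": seal(self.keys["krbtgt"], tgt), "enc_part": seal(ckey, {"key": session})}

    def tgs_exchange(self, tgs_req):
        tgt = unseal(self.keys["krbtgt"], tgs_req["tgt"])  # anything that unseals is trusted
        if tgt is None or tgt["exp"] < time.time():
            raise PermissionError("invalid TGT")
        session = bytes.fromhex(tgt["key"])
        auth = unseal(session, tgs_req["authenticator"])
        if auth is None or auth["cname"] != tgt["cname"]:
            raise PermissionError("invalid authenticator")
        svc_session = os.urandom(32).hex()
        ticket = {"cname": tgt["cname"], "spn": tgs_req["spn"], "key": svc_session}
        # TGS-REP: the service ticket is sealed under the service account's key
        return {"ticket": seal(self.keys[tgs_req["spn"]], ticket),
                "enc_part": seal(session, {"key": svc_session})}

def client_login(kdc, user, password):
    ckey = derive_key(password)
    as_rep = kdc.as_exchange({"cname": user, "padata": seal(ckey, {"ts": time.time()})})
    session = bytes.fromhex(unseal(ckey, as_rep["enc_part"])["key"])
    return as_rep["tgt"], session  # the password never left this function

def client_request_service(kdc, user, tgt, session, spn):
    authenticator = seal(session, {"cname": user, "ts": time.time()})
    tgs_rep = kdc.tgs_exchange({"tgt": tgt, "spn": spn, "authenticator": authenticator})
    return tgs_rep["ticket"], bytes.fromhex(unseal(session, tgs_rep["enc_part"])["key"])

def service_accept(service_key, ap_req):
    # AP-REQ: the service needs only its own key; it does not contact the KDC
    ticket = unseal(service_key, ap_req["ticket"])
    auth = ticket and unseal(bytes.fromhex(ticket["key"]), ap_req["authenticator"])
    return ticket["cname"] if auth and auth["cname"] == ticket["cname"] else None

def kerberoast(ticket, wordlist):
    # Offline: one derive_key() and one unseal() per guess; the KDC sees none of it
    for guess in wordlist:
        if unseal(derive_key(guess), ticket) is not None:
            return guess
    return None

def run_demo():
    spn = "MSSQLSvc/sql01.corp.example"
    kdc = KDC({"alice": "correct-horse-battery-staple", "krbtgt": os.urandom(32).hex(), spn: "Summer2024!"})
    tgt, session = client_login(kdc, "alice", "correct-horse-battery-staple")
    ticket, svc_session = client_request_service(kdc, "alice", tgt, session, spn)
    ap_req = {"ticket": ticket, "authenticator": seal(svc_session, {"cname": "alice", "ts": time.time()})}
    # Golden ticket: holding krbtgt's key, seal a TGT for any name and the KDC honours it
    gkey = bytes(32)
    golden = seal(kdc.keys["krbtgt"], {"cname": "ghost-admin", "key": gkey.hex(), "exp": time.time() + 3600})
    rep = kdc.tgs_exchange({"tgt": golden, "spn": spn,
                            "authenticator": seal(gkey, {"cname": "ghost-admin", "ts": time.time()})})
    return {"accepted_as": service_accept(derive_key("Summer2024!"), ap_req),
            "cracked": kerberoast(ticket, ["password", "Welcome1", "Summer2024!"]),
            "golden_cname": unseal(derive_key("Summer2024!"), rep["ticket"])["cname"]}
```

run_demo() returns the name the service accepted ("alice"), the service-account password recovered from the ticket alone ("Summer2024!"), and the name inside the service ticket the KDC issued for the forged TGT ("ghost-admin"). Note that the KDC in tgs_exchange never checks whether "ghost-admin" exists; it trusts whatever unseals under the krbtgt key, which is the whole Golden Ticket problem.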

NTLM: the legacy fallback

NTLM is the older challenge-response authentication that Windows still falls back to, for example when a client connects by IP address instead of hostname (no SPN can be built, so Kerberos is not even attempted), when the target has no SPN registered, or with legacy systems and machines outside the domain. It is weaker than Kerberos and central to Pass-the-Hash: the NTLM response is computed from the NT hash (an unsalted MD4 of the password) rather than from the plaintext, so an attacker who steals that hash can answer the server's challenge as the user without ever cracking it. Auditing NTLM use and disabling it where possible is a key hardening step.
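The NTLMv2 exchange and Pass-the-Hash, as an added example that is not part of the BiTree lesson. It implements the NT hash (MD4 over the UTF-16LE password) and the NTLMv2 response as specified in MS-NLMP in Python, with a constructed user, domain, password, challenges and AvPairs. The point is that the same response function serves both the legitimate client and an attacker holding only the dumped hash, and that the verifier, which also works from the stored hash, cannot tell the two apart.

```python
# Added example, not BiTree's lesson code: the NTLMv2 challenge-response
# computed from the NT hash alone, which is what makes Pass-the-Hash work.
# md4() is a pure-Python MD4 (hashlib's is often disabled under OpenSSL 3);
# the temp blob layout follows MS-NLMP 3.3.2; user, domain, password,
# challenges and the AvPairs are constructed for the demo.
import hmac, os, struct

M = 0xFFFFFFFF

def md4(data):
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = bytearray(data) + b"\x80"
    msg += bytes((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password):
    return md4(password.encode("utf-16-le"))  # NTOWFv1: unsalted, what the DC stores

def ntlmv2_hash(nt, user, domain):
    # NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)): no plaintext needed
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    # temp = RespType 1, HiRespType 1, 6 zero, FILETIME, client challenge, 4 zero, AvPairs, 4 zero
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_challenge
            + bytes(4) + target_info + bytes(4))
    proof = hmac.new(ntlmv2_hash(nt, user, domain), server_challenge + temp, "md5").digest()
    return proof + temp  # NtChallengeResponse = NTProofStr || temp

def server_verify(stored_nt, user, domain, server_challenge, response):
    # The verifier also works from the stored NT hash: recompute the proof over the client's temp
    proof, temp = response[:16], response[16:]
    expect = hmac.new(ntlmv2_hash(stored_nt, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expect)

def run_demo():
    user, domain = "alice", "CORP"
    stored = nt_hash("Summer2024!")                  # what the DC holds for alice (constructed)
    server_challenge = os.urandom(8)                 # ServerChallenge from the CHALLENGE_MESSAGE
    # AvPairs: MsvAvNbDomainName (id 2, len 8) "CORP", then MsvAvEOL (constructed, minimal)
    target_info = b"\x02\x00\x08\x00" + domain.encode("utf-16-le") + bytes(4)
    args = (user, domain, server_challenge, os.urandom(8), 133_000_000_000_000_000, target_info)
    legit = ntlmv2_response(nt_hash("Summer2024!"), *args)   # user typed the password
    stolen = bytes(stored)                           # dumped hash; attacker never learns "Summer2024!"
    pth = ntlmv2_response(stolen, *args)             # Pass-the-Hash: same function, no plaintext
    return {"legit_ok": server_verify(stored, user, domain, server_challenge, legit),
            "pth_ok": server_verify(stored, user, domain, server_challenge, pth),
            "indistinguishable": legit == pth,
            "wrong_ok": server_verify(stored, user, domain, server_challenge,
                                      ntlmv2_response(nt_hash("wrong"), *args))}
```

The takeaway sits in run_demo(): with the same challenges, the legitimate client and the hash-holding attacker produce byte-identical responses, so nothing on the wire distinguishes Pass-the-Hash from a normal logon. A stolen NT hash is therefore equivalent to the password for NTLM purposes until the password is changed, which is why hash hygiene (no reusable local admin passwords, Protected Users, Credential Guard) matters as much as disabling NTLM.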

Quick Check

Why can an attacker who requests a Kerberos service ticket attempt to crack it offline (Kerberoasting)?


Common mistakes only experienced practitioners catch

  • Treating Kerberos as unbreakable rather than abusable through weak passwords and stolen keys.
  • Forgetting that NTLM fallback exists and enables Pass-the-Hash.
  • Confusing the TGT (proves identity) with a service ticket (grants access to one service).
  • Not realizing that service accounts with weak passwords are the Kerberoasting jackpot.
  • Ignoring the krbtgt account, whose compromise is catastrophic (Golden Ticket).
