Ready to learn?

Kerberos

๐Ÿ”’ Secure Bits ๐Ÿ’ก
๐—›๐—ผ๐˜„ ๐—ž๐—ฒ๐—ฟ๐—ฏ๐—ฒ๐—ฟ๐—ผ๐˜€ ๐—ช๐—ผ๐—ฟ๐—ธ๐˜€ โ€” ๐—ถ๐—ป ๐˜€๐—ถ๐—บ๐—ฝ๐—น๐—ฒ ๐˜„๐—ผ๐—ฟ๐—ฑ๐˜€.

If youโ€™re managing Windows environments, you need to really understand Kerberos. Because without it, you are not fully aware of the ways to protect Kerberos authentication protocol and thus your environment.

๐—” ๐—ณ๐—ฒ๐˜„ ๐—พ๐˜‚๐—ถ๐—ฐ๐—ธ ๐—ณ๐—ฎ๐—ฐ๐˜๐˜€:
โžก๏ธ You canโ€™t use IP addresses by default.
โžก๏ธ Thereโ€™s a dangerous attack called Kerberoasting.
โžก๏ธ Multiple encryption steps happen silently in the background.

Kerberos comes from Cerberus โ€” the ๐˜๐—ต๐—ฟ๐—ฒ๐—ฒ-๐—ต๐—ฒ๐—ฎ๐—ฑ๐—ฒ๐—ฑ ๐—ฑ๐—ผ๐—ด from Greek mythology.

๐—ช๐—ต๐˜†? ๐—•๐—ฒ๐—ฐ๐—ฎ๐˜‚๐˜€๐—ฒ ๐—ž๐—ฒ๐—ฟ๐—ฏ๐—ฒ๐—ฟ๐—ผ๐˜€ ๐˜‚๐˜€๐—ฒ๐˜€ ๐—ฎ ๐˜๐—ต๐—ฟ๐—ฒ๐—ฒ-๐˜„๐—ฎ๐˜† ๐˜๐—ฟ๐˜‚๐˜€๐˜:
๐Ÿ‘ค The Client
๐Ÿ›๏ธ The Key Distribution Center (KDC)(DC)
๐Ÿ› ๏ธ The Target Service

Hereโ€™s the full handshake:
1๏ธโƒฃ Login โ€“ You enter your credentials. Thatโ€™s a KRB_AS_REQ โ†’ request for a TGT (Ticket Granting Ticket).
2๏ธโƒฃ KDC validates your identity and returns the TGT in a KRB_AS_REP.
Youโ€™re authenticated, but not authorized yet.
Think of it like scanning your Costco card โ€” you’re in the store, but you havenโ€™t bought anything yet.
3๏ธโƒฃ Now you want to access a service โ†’ You request a TGS ticket with KRB_TGS_REQ.
4๏ธโƒฃ KDC sends it back โ†’ KRB_TGS_REP.
5๏ธโƒฃ You present the TGS to the service.
6๏ธโƒฃ If everything checks out, access is granted.

But ๐—ต๐—ผ๐˜„ does it actually work?
Because parts of these tickets are ๐—ฒ๐—ป๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜๐—ฒ๐—ฑ ๐˜‚๐˜€๐—ถ๐—ป๐—ด ๐˜๐—ต๐—ฒ ๐—ฝ๐—ฎ๐˜€๐˜€๐˜„๐—ผ๐—ฟ๐—ฑ-๐—ฑ๐—ฒ๐—ฟ๐—ถ๐˜ƒ๐—ฒ๐—ฑ ๐—ธ๐—ฒ๐˜†๐˜€ of the parties involved.

For example:
When you authenticate, your system ๐—ฒ๐—ป๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜๐˜€ ๐—ฎ ๐˜๐—ถ๐—บ๐—ฒ๐˜€๐˜๐—ฎ๐—บ๐—ฝ as a part of the request for TGT using ๐˜†๐—ผ๐˜‚๐—ฟ ๐—ฝ๐—ฎ๐˜€๐˜€๐˜„๐—ผ๐—ฟ๐—ฑ-derived key.
The KDC tries to decrypt it using your actual ๐—ฝ๐—ฎ๐˜€๐˜€๐˜„๐—ผ๐—ฟ๐—ฑ ๐—ณ๐—ฟ๐—ผ๐—บ ๐—”๐——
โžก๏ธ If it works, youโ€™re legit.

When accessing a service, the TGS includes a part that ๐—ผ๐—ป๐—น๐˜† ๐˜๐—ต๐—ฒ ๐˜€๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐—ฐ๐—ฒ ๐—ฐ๐—ฎ๐—ป ๐—ฑ๐—ฒ๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜ using its own password.
โžก๏ธ If it can decrypt it, it trusts you โ€” because ๐—ถ๐˜ ๐˜๐—ฟ๐˜‚๐˜€๐˜๐˜€ ๐˜๐—ต๐—ฒ ๐—ž๐——๐—– that issued it.

Thatโ€™s the magic of Kerberos โ€” ๐—ฑ๐—ฒ๐—น๐—ฒ๐—ด๐—ฎ๐˜๐—ฒ๐—ฑ ๐˜๐—ฟ๐˜‚๐˜€๐˜ ๐˜„๐—ถ๐˜๐—ต๐—ผ๐˜‚๐˜ ๐—ฑ๐—ถ๐—ฟ๐—ฒ๐—ฐ๐˜ ๐—ฐ๐—ผ๐—บ๐—บ๐˜‚๐—ป๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป.

Interesting, right?
โš™๏ธ If you want to dive deeper into the protocol, attacks like Kerberoasting, and real-world tips โ€” I created a ๐—ณ๐—ฟ๐—ฒ๐—ฒ ๐—ฐ๐—ผ๐˜‚๐—ฟ๐˜€๐—ฒ ๐—ผ๐—ป ๐—ž๐—ฒ๐—ฟ๐—ฏ๐—ฒ๐—ฟ๐—ผ๐˜€ ๐—ถ๐—ป ๐—บ๐˜† ๐—”๐—ฐ๐—ฎ๐—ฑ๐—ฒ๐—บ๐˜†:

https://academy.horizon-secured.com/p/windows-infrastructure-security-kerberos

Next time I will explain the attack – ๐—ž๐—ฒ๐—ฟ๐—ฏ๐—ฒ๐—ฟ๐—ผ๐—ฎ๐˜€๐˜๐—ถ๐—ป๐—ด.

buy a course