Kerberos Protocol
Status: Scaffold — content in progress
Kerberos v5 is the primary authentication protocol in Active Directory since Windows 2000. Understanding the ticket lifecycle is essential for understanding Kerberoasting, Golden Tickets, Silver Tickets, Pass-the-Ticket, and unconstrained delegation attacks.
Protocol Flow
```
Client                  KDC (AS)             KDC (TGS)             Service
  │                         │                    │                    │
  │── AS-REQ (username) ───>│                    │                    │
  │<─ AS-REP (TGT) ─────────│                    │                    │
  │                         │                    │                    │
  │── TGS-REQ (TGT + SPN) ──┼───────────────────>│                    │
  │<─ TGS-REP (Service Ticket) ──────────────────│                    │
  │                         │                    │                    │
  │── AP-REQ (Service Ticket) ───────────────────┼───────────────────>│
  │<─ AP-REP (session key) ─┼────────────────────┼────────────────────│
```
Step 1 — AS Exchange (Get TGT)
- Client sends AS-REQ with username and pre-authentication data (timestamp encrypted with user's key)
- KDC validates pre-auth, returns AS-REP containing the TGT (Ticket Granting Ticket)
- TGT is encrypted with the krbtgt account's NTLM hash — only the KDC can decrypt it
Step 2 — TGS Exchange (Get Service Ticket)
- Client presents TGT to TGS with the target SPN (Service Principal Name)
- TGS returns a Service Ticket encrypted with the service account's NTLM hash
- Client can now authenticate to the service
Step 3 — AP Exchange
- Client presents Service Ticket to the target service
- Service decrypts it using its own key, verifies the client's identity
Critical Security Details
| Detail | Security Implication |
|---|---|
| TGT encrypted with krbtgt hash | Compromise krbtgt = forge any TGT (Golden Ticket) |
| Service ticket encrypted with service account hash | Crack the hash offline = Kerberoasting |
| TGT lifetime: 10 hours default | Short-lived, but forged Golden Tickets can have arbitrary lifetimes |
| Pre-authentication disabled for some accounts | AS-REP Roasting — can request TGT without knowing password |
| PAC (Privilege Attribute Certificate) | Contains group memberships — can be forged in Golden Ticket |
Encryption Types
| Etype | Algorithm | Notes |
|---|---|---|
| 17 | AES-128-CTS-HMAC-SHA1-96 | Current default |
| 18 | AES-256-CTS-HMAC-SHA1-96 | Current default (stronger) |
| 23 | RC4-HMAC | Legacy; key is the NT hash — easier to crack |
Kerberoasting targets etype 23 (RC4) because the service ticket is encrypted with a key equal to the service account's NT hash, which hashcat cracks far faster than an AES-encrypted ticket.
Delegation Models
| Type | How it works | Risk |
|---|---|---|
| Unconstrained | Service gets copy of user's TGT | Any service ticket from a user includes their TGT — attacker on this server can steal TGTs from all incoming authentications |
| Constrained (KCD) | Service can impersonate user only to specific targets | Lower risk, but still abusable via msDS-AllowedToDelegateTo |
| Resource-Based Constrained (RBCD) | Target service controls who can delegate to it | Attacker with write access to msDS-AllowedToActOnBehalfOfOtherIdentity can create delegation path |
Telemetry
| Event ID | Description |
|---|---|
| 4768 | Kerberos Authentication Ticket (TGT) request |
| 4769 | Kerberos Service Ticket request |
| 4770 | Kerberos Service Ticket renewal |
| 4771 | Kerberos pre-auth failed |
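The etype note above and the telemetry table combine into the standard detection: a 4769 with ticket encryption type 0x17 for a user-account SPN (computer accounts and krbtgt excluded), many of them from one account, is the Kerberoasting signature, and a 4768 with pre-authentication type 0 is the AS-REP Roasting signature. The following is an added example, not part of the original page; the `Key=Value` event lines are constructed samples in a simplified rendering, not real Windows log output.

```python
import re
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23 from the table above
SAMPLE_EVENTS = [  # constructed sample lines, not real logs
    "EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x17",
    "EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17",
    "EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=CIFS/fs01.corp.local TicketEncryptionType=0x17",
    "EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17",
    "EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x12",
    "EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17",
    "EventID=4768 AccountName=svc-legacy ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17",
    "EventID=4768 AccountName=carol ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12",
]

def parse_event(line):
    """Split a 'Key=Value ...' line into a dict; the etype field becomes an int."""
    ev = dict(re.findall(r"(\w+)=(\S+)", line))
    if "TicketEncryptionType" in ev:
        ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev

def is_rc4_user_spn_request(ev):
    """4769 for a user-account SPN under RC4. Computer accounts ($) and krbtgt
    (TGT renewals) are excluded because they are not Kerberoastable."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_candidates(lines, threshold=3):
    """Accounts that requested >= threshold distinct RC4 service tickets for user SPNs."""
    spns = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_rc4_user_spn_request(ev):
            spns[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(s) for acct, s in spns.items() if len(s) >= threshold}

def asrep_roast_candidates(lines):
    """4768 with PreAuthType=0: a TGT was issued without pre-authentication."""
    return sorted(ev["AccountName"] for ev in map(parse_event, lines)
                  if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0")

if __name__ == "__main__":
    print("Kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
```

The threshold is a tuning knob: a single RC4 ticket for a legacy service is normal noise, while one account pulling RC4 tickets for many distinct SPNs in a short window is not.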
Cross-Links
| Topic | Link |
|---|---|
| Kerberoasting | kerberoasting |
| AS-REP Roasting | asrep-roasting |
| Golden Ticket | golden-ticket |
| Pass-the-Ticket | pass-the-ticket |