SlideShare a Scribd company logo

Kerberos explained

Download as PPTX, PDF
Dotan Patrich, profile picture
Dotan Patrich

The document discusses the Kerberos authentication protocol. It describes Kerberos as a protocol that uses tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It also summarizes how Kerberos works, the events it generates, and some of its advanced features like single sign-on, delegation, and cross-domain authentication.

Software
1 of 25
Downloaded 135 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Kerberos Explained DOTAN PATRICH
Who's on First? How can Abbot authenticate that Costello is talking? How can Abbot make sure that Costello is on First?
Kerberos the three-headed dog Authentication protocol named after a mythical three-headed dog: ◦ Key Distribution Center (KDC) ◦ The client user ◦ The accessed server Came out of MIT Adopted by MS AD to replace NTLM (and failed to do so)
How does it work?
How does it work? User login by entering username and password
How does it work?
How does it work? KDC contacts AD to authenticate the user and gather all groups he posses
How does it work?
How does it work? Windows Security Event 4768 event logged for the user from source ip
How does it work? Windows Security Event 4768 event logged for the user from source ip Client machine caches the TGT This is done once per session (until TGT expiration)
How does it work? Now the user wants to access server B
How does it work?
How does it work? KDC validate the request (check encryption validity)
How does it work?
How does it work? Windows Security Event 4769 event logged for the user from source ip to computer B
How does it work?
How does it work? Validate the ticket authenticity: decrypt the service ticket with computer B ticket
So what’s new? Scalable ◦ Servers do not need to contact KDC to authenticate users ◦ Only users and machine account authenticate with the KDC, once per 10h of activity Secure ◦ Passwords are not sent over the wire ◦ Ticket based authentication based on certificates trusts Advanced Features ◦ Single Sign-On ◦ Delegation ◦ Cross Domain Authentication
Wait, machines need to authenticate? Yes!! ◦ Need to ensure that a Service Ticket is addressed and used only by the destination computer ◦ The Service Ticket is encrypted by the machine account session key (shared with the KDC) ◦ Only the target machine can validate the Service Ticket ◦ This is why we see 4768 events and 4769 events for the machine account!
4769 events with source=target When a user logins to a local computer, a session is created for him: ◦ It doesn’t matter if it is a remote session, or local interactive session ◦ In both cases, the computer needs to know the user’s credentials (group membership and SID) ◦ It uses a Service Ticket addressed to the local computer to do so ◦ Works the same as if we contacted a remote servers ◦ This is why we get a 4769 event with source equals to target after each login
4769 with target equals domain controller? After each login, the computer needs to pull Group Policy from AD: ◦ Need to access the AD domain controller and pull the policy ◦ To do so, we need to authenticate with the domain controller ◦ Authentication is done using Kerberos, just like any server access ◦ This is why we get a 4769 event with target equals to a domain controller after each login
So, what events are logged ? Event Type Account Source Destination 4768 Machine B Machine B 4768 Machine C Machine C 4768 User A Machine B 4769 User A Machine B Machine B 4769 User A Machine B Domain Controller 4769 User A Machine B Machine C Time
Delegation A mechanism to authenticate on behalf of the user to 3rd party resources Machine and account doing the delegation need to be trusted by AD Used by most Windows based web servers (i.e. SharePoint, Sites backed by SQL Server) User authenticate with the web server Service Ticket passed to the SQL server Source ip is the web server! 4769 event logged, with delegated flag set to true (ticket options field)
Cross Domain Authentication ◦ The client first authenticate with the local domain, asking for a referral ticket ◦ The referral ticket is encrypted by a inter-domain key ◦ The client sends the referral ticket to the remote domain ◦ The remote domain issues a Service Ticket granting access to the remote server
Interesting Windows Security Events

More Related Content

PPTX
Kerberos Authentication Protocol
Bibek Subedi
 
PPTX
Kerberos protocol
Ajit Dadresa
 
PPTX
Kerberos
Sutanu Paul
 
PDF
Kerberos
Sparkbit
 
PPTX
Kerberos
Rahul Pundir
 
PPT
Email Security : PGP & SMIME
Rohit Soni
 
PPTX
Trusted Platform Module (TPM)
k33a
 
PDF
Block Ciphers and the Data Encryption Standard
Dr.Florence Dayana
 
Kerberos Authentication Protocol
Bibek Subedi
 
Kerberos protocol
Ajit Dadresa
 
Kerberos
Sutanu Paul
 
Kerberos
Sparkbit
 
Kerberos
Rahul Pundir
 
Email Security : PGP & SMIME
Rohit Soni
 
Trusted Platform Module (TPM)
k33a
 
Block Ciphers and the Data Encryption Standard
Dr.Florence Dayana
 

What's hot (20)

PPTX
Kerberos
RafatSamreen
 
PDF
Nmap basics
itmind4u
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
PPT
Fundamentals of cryptography
Hossain Md Shakhawat
 
PPTX
Cryptography
Jens Patel
 
PPTX
Cryptography.ppt
Uday Meena
 
PDF
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
PPTX
Cryptography and Information Security
Dr Naim R Kidwai
 
PPT
Cryptography
gueste4c97e
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
PPTX
Public-Key Cryptography.pptx
AbdulRehman970300
 
PDF
Harnessing the Power of AI in AWS Pentesting.pdf
Mike Felch
 
PPTX
Kerberos authentication
Suraj Singh
 
PPTX
Kerberos
Sudeep Shouche
 
PPTX
Public Key Cryptography
Gopal Sakarkar
 
PPTX
RSA Algorithm
Srinadh Muvva
 
PPTX
Understanding NMAP
Phannarith Ou, G-CISO
 
PPT
Design and Simulation Triple-DES
chatsiri
 
PPTX
Block Cipher and Operation Modes
SHUBHA CHATURVEDI
 
PPTX
Diffie Hellman Key Exchange
SAURABHDHAGE6
 
Kerberos
RafatSamreen
 
Nmap basics
itmind4u
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Fundamentals of cryptography
Hossain Md Shakhawat
 
Cryptography
Jens Patel
 
Cryptography.ppt
Uday Meena
 
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Cryptography and Information Security
Dr Naim R Kidwai
 
Cryptography
gueste4c97e
 
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Public-Key Cryptography.pptx
AbdulRehman970300
 
Harnessing the Power of AI in AWS Pentesting.pdf
Mike Felch
 
Kerberos authentication
Suraj Singh
 
Kerberos
Sudeep Shouche
 
Public Key Cryptography
Gopal Sakarkar
 
RSA Algorithm
Srinadh Muvva
 
Understanding NMAP
Phannarith Ou, G-CISO
 
Design and Simulation Triple-DES
chatsiri
 
Block Cipher and Operation Modes
SHUBHA CHATURVEDI
 
Diffie Hellman Key Exchange
SAURABHDHAGE6
 
Ad

Viewers also liked (16)

PPTX
Kerberos : An Authentication Application
Vidulatiwari
 
PPTX
kerberos
sameer farooq
 
PDF
Kerberos presentation
Chris Geier
 
RTF
Kerberos case study
Mayuri Patil
 
PPT
Kerberos
Prafull Johri
 
PPTX
Kerberos survival guide-STL 2015
J.D. Wade
 
PPTX
Golden ticket, pass the ticket mi tm kerberos attacks explained
Peter Swedin
 
PPTX
Ids & ips
Lan & Wan Solutions
 
PPTX
Kerberos, Token and Hadoop
Kai Zheng
 
PDF
IDS/IPS security
Clarejenson
 
PDF
An Introduction to Kerberos
Shumon Huque
 
PPTX
Introduction to IDS & IPS - Part 1
whitehat 'People'
 
PPTX
Snort IDS/IPS Basics
Mahendra Pratap Singh
 
PDF
Kerberos Protocol
Netwax Lab
 
PDF
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
PPT
IDS and IPS
Santosh Khadsare
 
Kerberos : An Authentication Application
Vidulatiwari
 
kerberos
sameer farooq
 
Kerberos presentation
Chris Geier
 
Kerberos case study
Mayuri Patil
 
Kerberos
Prafull Johri
 
Kerberos survival guide-STL 2015
J.D. Wade
 
Golden ticket, pass the ticket mi tm kerberos attacks explained
Peter Swedin
 
Ids & ips
Lan & Wan Solutions
 
Kerberos, Token and Hadoop
Kai Zheng
 
IDS/IPS security
Clarejenson
 
An Introduction to Kerberos
Shumon Huque
 
Introduction to IDS & IPS - Part 1
whitehat 'People'
 
Snort IDS/IPS Basics
Mahendra Pratap Singh
 
Kerberos Protocol
Netwax Lab
 
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
IDS and IPS
Santosh Khadsare
 
Ad

Similar to Kerberos explained (20)

PDF
Active Directory Golden Ticket Attack Detection
IRJET Journal
 
PDF
Kerberos survival guide
J.D. Wade
 
PDF
Null talk
Agam Jain
 
PPTX
Kerberos survival guide SPS Kansas City
J.D. Wade
 
PDF
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
PPTX
Kerberos Survival Guide: SharePointalooza
J.D. Wade
 
PPTX
Kerberos Survival Guide: Columbus 2015
J.D. Wade
 
PPTX
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
PPTX
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
PPTX
SharePoint Saturday Kansas City - Kerberos Survival Guide
J.D. Wade
 
PDF
Technet.microsoft.com
Kurt Kort
 
PPTX
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group
 
PPTX
Kerberos survival guide - SPS Ozarks 2010
J.D. Wade
 
PPTX
Rakesh raj
DBNCOET
 
PPTX
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
PPTX
Kerberos Authentication Process In Windows
niteshitimpulse
 
PPTX
Crypto passport authentication
Harry Potter
 
PPTX
Crypto passport authentication
David Hoen
 
PPTX
Crypto passport authentication
Tony Nguyen
 
PPTX
Crypto passport authentication
Young Alista
 
Active Directory Golden Ticket Attack Detection
IRJET Journal
 
Kerberos survival guide
J.D. Wade
 
Null talk
Agam Jain
 
Kerberos survival guide SPS Kansas City
J.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Kerberos Survival Guide: SharePointalooza
J.D. Wade
 
Kerberos Survival Guide: Columbus 2015
J.D. Wade
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
SharePoint Saturday Kansas City - Kerberos Survival Guide
J.D. Wade
 
Technet.microsoft.com
Kurt Kort
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group
 
Kerberos survival guide - SPS Ozarks 2010
J.D. Wade
 
Rakesh raj
DBNCOET
 
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
Kerberos Authentication Process In Windows
niteshitimpulse
 
Crypto passport authentication
Harry Potter
 
Crypto passport authentication
David Hoen
 
Crypto passport authentication
Tony Nguyen
 
Crypto passport authentication
Young Alista
 

Recently uploaded (20)

PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
assetexplorer- product-overview - presentation
nonameist3434
 
Nekopoi APK 2025 free lastest update
umarali35kp
 

Kerberos explained

  • 2. Who's on First? How can Abbot authenticate that Costello is talking? How can Abbot make sure that Costello is on First?
  • 3. Kerberos the three-headed dog Authentication protocol named after a mythical three-headed dog: ◦ Key Distribution Center (KDC) ◦ The client user ◦ The accessed server Came out of MIT Adopted by MS AD to replace NTLM (and failed to do so)
  • 4. How does it work?
  • 5. How does it work? User login by entering username and password
  • 6. How does it work?
  • 7. How does it work? KDC contacts AD to authenticate the user and gather all groups he posses
  • 8. How does it work?
  • 9. How does it work? Windows Security Event 4768 event logged for the user from source ip
  • 10. How does it work? Windows Security Event 4768 event logged for the user from source ip Client machine caches the TGT This is done once per session (until TGT expiration)
  • 11. How does it work? Now the user wants to access server B
  • 12. How does it work?
  • 13. How does it work? KDC validate the request (check encryption validity)
  • 14. How does it work?
  • 15. How does it work? Windows Security Event 4769 event logged for the user from source ip to computer B
  • 16. How does it work?
  • 17. How does it work? Validate the ticket authenticity: decrypt the service ticket with computer B ticket
  • 18. So what’s new? Scalable ◦ Servers do not need to contact KDC to authenticate users ◦ Only users and machine account authenticate with the KDC, once per 10h of activity Secure ◦ Passwords are not sent over the wire ◦ Ticket based authentication based on certificates trusts Advanced Features ◦ Single Sign-On ◦ Delegation ◦ Cross Domain Authentication
  • 19. Wait, machines need to authenticate? Yes!! ◦ Need to ensure that a Service Ticket is addressed and used only by the destination computer ◦ The Service Ticket is encrypted by the machine account session key (shared with the KDC) ◦ Only the target machine can validate the Service Ticket ◦ This is why we see 4768 events and 4769 events for the machine account!
  • 20. 4769 events with source=target When a user logins to a local computer, a session is created for him: ◦ It doesn’t matter if it is a remote session, or local interactive session ◦ In both cases, the computer needs to know the user’s credentials (group membership and SID) ◦ It uses a Service Ticket addressed to the local computer to do so ◦ Works the same as if we contacted a remote servers ◦ This is why we get a 4769 event with source equals to target after each login
  • 21. 4769 with target equals domain controller? After each login, the computer needs to pull Group Policy from AD: ◦ Need to access the AD domain controller and pull the policy ◦ To do so, we need to authenticate with the domain controller ◦ Authentication is done using Kerberos, just like any server access ◦ This is why we get a 4769 event with target equals to a domain controller after each login
  • 22. So, what events are logged ? Event Type Account Source Destination 4768 Machine B Machine B 4768 Machine C Machine C 4768 User A Machine B 4769 User A Machine B Machine B 4769 User A Machine B Domain Controller 4769 User A Machine B Machine C Time
  • 23. Delegation A mechanism to authenticate on behalf of the user to 3rd party resources Machine and account doing the delegation need to be trusted by AD Used by most Windows based web servers (i.e. SharePoint, Sites backed by SQL Server) User authenticate with the web server Service Ticket passed to the SQL server Source ip is the web server! 4769 event logged, with delegated flag set to true (ticket options field)
  • 24. Cross Domain Authentication ◦ The client first authenticate with the local domain, asking for a referral ticket ◦ The referral ticket is encrypted by a inter-domain key ◦ The client sends the referral ticket to the remote domain ◦ The remote domain issues a Service Ticket granting access to the remote server