As our research team continues to find vulnerabilities in Microsoft products that bypass all major NTLM protection mechanisms, we started to wonder about the successor protocol that replaced NTLM in Windows versions above Windows 2000.
Enter Kerberos. Every child who grew up playing Dungeons and Dragons learned about the mythical creature Kerberos (also known as Cerberus in Ancient Greek mythology), a three-headed dog who guards the gates of Hell and prevents dead souls from returning to the world of the living.
While that memory is nostalgic, most security professionals know Kerberos as a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.
While this protocol is now commonplace, we need to ask ourselves: How well do we really know Kerberos?
My experience is that while some are absolute subject matter experts on Kerberos, the majority of IT professionals have a murkier understanding of it.
To test your knowledge, I've pulled together 10 facts to help you get a better understanding of Kerberos. Those of you who are already Kerberos experts can go ahead and confirm your expertise below!
- Who actually invented Kerberos and when? Kerberos is a stateless network protocol developed by MIT and licensed for distribution and modification. Kerberos started in 1979 as part of Project Athena (another mythology reference!), which aimed to protect MIT's computer networks.
- What makes Kerberos so special? Kerberos uses secret-key cryptography to provide secure communication over insecure channels. Essentially, Kerberos is a trusted third-party server that issues tickets to users so they can authenticate to systems and services.
- Which Kerberos feature made it so valuable for organizations? Although it may seem strange and perhaps somewhat naive, it became valuable because the implementations for Microsoft and Mac devices used DES encryption.
- What is a Kerberos ticket, in a nutshell? Kerberos uses tickets to authenticate and grant access. Tickets are created by a ticket granting server (TGS), which is trusted by the authentication server, for a specific service or endpoint requested by an account. A ticket serves as proof of your identity and is always encrypted with a secret key. As long as your Kerberos ticket is valid, you get access to the system or service.
- Is it a purely one-sided client/server model, or can it be used for mutual identity verification? Yes and yes. It is a mutual handshake in which the client and server can verify each other's identities. They accomplish this either by encrypting a timestamp with the joint session key, or via the challenge/response mechanism that was introduced in 2005 to address associated vulnerabilities.
- When did Microsoft officially adopt Kerberos as its default authentication protocol? In 2000, seven years after MIT released its first Microsoft implementation. Microsoft now uses its own implementation of Kerberos rather than MIT's original version. Your guess is as good as mine as to what goes into Microsoft's secret sauce.
- What is a "Pass the Ticket" attack? Attackers can use tools such as Mimikatz and Windows Credential Editor to mine Kerberos tickets from compromised user endpoints or from authorization servers. Once an attacker gets hold of these tickets, they can move laterally around the network, gain privileges and harvest information that helps them reach critical systems.
- What about the "Golden Ticket"? Is that a VIP pass? Yes, you can now go to the Chocolate Factory! Jokes aside, it is called a "Golden Ticket" because it grants indefinite creation of Kerberos ticket-granting tickets; by default such a ticket is hard-coded to grant access for 10 years (adjustable if you want).
- Are encryption keys kept unencrypted in memory during protocol use? Yes, that is a fact. Try not to think about this too much; my grandmother always claims ignorance is bliss.
- If Kerberos is supposed to be secure and widely trusted, do I still have to use strong passwords? Passwords are, unfortunately, here to stay, as they are used to encrypt the certificates. Failing to use strong passwords leaves you open to brute-force attacks.
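To make the ticket and mutual-verification facts above concrete, here is an added example (not code from the original post or from any Kerberos implementation) that simulates the service-ticket exchange in Python: the TGS seals a ticket under the service's long-term key, the client proves it holds the session key by encrypting a timestamp, and the service proves the same by returning that timestamp under the session key. The cipher, key sizes, principal names and 5-minute skew window are constructed stand-ins chosen for illustration, not Kerberos' real encryption types or wire format.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Keystream for the toy cipher: HMAC-SHA256(key, nonce || counter) blocks
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Toy authenticated encryption (constructed stand-in for Kerberos etypes, not a real cipher)
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

SKEW = 300                       # default Kerberos clock-skew tolerance (5 min)
service_key = os.urandom(32)     # long-term key shared by the KDC and the service
replay_cache = set()             # (client, timestamp) pairs already accepted

def kdc_issue_ticket(client, service, now, lifetime=600):
    # TGS step: ticket sealed under the service key, session key handed to the client
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "service": service,
                                "session_key": session_key.hex(), "expires": now + lifetime})
    return ticket, session_key

def client_authenticator(session_key, client, now):
    # AP-REQ authenticator: the client's name and timestamp under the joint session key
    return seal(session_key, {"client": client, "ts": now})

def service_verify(ticket, authenticator, now):
    # AP-REP: check ticket and authenticator, then echo the timestamp under the session key
    t = unseal(service_key, ticket)
    if t["expires"] < now:
        raise PermissionError("ticket expired")
    sk = bytes.fromhex(t["session_key"])
    a = unseal(sk, authenticator)
    if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
        raise PermissionError("name mismatch or clock skew")
    if (a["client"], a["ts"]) in replay_cache:
        raise PermissionError("replayed authenticator")
    replay_cache.add((a["client"], a["ts"]))
    return seal(sk, {"ts": a["ts"]})

def client_verify(session_key, ap_rep, sent_ts):
    # Client side of mutual auth: only a holder of the session key could reply correctly
    return unseal(session_key, ap_rep)["ts"] == sent_ts
```

The replay cache and skew check are what stop a captured authenticator from being reused, which is why clock synchronization with the domain controller matters operationally.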
OK, for the mega-Kerberos fanatic, let's add a bonus question:
- What happens if the Kerberos authentication server is down? The authentication system will be out of service. This is one of the things that makes them so attractive, and the reason why there are so many in each deployment.
I hope these fun facts helped you learn a bit more about Kerberos, the replacement protocol for NTLM. While it is not perfect, it is a much safer authentication protocol than NTLM, and we encourage you to reduce the usage of NTLM in your network.
Curious about what protocols are being used in your network? Try out Preempt Lite for free to quickly discover what is going on in your environment!