Kerberos is a network authentication protocol designed to provide strong mutual authentication between clients and services over an insecure network. Developed at MIT, it is the default authentication mechanism in Microsoft Active Directory environments and is widely used across enterprise infrastructure.
How It Works
Kerberos relies on a trusted third party called the Key Distribution Center (KDC), made up of two logical services: the Authentication Server (AS) and the Ticket Granting Server (TGS). In Active Directory every domain controller runs a KDC, and the TGS's secret key is the key of the built-in krbtgt account. The protocol uses symmetric-key cryptography and time-limited tickets: the user's password itself never crosses the network; the client and the KDC each derive the user's long-term key from it and prove knowledge of that key by encrypting and decrypting messages.
When a user logs in, the client sends an AS-REQ to the AS. With pre-authentication enabled (the default), the request carries a timestamp encrypted with the user's key; the AS decrypts it with its own copy of that key and rejects the request if the timestamp is outside the allowed clock skew. The AS-REP contains two things: a Ticket Granting Ticket (TGT), encrypted with the krbtgt key so that only the KDC can read it, and a session key encrypted with the user's key. The client cannot read the TGT but stores it, together with the session key, for later use. When the user needs a specific service, the client sends a TGS-REQ containing the TGT plus an authenticator (the user name and a fresh timestamp, encrypted with the session key). The TGS decrypts the TGT, checks the authenticator against it, and returns a TGS-REP with a service ticket encrypted with the target service's secret key plus a new service session key encrypted for the client. Finally the client sends an AP-REQ to the service: the service ticket and another authenticator under the service session key. The service decrypts the ticket with its own key, verifies the authenticator, and grants access; if mutual authentication was requested it answers with an AP-REP that proves it, too, holds the key.
Every ticket carries a lifetime (ten hours by default in Active Directory), and the protocol depends on synchronized clocks: by default a KDC or service rejects authenticators whose timestamp differs from its own clock by more than five minutes (the client receives KRB_AP_ERR_SKEW). Ticket expiry bounds how long a stolen ticket stays usable; the authenticator timestamps, combined with a server-side replay cache of recently seen authenticators, are what defeat replay attacks, where an adversary captures a valid exchange and re-sends it.
Common Attacks
Several well-known attacks target Kerberos. Kerberoasting abuses the fact that any authenticated domain user can request a service ticket for any account with a Service Principal Name (SPN): the ticket is encrypted with a key derived from that service account's password, so the attacker takes the ticket offline and guesses passwords until one decrypts it. Tickets issued with RC4 (encryption type 23) are far cheaper to crack than AES ones. AS-REP roasting targets accounts flagged "Do not require Kerberos preauthentication": the attacker asks the AS for a TGT on their behalf without proving the password, and the portion of the AS-REP encrypted with the user's key can then be cracked offline in the same way. Golden ticket attacks use the krbtgt account's key (usually taken from a domain controller via DCSync or NTDS.dit) to forge TGTs for any user with any group membership, effectively unlimited domain access until krbtgt is rotated. Silver ticket attacks forge service tickets with a single service account's key; because a forged service ticket is presented straight to the service, the KDC never sees it and logs nothing. Pass-the-ticket attacks steal valid tickets from memory (typically LSASS) and reuse them from another host for as long as they remain valid.
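The following is an added example, not code from the original page: a Python model of the AS, TGS and AP exchanges described under How It Works, followed by the offline guessing step behind Kerberoasting. The HMAC-based keystream and tag, the string-to-key function, the principal names, the passwords and the lifetime and skew constants are all assumptions standing in for real Kerberos encryption types and AD settings; what the model preserves is who holds which key, which messages are opaque to whom, and why a weak service account password can be recovered from a ticket without touching the KDC again.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300             # seconds; assumed, matches the usual 5-minute default
TICKET_LIFETIME = 10 * 3600  # seconds; assumed, matches the AD default of 10 hours


def string_to_key(password):
    # Stand-in for the real string-to-key function (no salt, no iterations).
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key, obj):
    """Toy encrypt-then-MAC; NOT a Kerberos etype, just enough to run the flow."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """AS and TGS in one object; the 'krbtgt' key seals every TGT."""

    def __init__(self, passwords):
        self.keys = {name: string_to_key(pw) for name, pw in passwords.items()}

    def as_exchange(self, user, preauth, now):
        # AS-REQ pre-authentication: a timestamp encrypted under the user's key.
        # An account with pre-auth disabled would skip this check (AS-REP roasting).
        if abs(decrypt(self.keys[user], preauth)["timestamp"] - now) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside clock skew")
        sk = os.urandom(16).hex()  # TGT session key shared by client and TGS
        tgt = encrypt(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": now + TICKET_LIFETIME})
        # AS-REP: the TGT (opaque to the client) plus the session key under the user's key
        return tgt, encrypt(self.keys[user], {"sk": sk})

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = decrypt(self.keys["krbtgt"], tgt)  # only the KDC can open a TGT
        auth = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if (now > t["exp"] or auth["user"] != t["user"]
                or abs(auth["timestamp"] - now) > CLOCK_SKEW):
            raise PermissionError("expired TGT or bad authenticator")
        ssk = os.urandom(16).hex()  # service session key
        st = encrypt(self.keys[service], {"user": t["user"], "sk": ssk, "exp": now + TICKET_LIFETIME})
        # TGS-REP: service ticket sealed with the service's key, session key for the client
        return st, encrypt(bytes.fromhex(t["sk"]), {"sk": ssk})


class Service:
    """Application server: checks AP-REQ tickets with its own long-term key."""

    def __init__(self, password):
        self.key = string_to_key(password)
        self.replay_cache = set()  # real servers key this on client name and timestamp

    def ap_exchange(self, ticket, authenticator, now):
        t = decrypt(self.key, ticket)
        auth = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if now > t["exp"] or abs(auth["timestamp"] - now) > CLOCK_SKEW:
            raise PermissionError("expired ticket or authenticator outside clock skew")
        if authenticator in self.replay_cache:  # same bytes seen inside the skew window
            raise PermissionError("replayed authenticator")
        self.replay_cache.add(authenticator)
        return t["user"]


def login_and_access(kdc, user, password, service, now):
    """Client side: AS exchange, TGS exchange, then the AP-REQ for the service."""
    ukey = string_to_key(password)
    tgt, rep = kdc.as_exchange(user, encrypt(ukey, {"timestamp": now}), now)
    sk = bytes.fromhex(decrypt(ukey, rep)["sk"])  # the client never decrypts the TGT itself
    st, rep2 = kdc.tgs_exchange(tgt, encrypt(sk, {"user": user, "timestamp": now}), service, now)
    ssk = bytes.fromhex(decrypt(sk, rep2)["sk"])
    return st, encrypt(ssk, {"user": user, "timestamp": now})


def kerberoast(service_ticket, wordlist):
    """Offline step of Kerberoasting: the ticket is sealed with the service account's
    password-derived key, so a guess whose key verifies the ticket is the password."""
    for guess in wordlist:
        try:
            decrypt(string_to_key(guess), service_ticket)
            return guess
        except ValueError:
            continue
    return None


def demo():
    now = 1_700_000_000  # constructed "current time"; clocks are assumed in sync
    # Constructed principals; svc_sql deliberately has a weak, human-chosen password.
    kdc = KDC({"krbtgt": os.urandom(32).hex(), "alice": "c0rrect-h0rse-b@ttery",
               "svc_sql": "Summer2023"})
    sql = Service("Summer2023")
    ticket, ap_req = login_and_access(kdc, "alice", "c0rrect-h0rse-b@ttery", "svc_sql", now)
    user = sql.ap_exchange(ticket, ap_req, now)  # -> "alice"
    try:
        sql.ap_exchange(ticket, ap_req, now)     # captured AP-REQ re-sent: rejected
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    cracked = kerberoast(ticket, ["Password1", "Welcome1", "Summer2023"])  # -> "Summer2023"
    return user, replay_blocked, cracked


if __name__ == "__main__":
    print(demo())
```

Note that kerberoast() never contacts the KDC or the service: one TGS-REQ per SPN is all the attacker needs, after which the guessing is limited only by hardware. The replay cache here keys on the raw authenticator bytes, which is enough for the demonstration; a real implementation indexes on client principal and timestamp and only needs to remember entries for the skew window.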
Why It Matters
Kerberos is the backbone of authentication in most enterprise networks. Weaknesses in its configuration, such as weak or never-rotated service account passwords, accounts with pre-authentication disabled, RC4 still permitted, or a krbtgt key that has not been rotated since the domain was built, give attackers paths to domain-wide compromise. The corresponding controls are long random passwords or group Managed Service Accounts for anything with an SPN, pre-authentication enforced everywhere, AES-only encryption types, a krbtgt rotation (done twice, so that both retained keys change) after any suspected compromise, and monitoring of ticket requests for unusual encryption types or volumes. Understanding Kerberos is essential for anyone assessing or defending Active Directory environments.