
Kerberos Authentication Explained.

Imagine you’re planning a huge day at Universal Studios Singapore (USS). To make the park run smoothly and keep everyone safe, they use a super-smart "Secret Ticket" system so you don't have to carry your passport around to every single ride.

The Master Guest List (Active Directory)
Before you even leave your house, your parents go online and register you for the park. They create a profile with your name and a Secret Password. The park’s main computer (the Master Ledger) saves your name and a "scrambled" version of your password. Because USS has many different gates and offices, they "sync" this list to every single computer in the park. This ensures that no matter which entrance you walk toward, the staff there already knows your name and has a copy of your secret handshake.
The Front Gate (The Authentication Service)
When you arrive at the USS entrance, you don't actually tell the staff your password—because if a "bad guy" is standing behind you, they might overhear it. Instead, you use your password to lock a small box with a note inside that says "I’m here!" and hand it to the gatekeeper. The gatekeeper looks up your name on their list, uses their copy of your secret handshake to open the box, and sees your note. Since only you could have locked that box, they know it’s really you. Instead of making you do this for every ride, they slap a high-tech USS Wristband on you. This wristband is special because it’s sealed with a lock that only the park’s staff can open. You can’t open it, and you can't change the name on it.
The Sci-Fi City Kiosk (The Ticket Granting Service)
Now you’re inside the park and you want to ride Transformers. You don't go back to the front gate; you just walk up to a small Ticket Kiosk near the ride. You show them your USS Wristband. The staff at the kiosk uses their special key to unlock the wristband, sees that the Front Gate already verified you, and hands you a specific Transformers Ride Pass. This pass is also inside a sealed envelope, but this one is locked with a key that only the Transformers Ride Operator has. You are basically a messenger carrying a secret note that you can't even read yourself!
The Ride Entrance (The Application Server)
Finally, you reach the front of the line for Transformers. You hand that sealed envelope to the Ride Operator. They use their specific key to open it, see your name inside, and see a "Today's Date" stamp. Because the envelope was sealed by the Kiosk and hasn't expired yet, they know you are allowed to be there. Sometimes, to be extra safe, the operator will give you a secret nod to prove they are a real USS employee and not a "Cylon" in disguise. They open the gate, and you’re on the ride!
Note that your Password was only used once at the very start of the day. For the rest of your time at USS, you just used your wristband and your ride passes. If someone swipes a ride pass, it only works for that one ride and only until it expires; they can't rewrite the name inside it, and they can't take it back to the Master Guest List to change your account. Everything is kept safe using these "locked envelopes" that move from the Gate, to the Kiosk, and finally to the Ride!

Let’s deep dive into the technical details.

The entire Kerberos process begins long before a user ever attempts to log in. In a Windows environment, the administrative setup involves creating a User Object in Active Directory, which is stored in the NTDS.DIT database file on the Domain Controller. During this creation, the system takes the user's chosen password and derives Long-Term Keys from it with one-way functions (the NT hash used by RC4-HMAC, and salted, PBKDF2-derived keys used by the AES encryption types); the password itself is not stored. Such a key is the foundational "secret" shared between the user and the Domain Controller: the user's workstation re-derives it from the typed password at logon, and it is never transmitted across the network. Because Active Directory uses replication, this user object and its keys are synchronized to all Domain Controllers in the environment, so any of them can act as the Key Distribution Center (KDC) when the user finally shows up to work.
The Authentication Service (AS) Exchange
When the user finally sits down to log in, the Authentication Service (AS) exchange begins. The user’s computer does not send the password to the Domain Controller; instead, it performs "pre-authentication" by encrypting the current system time with the user's Long-Term Key and sending that encrypted blob to the DC in the AS-REQ. The DC looks up the user in its database, retrieves the matching key, and attempts to decrypt the timestamp. If the decryption succeeds and the time is within the allowed clock skew (five minutes by default), the DC is satisfied that the user holds the password. In the AS-REP it returns two things: a Logon Session Key, encrypted with the user's Long-Term Key so that only the user can read it, and a Ticket Granting Ticket (TGT). The TGT is a data structure containing the user's identity and, in the Privilege Attribute Certificate (PAC), the user's group memberships; it is encrypted with the key of the krbtgt account, which only the Domain Controllers hold. This ensures the user can hold the ticket but cannot modify their own permissions, such as adding themselves to the Domain Admins group, because they do not possess the key required to reseal it. The flip side is that anyone who obtains the krbtgt key can mint TGTs with any identity and group memberships they like, which is why that key is the most sensitive secret in the domain.
The Ticket Granting Service (TGS) Exchange
Once the user is authenticated and holds a TGT, they may eventually need to access a specific resource, such as a file share on a separate server. This triggers the Ticket Granting Service (TGS) exchange. The user's computer sends the encrypted TGT back to the Domain Controller, together with the Service Principal Name (SPN) of the requested service and an authenticator encrypted with the Logon Session Key, which proves the sender is the party the TGT was issued to and not someone replaying a captured ticket. The DC uses the krbtgt key to open the TGT, checks that it has not expired, and then creates a Service Ticket for that file server; it trusts the identity and group information inside the TGT rather than re-evaluating it from the directory. This Service Ticket is encrypted with the long-term key of the account that owns the SPN, normally the server's computer account or a dedicated service account, and the DC also sends the client a copy of the new Service Session Key, encrypted with the Logon Session Key. The user receives the Service Ticket as an opaque blob and passes it along to the file server during the Application (AP) exchange. Because the file server shares that long-term key with the Domain Controller, it can decrypt the ticket locally to see the user's identity and the Session Key provided by the DC. One consequence worth noting: any authenticated user can request a Service Ticket for any registered SPN, so a service account with a weak password exposes its tickets to offline password guessing.
The Application (AP) Exchange and Mutual Authentication
The final stage occurs when the client presents the Service Ticket, along with a fresh authenticator encrypted with the Service Session Key, to the target resource. Because the file server possesses its own long-term key (shared with the DC), it can decrypt the Service Ticket without contacting the Domain Controller at that moment. Inside the ticket, the server finds the user's identity, group memberships and the temporary Session Key, and it uses that key to decrypt the authenticator and confirm that its timestamp falls within the skew window. To ensure that the server itself is not an impostor, the client can request mutual authentication, in which case the server encrypts the timestamp from the client's authenticator with the same Session Key and sends it back in the AP-REP; only a server holding the real service key could have opened the ticket and recovered that Session Key. This architecture is stateless for the target server: it trusts any ticket it can decrypt with its own key and that passes its checks. That is an efficiency win, but it also means a server whose long-term key has been compromised will accept forged tickets unless it validates the PAC with the DC. Replay of captured traffic is prevented by the short validity window on authenticator timestamps, which servers may reinforce with a replay cache, and by session keys that are unique to each ticket.
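To make the three exchanges concrete, here is an added worked model in Python. It is not code from the original post, from Windows or from any Kerberos implementation: a toy encrypt-then-MAC "seal" stands in for Kerberos' real encryption types (AES256-CTS-HMAC-SHA1-96, RC4-HMAC) so that the point about who can open what (user key, krbtgt key, service key, session keys) is visible, and the realm CORP.EXAMPLE, the user alice, the SPN cifs/fs01, the passwords and the 10-hour lifetime are assumed values. The demo walks a login through AS, TGS and AP with mutual authentication, then shows three rejections: a wrong password (the pre-auth box cannot be opened), a timestamp outside the five-minute window, and a TGT whose body the user tampered with.

```python
# Toy model of the AS, TGS and AP exchanges. Added illustration, not Windows' or MIT Kerberos'
# code: seal()/unseal() stand in for the real encryption types and only show WHO can open WHAT.
import hashlib, hmac, json, os, time

SKEW = 300           # the 5-minute clock-skew window the text describes
TICKET_LIFE = 36000  # 10 hours, the Windows default ticket lifetime (assumed for the demo)

def derive_key(password, realm, principal):
    # Kerberos' AES string-to-key also starts from PBKDF2 salted with REALM+principal;
    # the AES-specific final steps are omitted in this toy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("KRB_AP_ERR_BAD_INTEGRITY: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:   # Domain Controller: holds every principal's long-term key, as NTDS.DIT does
    def __init__(self, realm):
        self.realm, self.keys, self.groups = realm, {"krbtgt": os.urandom(32)}, {}
    def register(self, principal, password, groups=()):
        self.keys[principal] = derive_key(password, self.realm, principal)
        self.groups[principal] = list(groups)
    def as_exchange(self, cname, pa_enc_timestamp):
        key = self.keys[cname]
        ts = unseal(key, pa_enc_timestamp)["ts"]             # wrong password -> MAC fails
        if abs(time.time() - ts) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        skey, end = os.urandom(32).hex(), time.time() + TICKET_LIFE
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "groups": self.groups[cname],
                                         "skey": skey, "end": end})
        return tgt, seal(key, {"skey": skey, "end": end})    # enc-part: only the user can read it
    def tgs_exchange(self, tgt, authenticator, spn):
        t = unseal(self.keys["krbtgt"], tgt)    # contents are trusted once the krbtgt seal checks out
        a = unseal(bytes.fromhex(t["skey"]), authenticator)  # caller must hold the session key
        if time.time() > t["end"] or a["cname"] != t["cname"] or abs(time.time() - a["ts"]) > SKEW:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED / BADMATCH / SKEW")
        svc_skey, end = os.urandom(32).hex(), time.time() + TICKET_LIFE
        st = seal(self.keys[spn], {"cname": t["cname"], "groups": t["groups"],
                                   "skey": svc_skey, "end": end})   # sealed with the SPN owner's key
        return st, seal(bytes.fromhex(t["skey"]), {"skey": svc_skey})

class Service:   # application server: owns its long-term key and never calls the DC
    def __init__(self, realm, spn, password):
        self.key = derive_key(password, realm, spn)
    def ap_exchange(self, service_ticket, authenticator):
        st = unseal(self.key, service_ticket)    # anything sealed with this key is accepted
        skey = bytes.fromhex(st["skey"])
        a = unseal(skey, authenticator)
        if time.time() > st["end"] or abs(time.time() - a["ts"]) > SKEW:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED / SKEW")
        return st["cname"], st["groups"], seal(skey, {"ts": a["ts"]})   # AP-REP: mutual auth

class Client:
    def __init__(self, kdc, cname, password):
        self.kdc, self.cname = kdc, cname
        self.key = derive_key(password, kdc.realm, cname)   # the password is used only here
    def login(self, ts=None):
        ts = time.time() if ts is None else ts
        self.tgt, enc = self.kdc.as_exchange(self.cname, seal(self.key, {"ts": ts}))
        self.skey = bytes.fromhex(unseal(self.key, enc)["skey"])
    def access(self, spn, service):
        auth = seal(self.skey, {"cname": self.cname, "ts": time.time()})
        st, enc = self.kdc.tgs_exchange(self.tgt, auth, spn)
        skey, ts = bytes.fromhex(unseal(self.skey, enc)["skey"]), time.time()
        cname, groups, ap_rep = service.ap_exchange(st, seal(skey, {"ts": ts}))
        return cname, groups, unseal(skey, ap_rep)["ts"] == ts   # True iff the server holds the key

def rejected(fn):
    """True if the KDC or service refuses the attempt with a Kerberos-style error."""
    try:
        fn()
        return False
    except PermissionError:
        return True

def run_demo():
    kdc = KDC("CORP.EXAMPLE")                                  # assumed realm
    kdc.register("alice", "Winter2024!", ["Domain Users"])     # assumed test user
    kdc.register("cifs/fs01", "S3rvice-Acct-Pw!")              # assumed file-server SPN
    fs01 = Service("CORP.EXAMPLE", "cifs/fs01", "S3rvice-Acct-Pw!")
    alice = Client(kdc, "alice", "Winter2024!")
    alice.login()
    tampered = alice.tgt[:40] + bytes([alice.tgt[40] ^ 1]) + alice.tgt[41:]   # user edits the TGT body
    auth = seal(alice.skey, {"cname": "alice", "ts": time.time()})
    return {"access": alice.access("cifs/fs01", fs01),
            "bad_pw_rejected": rejected(Client(kdc, "alice", "wrong").login),
            "stale_rejected": rejected(lambda: Client(kdc, "alice", "Winter2024!").login(time.time() - 600)),
            "tamper_rejected": rejected(lambda: kdc.tgs_exchange(tampered, auth, "cifs/fs01"))}
```

Calling run_demo() returns the identity and groups the file server saw, True for the mutual-authentication check, and True for each of the three rejections. Note where the trust boundaries sit: the user's key is used once, in the client; the krbtgt key never leaves the KDC; the service key is held by the KDC and the service only; and the application server decides with nothing but its own key, which is exactly why a leaked service key or krbtgt key is so damaging in a real domain.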


