AD Authentication Mechanisms

Level: intermediate | Duration: 35 min | Format: Writeup

NTLM, Kerberos, and how Windows authenticates users

Learning Objectives

  • Understand NTLM authentication
  • Learn Kerberos protocol
  • Identify authentication weaknesses
  • Understand ticket-based authentication

When you type your password at a Windows login screen, a complex dance of cryptographic protocols begins. Understanding this dance - how Windows authenticates users - is key to attacking it. Active Directory uses two main protocols: NTLM and Kerberos.

Think of authentication like getting into an exclusive club. NTLM is like showing your ID at the door each time. Kerberos is like getting a VIP wristband that proves who you are all night.

Why Both Protocols?

NTLM is legacy but still used for fallback and local authentication. Kerberos is preferred in AD environments. Both are attackable in different ways.

NTLM Authentication

NT LAN Manager (NTLM) is the older Windows authentication protocol. It uses a challenge-response mechanism.

NTLM Hash

Windows stores passwords as NTLM hashes (MD4 of UTF-16LE password). No salt, so same password = same hash everywhere.

```text
Password: Password123
NTLM Hash: 2b576acbe6bcfda7294d6bd18041307e

The hash is calculated as:
MD4(UTF-16LE(password))
```

NTLM Authentication Flow

```text
1. Client sends username to server
   Client --> "Username: jsmith" --> Server

2. Server sends random challenge (8 bytes)
   Client <-- "Challenge: 0x1234567890ABCDEF" <-- Server

3. Client computes a response over the challenge using its NTLM hash
   Response = HMAC-MD5(NTLM_Hash, Challenge + ...)

4. Client sends response (the hash itself never leaves the client)
   Client --> "Response: 0x..." --> Server

5. Server verifies with DC (or local SAM)
   Server --> DC: "Is this response valid for jsmith?"
   Server <-- DC: "Yes/No"
```

NTLM Weaknesses

  • No mutual authentication (can be relayed)
  • Hash = password equivalent (Pass-the-Hash)
  • Challenge-response can be captured and cracked (NTLMv2)
  • Weak hashing algorithm (no salt)

NTLMv1 vs NTLMv2

  • NTLMv1: Older, very weak, easily cracked offline
  • NTLMv2: Stronger, includes client challenge, but still crackable
```bash
# Crack NTLMv2 hash (captured via Responder)
hashcat -m 5600 hash.txt wordlist.txt

# NTLM hash (from SAM/NTDS)
hashcat -m 1000 hash.txt wordlist.txt
```
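The challenge/response flow above and the NTLMv2 weaknesses it leads to, worked as an added example (not code from the original page): the client derives the NTLMv2 key from its NT hash, answers the server's 8-byte challenge with a 16-byte HMAC-MD5 proof, and the DC verifies by recomputing the same proof from the stored hash. The NT hash constant is the value printed on this page; the blob layout is a simplified version of the NTLMv2 one and the nonces are constructed.

```python
import hashlib
import hmac
import os
import struct
import time

# NT hash for "Password123" as printed on this page; in practice MD4(UTF-16LE(password)).
NT_HASH = bytes.fromhex("2b576acbe6bcfda7294d6bd18041307e")

def ntlmv2_key(nt_hash: bytes, username: str, domain: str) -> bytes:
    """NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(uppercase(user) + domain)).
    Only the hash is needed, never the password: this is why the hash is password-equivalent."""
    ident = (username.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()

def make_blob(client_nonce: bytes, target_info: bytes) -> bytes:
    """Simplified NTLMv2 blob: version bytes, FILETIME timestamp, client nonce, target info."""
    filetime = (int(time.time()) + 11644473600) * 10_000_000  # 100 ns ticks since 1601
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(nt_hash, username, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """Step 3 (client): NTProofStr = HMAC-MD5(NTLMv2 key, server challenge + blob)."""
    key = ntlmv2_key(nt_hash, username, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def verify_response(nt_hash, username, domain, server_challenge, blob, proof: bytes) -> bool:
    """Step 5 (DC or local SAM): recompute from the stored hash and compare.
    The same recomputation, run over a wordlist, is what offline cracking of a captured
    challenge/response does, so a captured exchange must be treated as a leaked hash."""
    expected = ntlmv2_response(nt_hash, username, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)

def exchange(username: str, domain: str, client_hash: bytes, stored_hash: bytes) -> bool:
    """Whole round trip: the server picks the 8-byte challenge (step 2), the client
    answers with the 16-byte proof (steps 3-4), the DC verifies it (step 5)."""
    server_challenge = os.urandom(8)
    blob = make_blob(os.urandom(8), domain.encode("utf-16-le"))
    proof = ntlmv2_response(client_hash, username, domain, server_challenge, blob)
    return verify_response(stored_hash, username, domain, server_challenge, blob, proof)
```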

Kerberos Authentication

Kerberos is the preferred authentication protocol in AD. It uses tickets instead of passwords, providing single sign-on across the domain.

Key Components

  • KDC (Key Distribution Center): Runs on DC, issues tickets
  • TGT (Ticket Granting Ticket): Proves identity, gets service tickets
  • TGS (Ticket Granting Service): Issues service tickets
  • Service Ticket: Grants access to specific service
  • KRBTGT: Account whose hash encrypts all TGTs

Kerberos Authentication Flow

```text
Step 1: AS-REQ (Authentication Service Request)
   Client --> KDC: "I'm jsmith, give me a TGT"
   (Contains timestamp encrypted with user's hash)

Step 2: AS-REP (Authentication Service Response)
   Client <-- KDC: "Here's your TGT"
   (TGT encrypted with KRBTGT hash - client can't read)

Step 3: TGS-REQ (Ticket Granting Service Request)
   Client --> KDC: "I want to access SQL server" + TGT
   (TGT proves identity)

Step 4: TGS-REP (Ticket Granting Service Response)
   Client <-- KDC: "Here's your service ticket for SQL"
   (Service ticket encrypted with SQL server's hash)

Step 5: AP-REQ (Application Request)
   Client --> SQL Server: "Here's my ticket, let me in"
   (Server decrypts ticket with its own hash)
```

Why This Matters for Attacks

  • AS-REP Roasting: If pre-auth disabled, anyone can request TGT
  • Kerberoasting: Any user can request service tickets and crack offline
  • Golden Ticket: With KRBTGT hash, forge any TGT
  • Silver Ticket: With service hash, forge tickets for that service
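The five-step flow above and the key dependencies behind the attacks just listed, as an added model (not code from the original page): each "encrypted with X's hash" is modelled as a JSON body plus an HMAC-SHA256 tag under X's key, which keeps the property that matters here, namely which key is needed to mint or accept each ticket. The realm, account names, SPN and keys are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed keys standing in for account password hashes in a toy realm.
USER_KEYS = {"jsmith": b"jsmith-nt-hash"}
SERVICE_KEYS = {"MSSQLSvc/sql01.corp.local:1433": b"sql-service-account-hash"}
KRBTGT_KEY = b"krbtgt-hash"

def seal(key: bytes, fields: dict) -> bytes:
    """Model of 'encrypted with key': JSON body followed by an HMAC-SHA256 tag."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key: bytes, ticket: bytes):
    """Return the ticket fields if the tag verifies under key, otherwise None."""
    body, _, tag = ticket.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None

def as_exchange(user: str, preauth: bytes) -> bytes:
    """Steps 1-2: check pre-auth (timestamp sealed with the user's key), issue a TGT
    under KRBTGT_KEY. Without pre-auth this check is skipped, which enables AS-REP roasting."""
    if unseal(USER_KEYS[user], preauth) is None:
        raise PermissionError("pre-authentication failed")
    return seal(KRBTGT_KEY, {"type": "TGT", "user": user})

def tgs_exchange(tgt: bytes, spn: str) -> bytes:
    """Steps 3-4: the KDC accepts any TGT that verifies under KRBTGT_KEY (it does not
    re-check the user), then seals a service ticket with the key of the SPN's account."""
    fields = unseal(KRBTGT_KEY, tgt)
    if fields is None or fields.get("type") != "TGT":
        raise PermissionError("TGT was not issued with this realm's krbtgt key")
    return seal(SERVICE_KEYS[spn], {"type": "ST", "user": fields["user"], "spn": spn})

def service_accepts(spn: str, ticket: bytes) -> bool:
    """Step 5: the service validates with only its own key and never contacts the KDC."""
    fields = unseal(SERVICE_KEYS[spn], ticket)
    return fields is not None and fields.get("spn") == spn

def login_and_access(user: str, spn: str) -> bool:
    """Full flow for a legitimate client that knows its own key."""
    preauth = seal(USER_KEYS[user], {"timestamp": int(time.time())})
    tgt = as_exchange(user, preauth)
    return service_accepts(spn, tgs_exchange(tgt, spn))
```

Because every check reduces to "does this ticket verify under one key", compromise of KRBTGT_KEY lets the model issue TGTs for any user, and compromise of a service key lets it issue tickets that service accepts, which is exactly the Golden and Silver Ticket dependency listed above.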

Service Principal Names (SPNs)

SPNs identify service instances. They're how Kerberos knows which service account's hash to use for encrypting tickets.

```text
SPN Format: service/hostname:port
Examples:
├── MSSQLSvc/sql01.corp.local:1433
├── HTTP/web01.corp.local
├── CIFS/fileserver.corp.local
└── HOST/workstation01.corp.local

# Accounts with SPNs are Kerberoastable!
```

Password Storage

Local: SAM Database

```text
Location: C:\Windows\System32\config\SAM
Contents: Local user NTLM hashes
Protection: SYSTEM hive encryption
Attack: reg save, mimikatz, secretsdump
```

Domain: NTDS.dit

```text
Location: C:\Windows\NTDS\NTDS.dit (on DCs)
Contents: All domain user NTLM hashes, Kerberos keys
Protection: PEK (Password Encryption Key) from SYSTEM
Attack: DCSync, Volume Shadow Copy, ntdsutil
```

Memory: LSASS

```text
Process: lsass.exe (Local Security Authority)
Contents: Logged-in users' credentials
├── NTLM hashes
├── Kerberos tickets
├── Plaintext passwords (sometimes!)
└── SSP credentials
Attack: Mimikatz sekurlsa::logonpasswords
```

Authentication Attacks Overview

Attack           Target     Requirement
Pass-the-Hash    NTLM       NTLM hash
NTLM Relay       NTLM       MITM position
Kerberoasting    Kerberos   Any domain user
AS-REP Roasting  Kerberos   List of users
Golden Ticket    Kerberos   KRBTGT hash
Pass-the-Ticket  Kerberos   Kerberos ticket

Knowledge Check

Quick Quiz

What is the KRBTGT account used for?

Challenges

Authentication Analysis

Difficulty: intermediate

Capture authentication traffic with Wireshark and identify: which protocol was used (NTLM or Kerberos), the username, and the domain.


Key Takeaways

  • NTLM uses challenge-response; hash = password equivalent
  • Kerberos uses tickets for single sign-on
  • TGT proves identity; service tickets grant access to services
  • KRBTGT hash is the master key for all Kerberos tickets
  • SPNs make accounts vulnerable to Kerberoasting
  • Credentials stored in SAM (local), NTDS.dit (domain), LSASS (memory)