
Kerberos

Summary of Active Directory Communication Protocols

Kerberos

Kerberos has been the default authentication protocol for domain accounts in Active Directory since Windows 2000. It is a ticket-based system: neither the user's password nor the key derived from it is ever sent over the network, only proof of possession. The authentication process, in outline:

  1. The user encrypts a timestamp with a key derived from their password (pre-authentication) and sends it to the Key Distribution Center (KDC), which runs on every domain controller.

  2. The KDC decrypts the timestamp with the user's key stored in the directory, checks it is current, and issues a Ticket Granting Ticket (TGT).

  3. The user presents the TGT to request a service ticket for a specific service (the TGS exchange).

  4. The service validates the service ticket with its own key and grants access.

Kerberos operates on port 88 (TCP/UDP) and is crucial for secure authentication.


🔐 Kerberos Authentication Workflow

Kerberos uses a trusted third party called the Key Distribution Center (KDC). In Active Directory the KDC service runs on every domain controller and contains two logical roles:

  • Authentication Server (AS) – Verifies user identity and issues the Ticket Granting Ticket (TGT).

  • Ticket Granting Server (TGS) – Issues service-specific tickets in exchange for a valid TGT.


🎯 Objective

Allow a user to securely authenticate to a service (e.g., database, file server) without sending passwords over the network.


📚 Step-by-Step Workflow

🧍 Step 1: User Login → Request for TGT (AS-REQ)

  • User types username/password; the client derives the user's long-term key from the password.

  • The client sends a request to the Authentication Server (AS):

    • Contains the username (and the service being requested, krbtgt).

    • Includes pre-authentication data: the current timestamp encrypted with the user's key. Without pre-authentication, anyone could request a TGT for that user and take the reply away to crack offline (AS-REP roasting), which is why it is enabled by default.

Client → AS: [UserID, enc(timestamp, user_key)]

🪪 Step 2: Authentication Server Responds (AS-REP)

  • AS decrypts the timestamp with the user's key from the directory and checks it is within the allowed clock skew (5 minutes by default).

  • If valid, AS sends back:

    • TGT (Ticket Granting Ticket): Encrypted with the KDC's own key, i.e. the key of the krbtgt account, so only the KDC can read or alter it.

    • Session key: Encrypted with the user's key, so only the real user can recover it.

AS → Client: [TGT, SessionKey (encrypted)]

🔒 TGT is opaque to the client and used for getting service tickets from the TGS.


📜 Step 3: Request Service Ticket (TGS-REQ)

  • When the user wants to access a service (e.g., RDS, FSx), identified by its Service Principal Name (SPN):

    • Client sends TGT + SPN + Authenticator to TGS.
Client → TGS: [TGT, SPN, Authenticator]

🧠 Authenticator: A structure that proves the user has the session key (the client name and a timestamp encrypted with the session key). The KDC rejects an Authenticator whose timestamp is outside the clock-skew window, which limits replay of captured requests.


🎟️ Step 4: Ticket Granting Server Responds (TGS-REP)

  • TGS decrypts the TGT with the krbtgt key, decrypts the Authenticator with the session key found inside the TGT, and checks that both name the same user and that the TGT has not expired.

  • If valid:

    • Sends a Service Ticket (encrypted with the key of the account that owns the SPN) + a new session key for that service (encrypted with the TGT session key).
TGS → Client: [Service Ticket, Service Session Key]

The KDC does not check whether the user is allowed to use the service; authorization is the service's job once the ticket is presented. This is why any authenticated domain user can request a ticket for any SPN, the behaviour Kerberoasting relies on.

🧑‍💻 Step 5: Access the Service (AP-REQ)

  • Client sends the Service Ticket + a new Authenticator (encrypted with the service session key) to the Service Server (SS).
Client → Service: [Service Ticket, Authenticator]

The service uses its own secret key to decrypt the ticket, recovers the service session key from it, and validates the Authenticator. No contact with the KDC is needed at this step.


✅ Step 6: Service Grants Access (AP-REP)

  • If everything checks out, the service responds:

    • Optionally sends an acknowledgment (the Authenticator's timestamp) encrypted with the service session key. Only the genuine service could have decrypted the ticket to obtain that key, so this proves the server's identity to the client (mutual authentication).

  • User is now authenticated and allowed access to the service.

Service → Client: [Optional confirmation]

🎯 Summary Diagram

[Client] ─── AS-REQ ───> [AS]
           <─ AS-REP ───

[Client] ─── TGS-REQ ──> [TGS]
           <─ TGS-REP ──

[Client] ─── AP-REQ ───> [Service]
           <─ AP-REP ───
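The six steps above, as an added example that is not part of the original notes and not code from any Kerberos implementation: both sides of each exchange (AS, TGS, service and client) are modelled in Python, the client never opens its own TGT, a stale timestamp is refused, and the service proves itself back to the client in the AP-REP. The seal()/unseal() helpers stand in for a Kerberos encryption type (a SHA-256 keystream with an HMAC tag; not a real cipher), and the principal names, keys and SPN are made up.

```python
"""Toy model of the Kerberos exchange (AS-REQ/REP, TGS-REQ/REP, AP-REQ/REP).

Added example, not code from the original notes or from any Kerberos
implementation. seal()/unseal() stand in for a Kerberos encryption type
(SHA-256 keystream + HMAC tag; NOT a real cipher). Principal names, keys
and the SPN are made up.
"""
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; the AD default clock-skew tolerance is 5 minutes

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: only a holder of `key` can read or forge."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def _fresh(ts):
    if abs(time.time() - ts) > MAX_SKEW:
        raise ValueError("timestamp outside allowed clock skew (replay or bad clock)")

class KDC:
    """Both KDC roles (AS and TGS). Holds every principal's long-term key."""
    def __init__(self, keys):
        self.keys = keys                 # principal -> long-term key
        self.krbtgt = keys["krbtgt"]     # the key that seals every TGT

    def as_exchange(self, user, preauth):
        # AS-REQ: a fresh timestamp under the user's key proves the password
        _fresh(unseal(self.keys[user], preauth)["ts"])
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "sk": sk, "exp": time.time() + 36000})
        return tgt, seal(self.keys[user], {"sk": sk})             # AS-REP

    def tgs_exchange(self, tgt, spn, authenticator):
        t = unseal(self.krbtgt, tgt)     # TGS-REQ: only the KDC can open a TGT
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"] or time.time() > t["exp"]:
            raise ValueError("authenticator does not match TGT, or TGT expired")
        _fresh(auth["ts"])
        # No authorization check here: any valid TGT gets a ticket for any SPN.
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[spn], {"user": t["user"], "ssk": ssk})
        return ticket, seal(bytes.fromhex(t["sk"]), {"ssk": ssk})    # TGS-REP

class Service:
    def __init__(self, spn, key):
        self.spn, self.key = spn, key

    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)     # AP-REQ: decrypt with the service's own key
        ssk = bytes.fromhex(t["ssk"])
        auth = unseal(ssk, authenticator)
        if auth["user"] != t["user"]:
            raise ValueError("authenticator/ticket mismatch")
        _fresh(auth["ts"])
        # AP-REP: echo the timestamp under the session key = mutual authentication
        return t["user"], seal(ssk, {"ts": auth["ts"]})

def client_login(kdc, service, user, user_key):
    """Client side of all three exchanges; returns (accepted identity, TGT)."""
    tgt, enc = kdc.as_exchange(user, seal(user_key, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(user_key, enc)["sk"])     # the client never opens tgt
    ticket, enc2 = kdc.tgs_exchange(tgt, service.spn, seal(sk, {"user": user, "ts": time.time()}))
    ssk = bytes.fromhex(unseal(sk, enc2)["ssk"])
    ts = time.time()
    who, ap_rep = service.ap_exchange(ticket, seal(ssk, {"user": user, "ts": ts}))
    if unseal(ssk, ap_rep)["ts"] != ts:
        raise ValueError("service failed mutual authentication")
    return who, tgt

def demo():
    keys = {"krbtgt": os.urandom(32), "alice": os.urandom(32), "cifs/fs01": os.urandom(32)}
    kdc, fs01 = KDC(keys), Service("cifs/fs01", keys["cifs/fs01"])
    who, tgt = client_login(kdc, fs01, "alice", keys["alice"])
    try:                                   # the TGT is opaque to its owner
        unseal(keys["alice"], tgt)
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    try:                                   # a stale pre-auth timestamp is refused
        kdc.as_exchange("alice", seal(keys["alice"], {"ts": time.time() - 2 * MAX_SKEW}))
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return who, tgt_opaque, stale_rejected

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real Kerberos: the KDC keeps no per-client state between exchanges because everything it needs is inside the sealed TGT, and the service never talks to the KDC, which is why a forged ticket (Golden or Silver) is accepted as long as it decrypts under the right key.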

πŸ›‘οΈ Key Concepts

Component                     Description
TGT                           Proof of domain authentication; used to obtain service tickets from the TGS
Service Ticket                Grants access to one specific service; encrypted with that service account's key
Authenticator                 Timestamp encrypted with the current session key; proves possession of the key and limits replay
KDC                           Trusted server (every domain controller) that issues tickets and holds all principals' keys
SPN (Service Principal Name)  Unique ID for a service instance in the realm, of the form class/host (e.g., cifs/<hostname>)

DNS

DNS in Active Directory is how domain controllers and clients locate services: DCs register service (SRV) records such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>, and clients query them to find a domain controller, the KDC or the Global Catalog. DNS also resolves hostnames to IP addresses and accepts automatic registrations through Dynamic DNS; the zone should require secure dynamic updates, since unauthenticated updates would let anyone add or overwrite records. DNS uses UDP/TCP port 53.

LDAP

LDAP (Lightweight Directory Access Protocol) allows directory lookups in AD (users, groups, computers, policies) and can also authenticate clients through a bind operation. It operates on port 389 (LDAP) and port 636 (LDAPS - LDAP over TLS); the Global Catalog listens on 3268/3269. Two authentication types exist:

  • Simple Authentication: Uses a username (DN or UPN) and password in the bind request, sent in cleartext unless the connection is wrapped in TLS (LDAPS or StartTLS).

  • SASL Authentication: Uses Kerberos (GSSAPI/GSS-SPNEGO) or other mechanisms, so the password itself is never sent.

LDAP data is sent in plaintext by default, so use LDAPS/StartTLS, or require LDAP signing and channel binding on the domain controllers.

MSRPC (Microsoft Remote Procedure Call)

MSRPC enables interprocess communication for managing AD services; it is carried over SMB named pipes (port 445) or directly over TCP (the endpoint mapper on port 135 plus dynamic high ports). Key interfaces include:

  • lsarpc: Manages local security policy (LSA), e.g. translating between SIDs and names.

  • netlogon: Authenticates users and machines; domain members use it to pass logons through to a domain controller.

  • samr: Manages domain accounts and groups; heavily used for enumeration in reconnaissance (tools such as rpcclient and enum4linux query it).

  • drsuapi: Handles directory replication between domain controllers; an account with replication rights can use it to pull the password hashes of any account (the DCSync technique).

These protocols work together to enable authentication, directory lookups, and remote management in an Active Directory environment.


NTLM Authentication

Methodology

NTLM (NT LAN Manager) is an authentication protocol used in Active Directory environments alongside Kerberos; it is also the fallback when Kerberos cannot be used, for example when a client connects to a server by IP address rather than by name. It relies on symmetric key cryptography and a challenge-response mechanism to verify user identities. The NTLM protocol has evolved through different versions, including NTLMv1 and NTLMv2, each improving security and resistance to attacks.

Limitations

  • Weak Hashing (LM & NTLMv1): The LM hash splits the password into two 7-character halves, uppercases them and uses each as a DES key; NTLMv1 answers the server challenge with three DES operations keyed from the NT hash. Both fall to brute force or lookup tables with tools like Hashcat, and a captured NTLMv1 exchange can be turned back into the NT hash.

  • No Mutual Authentication: NTLM does not verify the server's identity, so an attacker who gets a victim to authenticate to them can forward the exchange to another server (relay attacks) unless SMB/LDAP signing or channel binding blocks it.

  • Pass-the-Hash Attacks: The NT hash is all a client needs to compute a valid response, so an attacker who dumps it can authenticate without knowing the actual password.

  • Offline Cracking: NT hashes are unsalted MD4 over the UTF-16LE password, so GPU-based tools crack them at very high rates; NTLMv2 challenge/responses captured on the wire can also be cracked offline, though more slowly.

  • Obsolete LM Hashes: LM hashes are insecure and have not been stored by default since Windows Vista/Server 2008.

Key Takeaways

  • NTLMv2 Improves Security: It computes the response with HMAC-MD5 over the server challenge plus a client-supplied challenge and timestamp, which defeats pre-computed tables, but it is still vulnerable to relay attacks because nothing in the exchange binds it to the intended server.

  • Kerberos is Preferred: It provides better security with mutual authentication and per-session encryption keys.

  • Cached Credentials (MSCache2): Domain Cached Credentials (DCC2) let a domain user log on while no DC is reachable. They are derived with PBKDF2 (10,240 iterations), cannot be used for pass-the-hash, and are slow to crack.

  • Mitigation Strategies: Organizations should enforce NTLMv2 (LmCompatibilityLevel 5), disable LM hash storage, require SMB and LDAP signing, and prefer Kerberos for authentication.
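The NT hash and the NTLMv2 challenge/response described in the Limitations and Key Takeaways above, as an added example that is not part of the original notes: it computes the NT hash (MD4 over the UTF-16LE password), builds an NTLMv2 response per MS-NLMP, verifies it the way a server or DC would, and shows that the same response comes out when the attacker starts from a dumped hash instead of the password (pass-the-hash). MD4 is implemented in pure Python because hashlib's md4 is often unavailable; the user, domain, challenges and timestamp are constructed values.

```python
"""NT hash (MD4 over UTF-16LE) and the NTLMv2 challenge/response, computed
from a password and, separately, from a dumped NT hash alone.

Added example, not from the original notes. MD4 is implemented here because
hashlib's 'md4' is often unavailable (OpenSSL legacy provider). User, domain,
challenges and timestamp are constructed test values.
"""
import hashlib, hmac, struct

M32 = 0xFFFFFFFF

def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & M32

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: the unsalted digest behind every NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b ^ c ^ d
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2: HMAC_MD5(NT hash, UPPER(user) + domain) in UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, av_pairs=b""):
    """Client side. Returns (NTProofStr, NtChallengeResponse, SessionBaseKey)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    key = ntowf_v2(nt, user, domain)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof, proof + temp, hmac.new(key, proof, hashlib.md5).digest()

def server_verify(stored_nt, user, domain, server_challenge, nt_challenge_response):
    """Server/DC side: recompute NTProofStr over the received blob and compare."""
    proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def demo():
    user, domain = "alice", "INLANEFREIGHT"
    server_chal = bytes.fromhex("0123456789abcdef")     # constructed; random per logon in reality
    client_chal = bytes.fromhex("fedcba9876543210")
    ts = 133_000_000_000_000_000                       # FILETIME-style 100 ns ticks
    stored = nt_hash("password")                       # what the DC / SAM holds
    # legitimate client: has the password
    _, resp_pw, _ = ntlmv2_response(nt_hash("password"), user, domain, server_chal, client_chal, ts)
    # pass-the-hash: attacker holds only the dumped hash and never learns the password
    dumped = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # NT hash of "password"
    _, resp_pth, _ = ntlmv2_response(dumped, user, domain, server_chal, client_chal, ts)
    return (server_verify(stored, user, domain, server_chal, resp_pw),
            server_verify(stored, user, domain, server_chal, resp_pth))

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("server accepts (password, pass-the-hash):", demo())
```

Note what the server never sees: nothing in the response names the server, which is the structural gap relay attacks use, and the password never enters the computation after the first MD4, which is why the hash alone is a credential.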


User and Machine Accounts in Active Directory (AD)

User and machine accounts play a vital role in managing access to systems and resources within an IT infrastructure. These accounts can be categorized into local accounts (specific to a single system) and domain accounts (managed centrally within an Active Directory domain). Let’s go step by step to understand how they work and why they matter.


1. User Accounts in Windows Systems

User accounts allow individuals or services (programs) to log in to a computer and access resources. They are crucial for managing access rights and security policies.

1.1 Local vs. Active Directory User Accounts

  • Local Accounts: Exist only on a single computer and are not part of a networked domain.

  • Active Directory (AD) User Accounts: Exist within a domain, allowing users to log into multiple devices with the same credentials.

1.2 How User Accounts Work

When a user logs in:

  1. The system verifies their password.

  2. It creates an access token, which contains:

    • User identity (SID)

    • Group memberships

    • Assigned privileges

  3. Every time the user interacts with a resource, this token is checked for permissions.

1.3 User Groups for Easier Management

Instead of assigning permissions to individual users, administrators group users into security groups. Example:

  • The "Finance" group may have access to financial reports.

  • The "IT Admins" group may have administrative privileges.

Using groups simplifies permission management and enhances security.


2. Managing User Accounts in Active Directory

Active Directory (AD) is a directory service that helps organizations manage users, computers, and other resources. Every user in an AD environment typically has a domain account.

2.1 Types of User Accounts in AD

  1. Standard User Accounts: Used by employees to log in and access resources.

  2. Administrator Accounts: Have higher privileges to manage systems.

  3. Service Accounts: Used by applications or services to perform automated tasks.

  4. Disabled Accounts: Former employee accounts that are deactivated but not deleted.

For example, in a company with 1,000 employees, there might be 1,200 user accounts (including service accounts and test accounts). Many organizations also keep inactive accounts in an OU (Organizational Unit) named "Former Employees" for audit purposes.

2.2 Privilege Management in AD

User accounts in AD can have different privilege levels:

  • Domain User: Basic access to the environment.

  • Power User: More privileges than a standard user but less than an administrator.

  • Enterprise Admin: Full control over the entire forest, i.e. every domain in it (Domain Admins are limited to their own domain).

Misconfigurations in these permissions can be exploited by attackers, making user accounts a common target.


3. Local Accounts on Windows Systems

Windows systems come with default local accounts that have different roles.

3.1 Common Local Accounts

Account                        Description
Administrator                  Full control over the system. Cannot be deleted, but can be disabled or renamed (disabled by default on client editions of Windows).
Guest                          Meant for temporary users with limited access. Disabled by default.
SYSTEM (NT AUTHORITY\SYSTEM)   Used by the operating system for internal functions. Has the highest privileges on the host.
Network Service                Used by Windows services that need to access network resources with lower local privileges; authenticates to the network as the computer account.
Local Service                  Similar to Network Service but has minimal privileges and presents anonymous credentials to the network.

3.2 Importance of SYSTEM Account

  • SYSTEM has full control over files, registry, and system configurations.

  • It does not appear in the User Manager and cannot be assigned to groups.

  • If an attacker gains SYSTEM privileges, they have almost complete control over the machine.


4. Domain Users and Domain-Joined Machines

A domain-joined computer is managed by an AD domain controller, whereas a non-domain-joined computer operates independently.

4.1 Differences Between Domain-Joined and Non-Domain-Joined Machines

Feature             Domain-Joined                                                   Non-Domain-Joined
Authentication      Centralized (via AD)                                            Local authentication only
User Profiles       Users can log into any domain-joined PC with their credentials  Users can only log into the specific PC where their account exists
Policy Management   Controlled via Group Policy                                     No central management
Security & Updates  Centrally managed                                               Manually configured

4.2 Special AD Account: KRBTGT

  • KRBTGT is the built-in account for the Key Distribution Center service that runs on every domain controller.

  • Its password hash is the key that encrypts and signs every TGT issued in the domain.

  • If compromised, it allows attackers to forge TGTs ("Golden Tickets") for any user, granting domain-wide access until the KRBTGT password is changed. Because the KDC accepts tickets under both the current and the previous key, the password must be reset twice to invalidate forged tickets.


5. User Naming Attributes in Active Directory

AD assigns multiple identifiers to user accounts for security and ease of management.

5.1 Key User Attributes

Attribute                 Description
UserPrincipalName (UPN)   The primary login name, in user@domain form (usually matches the e-mail address).
ObjectGUID                A globally unique identifier that never changes, even if the user is deleted (it is kept on the tombstone object).
SAMAccountName            A shorter logon name (at most 20 characters) for backward compatibility with older Windows systems.
ObjectSID                 The security identifier (S-1-5-21-<domain>-<RID>) placed in access tokens and ACLs and used for authorization.
sIDHistory                Stores previous SIDs if a user account was migrated between domains; those old SIDs are still honored in access checks.

5.2 Example AD User Details

Using PowerShell to fetch user details:

Get-ADUser -Identity htb-student

Output:

DistinguishedName : CN=htb student,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : htb
Name              : htb student
ObjectClass       : user
ObjectGUID        : aa799587-c641-4c23-a2f7-75850b4dd7e3
SamAccountName    : htb-student
SID               : S-1-5-21-3842939050-3880317879-2865463114-1111
UserPrincipalName : htb-student@INLANEFREIGHT.LOCAL

This information helps administrators manage users and security in AD.
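The SID shown in the Get-ADUser output above, taken apart as an added example that is not part of the original notes: the parser handles both the string form PowerShell prints and the binary form stored in the objectSid attribute, splits a principal SID into its domain SID and RID, and names the well-known RIDs. The well-known RID table is the standard Microsoft set; the extra SIDs in the demo are constructed from the same domain.

```python
"""Parse Windows SIDs (string and binary objectSid form), split domain SID
from RID, and name well-known RIDs.

Added example, not from the original notes. The first SID in the demo is the
one from the Get-ADUser output above; the others are constructed.
"""
import struct
from dataclasses import dataclass

# RIDs that are the same in every domain (Microsoft well-known RIDs)
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
                   516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins"}

@dataclass(frozen=True)
class SID:
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def from_string(cls, s: str) -> "SID":
        parts = s.split("-")
        if parts[0] != "S" or len(parts) < 3:
            raise ValueError(f"not a SID: {s!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    @classmethod
    def from_bytes(cls, b: bytes) -> "SID":
        # objectSid layout: revision(1) count(1) authority(6, big-endian) count x uint32 little-endian
        rev, count = b[0], b[1]
        if len(b) != 8 + 4 * count:
            raise ValueError("truncated or oversized SID")
        return cls(rev, int.from_bytes(b[2:8], "big"), struct.unpack("<%dI" % count, b[8:]))

    def to_bytes(self) -> bytes:
        return (bytes([self.revision, len(self.sub_authorities)])
                + self.authority.to_bytes(6, "big")
                + struct.pack("<%dI" % len(self.sub_authorities), *self.sub_authorities))

    def __str__(self):
        return "S-%d-%d" % (self.revision, self.authority) + "".join("-%d" % s for s in self.sub_authorities)

    @property
    def domain(self):
        """S-1-5-21-<3 x uint32> is a domain; one more sub-authority makes it a principal in that domain."""
        if self.authority != 5 or self.sub_authorities[:1] != (21,) or len(self.sub_authorities) < 5:
            return None
        return SID(self.revision, self.authority, self.sub_authorities[:4])

    @property
    def rid(self):
        return self.sub_authorities[-1] if self.domain else None

def describe(s: str) -> str:
    sid = SID.from_string(s)
    if sid.rid is None:
        return f"{sid}: not a domain principal"
    name = WELL_KNOWN_RIDS.get(sid.rid) or ("custom object (RID >= 1000)" if sid.rid >= 1000 else "other built-in")
    return f"{sid}: domain {sid.domain}, RID {sid.rid} -> {name}"

if __name__ == "__main__":
    for s in ("S-1-5-21-3842939050-3880317879-2865463114-1111",
              "S-1-5-21-3842939050-3880317879-2865463114-502",
              "S-1-5-18"):
        print(describe(s))
```

The domain/RID split is what makes sIDHistory and Golden Ticket checks possible: a token that carries a RID 512 from a domain SID the trust should not vouch for is the thing SID filtering is meant to drop.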


6. Security Implications and Attack Vectors

User accounts and machine accounts are prime targets for attackers. Common security risks include:

  1. Weak Passwords: Users often set simple passwords, making brute-force attacks easier.

  2. Overly Permissive Access: Misconfigured user rights can allow unauthorized access.

  3. Shared Credentials: Users sometimes share accounts, leading to security risks.

  4. Kerberos Attacks:

    • Pass-the-Ticket: Using stolen Kerberos tickets to access resources.

    • Golden Ticket Attack: Gaining control of the KRBTGT account to generate fake tickets.

  5. Privilege Escalation:

    • If an attacker gains SYSTEM access on a domain-joined machine, they can query AD for more information and escalate their privileges.

6.1 Best Practices for Security

To reduce risks, organizations should:

  ✅ Enforce strong password policies.

  ✅ Regularly audit user permissions and disable inactive accounts.

  ✅ Use Multi-Factor Authentication (MFA).

  ✅ Implement least privilege access (grant only necessary permissions).

  ✅ Monitor login attempts and unusual activity.


Active Directory Groups Overview

Groups in Active Directory (AD) are used to organize users and assign permissions efficiently. They help manage access control but can also pose security risks if misconfigured. Organizations must audit group memberships regularly to prevent excessive privileges.

Groups vs. Organizational Units (OUs)

  • Groups: Assign permissions to resources.

  • OUs: Group objects for administrative ease and Group Policy management.

Types of Groups

  • Security Groups: Assign permissions and manage access to resources.

  • Distribution Groups: Used for email distribution; cannot assign permissions.

Group Scopes

  1. Domain Local Groups

    • Can contain users from other domains.

    • Used for managing permissions within the domain.

  2. Global Groups

    • Can grant access to resources in another domain.

    • Only contain users from their own domain.

  3. Universal Groups

    • Can manage resources across multiple domains.

    • Stored in the Global Catalog, triggering forest-wide replication.

AD Group Scope Examples

Group Name          Scope
Administrators      DomainLocal
Domain Admins       Global
Enterprise Admins   Universal
Domain Computers    Global

Changing Group Scope

  • Global → Universal: Only if the group is not itself a member of another Global group.

  • Domain Local → Universal: Only if it contains no other Domain Local groups as members.

  • Universal → Global: Only if it contains no other Universal groups as members.

  • Universal → Domain Local: No restrictions.

Built-in vs. Custom Groups

  • Built-in Groups: Created by default for administrative tasks.

  • Custom Groups: Created for specific organizational needs.

Nested Group Membership

  • Groups can be members of other groups.

  • Can result in unintended inherited privileges.

  • Tools like BloodHound help visualize nested group privileges.

Key Group Attributes

  • cn: Common name of the group.

  • member: Lists members of the group.

  • groupType: Specifies type and scope.

  • memberOf: Shows groups that contain this group.

  • objectSid: Unique security identifier (SID).
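Nested membership resolved over the member attribute, as an added example that is not part of the original notes: it walks group-in-group chains transitively (with cycle protection), produces the transitive inverse of memberOf, and reports every user who reaches a sensitive group only through nesting, which is the question BloodHound answers at scale. The directory snapshot is constructed.

```python
"""Expand nested group membership transitively and flag users who end up in
a sensitive group only through nesting.

Added example, not from the original notes. The directory snapshot below is
constructed: group -> direct 'member' values (users or other groups).
"""
from collections import deque

DIRECTORY = {
    "Domain Admins": ["administrator", "Tier0-Ops"],
    "Tier0-Ops":     ["Helpdesk-L3", "bob"],
    "Helpdesk-L3":   ["Helpdesk", "carol"],
    "Helpdesk":      ["dave", "Helpdesk-L3"],     # cycle: Helpdesk <-> Helpdesk-L3
    "Finance":       ["erin"],
}

def effective_members(group, directory=DIRECTORY):
    """Return {user: path} for every user transitively inside `group` (BFS, shortest path)."""
    found, seen = {}, {group}
    queue = deque([(group, [group])])
    while queue:
        g, path = queue.popleft()
        for m in directory.get(g, []):
            if m in directory:                  # nested group
                if m not in seen:               # cycle protection
                    seen.add(m)
                    queue.append((m, path + [m]))
            elif m not in found:                # user, first (shortest) path wins
                found[m] = path + [m]
    return found

def member_of(user, directory=DIRECTORY):
    """Transitive inverse of memberOf: every group `user` is effectively in."""
    return sorted(g for g in directory if user in effective_members(g, directory))

def audit(sensitive=("Domain Admins",), directory=DIRECTORY):
    """Users who reach a sensitive group through at least one nested group."""
    report = []
    for g in sensitive:
        for user, path in effective_members(g, directory).items():
            if len(path) > 2:                   # more than group -> user means nesting
                report.append((user, " -> ".join(path)))
    return sorted(report)

if __name__ == "__main__":
    for user, path in audit():
        print(f"{user} is effectively in Domain Admins via {path}")
```

The cycle in the snapshot is deliberate: real directories contain them, and a naive recursive expansion without a visited set never terminates on one.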


Summary: Active Directory Rights and Privileges

Understanding Rights vs. Privileges

  • Rights: Permissions to access objects like files (assigned to users/groups).

  • Privileges: Permissions to perform actions like running programs, shutting down systems, or resetting passwords.

  • User Rights Assignment: Windows refers to privileges as "rights," but they are actually system-level permissions.

Built-in AD Groups & Their Roles

  • Administrators: Full control over domain/computers.

  • Domain Admins: Full domain-wide administration.

  • Enterprise Admins: Can make forest-wide changes.

  • Backup Operators: Can back up/restore any file regardless of its ACL, which on a domain controller includes the registry hives and NTDS.dit (i.e., every password hash).

  • DnsAdmins: Control over the DNS server configuration; historically abusable to make the DNS service, which runs as SYSTEM on a DC, load an attacker-supplied DLL.

  • Print Operators: Can log on locally to a DC and load printer drivers (SeLoadDriverPrivilege), which can be abused for privilege escalation.

  • Server Operators: Can manage domain servers (services, shares, backups); has no default members.

  • Remote Desktop Users: Can connect via RDP.

  • Schema Admins: Modify the AD schema.

Privilege Escalation Risks

  • Attackers can exploit excessive group memberships or misconfigured privileges to escalate access.

  • Critical Privileges to Monitor:

    • SeRemoteInteractiveLogonRight (RDP access; a logon right rather than a token privilege, so it is not shown by whoami /priv)

    • SeBackupPrivilege (read any file regardless of ACL, including SAM and NTDS.dit)

    • SeDebugPrivilege (read and write process memory, e.g. LSASS, to steal credentials)

    • SeImpersonatePrivilege (impersonate the tokens of other users; the basis of the "potato" family of local escalations)

    • SeTakeOwnershipPrivilege (take ownership of objects/files, then grant yourself any access)

Assessing User Privileges

  • Use whoami /priv to check assigned privileges. A privilege listed as Disabled is still held by the token; the process can enable it at any time with AdjustTokenPrivileges, so treat it as present.

  • Improper privilege assignments can lead to full domain compromise.
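Triage of whoami /priv output against the list of critical privileges above, as an added example that is not part of the original notes: it parses the three-column output whoami prints, keeps the Enabled/Disabled state, and flags the privileges that are commonly abused for escalation. The sample output is constructed in whoami's format, and the risk table is my own mapping; SeRemoteInteractiveLogonRight is left out because it is a logon right that whoami /priv does not list.

```python
"""Parse `whoami /priv` output and flag escalation-relevant privileges.

Added example, not from the original notes. SAMPLE is constructed in the
format whoami prints; DANGEROUS is my own mapping, not a Microsoft list.
"""
import re

DANGEROUS = {
    "SeBackupPrivilege": "read any file regardless of ACL, incl. SAM/NTDS.dit via backup semantics",
    "SeRestorePrivilege": "write any file/registry key via restore semantics",
    "SeDebugPrivilege": "read process memory (e.g. LSASS) and steal credentials",
    "SeImpersonatePrivilege": "impersonate privileged tokens (potato-style escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a process (same family as impersonate)",
    "SeTakeOwnershipPrivilege": "take ownership of objects/files, then grant yourself access",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                  State
============================= ============================================ ========
SeChangeNotifyPrivilege       Bypass traverse checking                     Enabled
SeImpersonatePrivilege        Impersonate a client after authentication    Enabled
SeBackupPrivilege             Back up files and directories                Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set               Disabled
"""

LINE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)$")

def parse_privileges(text):
    """Return {privilege: (description, enabled)} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            privs[m.group(1)] = (m.group(2), m.group(3) == "Enabled")
    return privs

def assess(text):
    """Dangerous privileges held by this token, enabled or not.
    Disabled still counts: the process can enable a held privilege itself."""
    return sorted((name, enabled, DANGEROUS[name])
                  for name, (_, enabled) in parse_privileges(text).items()
                  if name in DANGEROUS)

if __name__ == "__main__":
    for name, enabled, why in assess(SAMPLE):
        state = "enabled" if enabled else "disabled (still exploitable)"
        print(f"{name:28} {state:30} {why}")
```

Run it over the real output (`whoami /priv > priv.txt`) of a service account or a freshly obtained shell; a disabled SeImpersonatePrivilege on an IIS or SQL service account is the usual starting point for a local escalation to SYSTEM.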


Active Directory Security Overview

Active Directory (AD) is designed for central management and quick information sharing, so it is not secure out of the box: any authenticated user can read most of the directory, and many defaults favour compatibility over safety. Hardening AD requires additional security measures to balance Confidentiality, Integrity, and Availability (CIA Triad).

Key Hardening Measures

  1. Microsoft LAPS – Randomizes and rotates local admin passwords to prevent lateral movement.

  2. Audit Policy & Logging – Monitors changes, logins, and attacks like password spraying and Kerberos exploits.

  3. Group Policy Security Settings

    • Account Policies – Enforces password rules, account lockouts, and Kerberos settings.

    • Local Policies – Controls admin privileges, driver installation, and removable media usage.

    • Software & Application Restrictions – Limits software execution using AppLocker.

    • Advanced Audit Policies – Logs file access, privilege usage, and security changes.

  4. Update Management (WSUS/SCCM) – Ensures Windows updates and security patches are applied timely.

  5. Group Managed Service Accounts (gMSA) – Domain controllers generate and rotate (every 30 days by default) a 120-character password that no human ever knows, removing the weak, never-changed service account passwords that Kerberoasting targets.

  6. Security Groups – Assigns permissions to users and resources instead of managing individually.

  7. Account Separation – Admins use separate accounts for daily tasks and privileged actions.

  8. Password Policies & 2FA – Enforce strong, long passwords and multi-factor authentication (MFA).

  9. Limit Domain Admin Usage – Domain Admin accounts should be used only to log into Domain Controllers, so their credentials are never cached on workstations or member servers where they could be dumped.

  10. Regular Audits

    • Remove stale accounts – Unused accounts are security risks.

    • Review admin permissions – Minimize excessive Domain Admins.

  11. Restrict Local Admin & RDP Access – Avoid unnecessary local admin rights and restrict Remote Desktop (RDP) access.

  12. Use Restricted Groups – Control admin group membership via Group Policy.

  13. Server Role Separation – Keep sensitive roles separate (e.g., avoid installing a web server on a Domain Controller).


Summary of Group Policy in Windows

What is Group Policy?

  • A Windows feature for managing user and computer settings in Active Directory (AD).

  • Used for security, configuration, and automation.

  • Essential for a defense-in-depth strategy in enterprise security.

Group Policy Objects (GPOs)

  • Virtual collections of settings applied to users or computers.

  • Examples of use:

    • Enforcing password policies.

    • Disabling USB ports.

    • Restricting app access.

    • Deploying software across a domain.

    • Running scripts on login/logout.

Order of Precedence in GPOs

  1. Local Group Policy – Applied at the host level.

  2. Site Policy – Applied to AD sites (enterprise locations).

  3. Domain-wide Policy – Applied to all users and computers in the domain.

  4. Organizational Unit (OU) Policy – Role-specific settings.

  5. Nested OU Policies – More specific configurations for sub-groups.

  • GPOs are processed top-down: Local → Site → Domain → OU → child OU.

  • The last applied GPO takes precedence: for a conflicting setting, a GPO linked to a child OU overrides one linked at the domain. Within one container, link order decides (link order 1 is applied last and wins).

  • Where the same setting exists under both Computer Configuration and User Configuration, the computer setting wins.

Enforced & Blocked Inheritance

  • Enforced GPO: Its settings win over any conflicting GPO linked lower in the hierarchy, and it still applies to OUs that block inheritance. If several enforced GPOs conflict, the one linked highest (e.g., at the domain) wins.

  • Blocked Inheritance: Set on an OU, it stops non-enforced GPOs linked at the site, domain or parent OUs from applying to that OU.

  • Default Domain Policy: Created automatically and linked at the domain root. Account policies for domain accounts (password, lockout and Kerberos settings) are read only from GPOs linked at the domain level, so an OU-linked GPO cannot override them.
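The precedence rules above (LSDOU order, link order, last-applied-wins, Enforced and Block Inheritance) worked through as an added example that is not part of the original notes and is not how the Group Policy client engine is implemented: a small resolver computes which GPO wins each setting for a computer at a given OU, once for an OU that inherits normally and once for a child OU that blocks inheritance while an enforced domain GPO still reaches it. The GPO names, links, settings and OU path are constructed.

```python
"""Resolve the effective value of each setting for a computer at a given OU,
applying LSDOU order, link order, 'last applied wins', Enforced and Block
Inheritance.

Added example, not from the original notes and not how the Group Policy
client is implemented. GPOs, links, settings and the OU path are constructed.
"""

# scope -> [(gpo, settings, enforced), ...] in link order
# (first entry = link order 1 = highest precedence within that scope)
LINKS = {
    "local":                       [("Local Policy", {"ScreenLockMinutes": 30, "AllowUSB": True}, False)],
    "site:HQ":                     [("Site-Baseline", {"AllowUSB": False}, False)],
    "domain":                      [("Default Domain Policy", {"ScreenLockMinutes": 10, "RDP": False}, False),
                                    ("Corp-Security", {"AppLocker": "on"}, True)],     # Enforced
    "ou:Workstations":             [("WS-Baseline", {"RDP": False, "AllowUSB": True}, False)],
    "ou:Workstations/Engineering": [("Eng-Devtools", {"AppLocker": "off", "RDP": True}, False)],
}
BLOCK_INHERITANCE = {"ou:Workstations/Engineering"}   # OUs with 'Block Inheritance' set

def scopes_for(site, ou_path):
    """LSDOU: local -> site -> domain -> OU -> nested OUs, top-down."""
    parts = ou_path.split("/")
    return ["local", f"site:{site}", "domain"] + ["ou:" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def resolve(site, ou_path, links=LINKS, blocked=BLOCK_INHERITANCE):
    """Return ({setting: (value, winning_gpo)}, [gpos in the order they were applied])."""
    scopes = scopes_for(site, ou_path)
    blocking = [i for i, s in enumerate(scopes) if s in blocked]
    cut = blocking[-1] if blocking else 0          # deepest blocking OU discards everything above it
    normal, enforced = [], []
    for idx, scope in enumerate(scopes):
        for name, settings, is_enforced in reversed(links.get(scope, [])):   # link order N..1
            if is_enforced:
                enforced.append((name, settings))   # enforced links ignore Block Inheritance
            elif idx >= cut or scope == "local":    # local policy is not inherited, so never blocked
                normal.append((name, settings))
    # normal links apply in LSDOU order (last one wins); enforced links apply after all of
    # them, and among enforced links the one linked highest (e.g. the domain) is applied last.
    order = normal + enforced[::-1]
    effective = {}
    for name, settings in order:
        for setting, value in settings.items():
            effective[setting] = (value, name)
    return effective, [name for name, _ in order]

if __name__ == "__main__":
    for ou in ("Workstations", "Workstations/Engineering"):
        effective, order = resolve("HQ", ou)
        print(f"{ou}: applied {' -> '.join(order)}")
        for setting, (value, gpo) in sorted(effective.items()):
            print(f"  {setting:18} = {value!s:6} (from {gpo})")
```

The Engineering OU shows the combination that surprises people in practice: Block Inheritance drops the domain's RDP and screen-lock settings, so the Local Policy values come back into effect, while the enforced Corp-Security GPO still overrides the OU's own AppLocker "off".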

Group Policy Refresh

  • Default: Every 90 minutes, with a random offset of up to 30 minutes so that clients do not all refresh at once.

  • Domain controllers refresh every 5 minutes.

  • Can be manually updated using gpupdate /force.

Security Risks

  • Attackers can abuse GPOs for privilege escalation, lateral movement, and persistence: write access to a GPO (or to its files in SYSVOL) lets them push a scheduled task, a startup script, or a local Administrators membership change to every computer the GPO applies to.

  • Misconfigurations can expose security vulnerabilities.