According to myth, Kerberos (you might know him as Cerberus) guards the Gates to the Underworld. He’s a big 3 headed dog with a snake for a tail and a really bad temper.
In the modern world, MIT Computer Scientists used the name and visual of Kerberos for their computer network authentication protocol. Kerberos uses symmetric key cryptography and requires trusted third-party authorization to verify user identities. Since Kerberos requires 3 entities to authenticate and has an excellent track record of making computing safer, the name really does fit.
Get the Free Pen Testing Active Directory Environments EBook
What is Kerberos?
Kerberos authentication is currently the default authorization technology used by Microsoft Windows, and implementations of Kerberos exist in Apple OS, FreeBSD, UNIX, and Linux.
Microsoft introduced their version of Kerberos in Windows2000. It has also become a standard for websites and Single-Sign-On implementations across platforms. The Kerberos Consortium maintains Kerberos as an open-source project.
Kerberos is a vast improvement on previous authorization technologies. The strong cryptography and third-party ticket authorization make it much more difficult for cybercriminals to infiltrate your network. It is not totally without flaws, and in order to defend against those flaws, you need to first understand them.
Kerberos has made the internet and its denizens more secure, and enables users to do more work on the Internet and in the office without compromising safety.
What is the difference between Kerberos and NTLM?
Before Kerberos, Microsoft used an authentication technology called NTLM. NTLM stands for NT Lan Manager and is a challenge-response authentication protocol. The target computer or domain controller challenge and check the password, and store password hashes for continued use.
The biggest difference between the two systems is the third-party verification and stronger encryption capability in Kerberos. This extra step in the process provides a significant additional layer of security over NTLM.
NTLM systems can get hacked in a matter of hours these days: it’s simply older technology, and you shouldn’t rely upon NTLM to protect sensitive data.
How do you authenticate with Kerberos?
Here are the most basic steps taken to authenticate in a Kerberized environment.
- Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC)
- The KDC verifies the credentials and sends back an encrypted TGT and session key
- The TGT is encrypted using the Ticket Granting Service (TGS) secret key
- The client stores the TGT and when it expires the local session manager will request another TGT (this process is transparent to the user)
If the Client is requesting access to a service or other resource on the network, this is the process:
- The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access
- The KDC verifies the TGT of the user and that the user has access to the service
- TGS sends a valid session key for the service to the client
- Client forwards the session key to the service to prove the user has access, and the service grants access.
Can Kerberos Be Hacked?
Yes. Because it is one of the most widely used authentication protocols, hackers have developed several ways to crack into Kerberos. Most of these hacks take advantage of a vulnerability, weak passwords, or malware – sometimes a combination of all three. Some of the more successful methods of hacking Kerberos include:
- Pass-the-ticket: the process of forging a session key and presenting that forgery to the resource as credentials
- Golden Ticket: A ticket that grants a user domain admin access
- Silver Ticket: A forged ticket that grants access to a service
- Credential stuffing/ Brute force: automated continued attempts to guess a password
- Encryption downgrade with Skeleton Key Malware: A malware that can bypass Kerberos, but the attack must have Admin access
- DCShadow attack: a new attack where attackers gain enough access inside a network to set up their own DC to use in further infiltration
Is Kerberos Obsolete?
Kerberos is far from obsolete and has proven itself an adequate security-access control protocol, despite attackers’ ability to crack it. The primary advantage of Kerberos is the ability to use strong encryption algorithms to protect passwords and authentication tickets. With today’s computers, any brute force attack of the AES encryption protocol used by the current version of Kerberos will take approximately longer than this solar system has left to survive. Suffice to say: Kerberos is going to be around for a while in one form or another.
What is going to replace Kerberos?
There are no real contenders to replace Kerberos in the pipeline. Most of the advancements in security are to protect your password or provide a different method of validating who you are to Kerberos. Kerberos is still the back-end technology. Kerberos excels at Single-Sign-On (SSO), which makes it much more usable in a modern internet based and connected workplace. With SSO you prove your identity once to Kerberos, and then Kerberos passes your TGT to other services or machines as proof of your identity.
The weakest link in the Kerberos chain is the password. Passwords can be brute-force cracked or stolen by phishing attacks. For this reason, Multi-Factor Authentication (MFA) is becoming more popular to protect online identities. With MFA, you need the password and something else – a randomized token, mobile phone, email, thumbprint, retina scan, facial recognition, etc. – to prove that you are in fact who you are telling Kerberos you are.
How does Varonis monitor Kerberos?
Varonis monitors Active Directory domains for Kerberos attacks, privilege escalations, brute force attacks, and more. Our security analytics combines user events, security events, and perimeter telemetry – to detect and alert on potential attacks and security vulnerabilities.
Sample Varonis threat models that help detect Kerberos attacks include:
- Potential pass-the-ticket attack: access to a resource was requested without proper authentication, bypassing the Kerberos protocol.
- Failed privilege escalation detected via vulnerability in Kerberos: an attacker tried to elevate their privileges via Kerberos vulnerability.
- Potential brute-force attack targeting a specific account: an unusual amount of authentication failures from a single IP address by a single user has occurred.
- Security certificate activity by non-administrators: Activity was detected on certification files by a user who is not an administrator – potentially indicating an attacker trying to steal signatures.
- …and that’s just the beginning!