Cyber Security Interview Prep. Q8: "Kerberos Authentication"
- mahfuz3895
- Oct 1, 2021
Category: Security
Question: What is Kerberos? How does it work?
My Answer:
Kerberos is an authentication protocol that Windows machines use by default. A machine using Kerberos is almost always going to be using Active Directory, and needs to be able to reach a DC (Domain Controller), without which it cannot function. It is more secure than NTLM.
Unlike NTLM, Kerberos uses a ticket system rather than a challenge-based handshake. The process can briefly be described like so:
1) Client sends a request to the Domain Controller (we assume the Authentication Server, Key Distribution Centre and Ticket Granting Service are all housed in this DC).
2) Server responds by providing a TGT (Ticket Granting Ticket).
3) Client sends the TGT to the server, requesting access to a desired service by specifying the service's SPN (Service Principal Name).
4) Server's TGS (Ticket Granting Service) replies with a session key for the desired service.
5) Client can supply the provided session key to use the desired service.
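The five steps above as a small runnable model (an added example, not part of the original post, and not real Kerberos cryptography). It goes slightly further than the steps: the TGS reply here carries a service ticket sealed under the service's own key alongside the session key, and the client proves it holds that key with an authenticator. The realm `EXAMPLE.LOCAL`, the user `alice`, the SPN `HTTP/web01`, all passwords, the toy `seal`/`unseal` cipher and every function name are assumptions made for illustration.

```python
import hashlib, hmac, json, os, time

def derive_key(password, salt):  # toy stand-in for Kerberos string-to-key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def _stream(key, nonce, n):  # hash-counter keystream, illustration only
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # toy authenticated encryption: keystream XOR + HMAC tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:  # AS, KDC and TGS housed together, as the post assumes
    def __init__(self, realm, passwords):
        self.keys = {p: derive_key(pw, realm + p) for p, pw in passwords.items()}
    def as_exchange(self, user):  # steps 1-2: request in, TGT out
        sk = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + 600})
        return tgt, seal(self.keys[user], {"sk": sk})  # only the user's key opens this
    def tgs_exchange(self, tgt, spn):  # steps 3-4: TGT + SPN in, service ticket out
        t = unseal(self.keys["krbtgt"], tgt)  # client could not read or alter the TGT
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = os.urandom(16).hex()
        ticket = seal(self.keys[spn], {"user": t["user"], "sk": sk, "exp": t["exp"]})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk})

def service_accept(service_key, ticket, authenticator):  # step 5, service side
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)  # proves client holds session key
    if a["user"] != t["user"] or t["exp"] < time.time():
        raise ValueError("rejected")
    return t["user"]

def run_exchange(typed_password, realm="EXAMPLE.LOCAL", spn="HTTP/web01"):
    kdc = KDC(realm, {"krbtgt": "kdc-pw", "alice": "alice-pw", spn: "svc-pw"})  # constructed
    tgt, reply = kdc.as_exchange("alice")
    tgt_sk = bytes.fromhex(unseal(derive_key(typed_password, realm + "alice"), reply)["sk"])
    ticket, reply = kdc.tgs_exchange(tgt, spn)
    svc_sk = bytes.fromhex(unseal(tgt_sk, reply)["sk"])
    return service_accept(kdc.keys[spn], ticket, seal(svc_sk, {"user": "alice", "ts": time.time()}))
```

The password never crosses the wire in this model: a wrong password simply fails to open the AS reply, and the service never has to contact the DC to validate the ticket.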
Depending on how deep your technical knowledge is expected to be, explaining the above may be the end of Kerberos, and the interview may move on to other topics. However, you can always offer to discuss Kerberoasting: now that you've laid the groundwork for how Kerberos works, it may be fitting to briefly talk about the interesting way Kerberos can be attacked and credential hashes can be extracted, which may ultimately lead to the compromise of a privileged account. Kerberoasting will be discussed in a future blog post.