Penetration Tester Interview Q&A…What is Kerberos?

5qu1n7
3 min read, Jul 30, 2024

Since Windows 2000, Microsoft has used the Kerberos protocol as the default authentication method in Windows, and it is an integral part of the Windows Active Directory (AD) service.

Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network. Initially developed at the Massachusetts Institute of Technology (MIT) for Project Athena in the late 1980s, it is now the default authentication technology in Microsoft Windows and is also implemented in other operating systems, including Apple OS, FreeBSD, UNIX and Linux.

The protocol is named after Cerberus, the three-headed guard dog of Greek myth, and its three heads represent the following:

  1. the client or principal;
  2. the network resource, i.e. the application server that provides access to it; and
  3. a key distribution center (KDC), which acts as Kerberos’ trusted third-party authentication service.

Users, systems and services that use Kerberos need only trust the KDC. It runs as a single process and provides two services: an authentication service (AS) and a ticket-granting service (TGS).

It supports a broad range of functions, including single sign-on (SSO) implementations, and serves as the go-to authentication protocol for websites. Kerberos is so widely used that, like DNS, most users are not even aware they are using it.

Kerberos uses symmetric-key cryptography and a key distribution center (KDC) to authenticate and verify user identities. A KDC consists of three parts:

  1. A ticket-granting server (TGS) that connects the user with the service server (SS)
  2. A Kerberos database that stores the password and identification of all verified users
  3. An authentication server (AS) that performs the initial authentication

During authentication, Kerberos stores the specific ticket for each session on the end-user’s device. Instead of a password, a Kerberos-aware service looks for this ticket. Kerberos authentication takes place in a Kerberos realm, an environment in which a KDC is authorized to authenticate a service, host, or user.

Kerberos authentication is a multistep process that consists of the following components:

  1. The client who initiates the need for a service request on the user’s behalf
  2. The server, which hosts the service that the user needs access to
  3. The AS, which performs client authentication. If authentication is successful, the client is issued a ticket-granting ticket (TGT) or user authentication token, which is proof that the client has been authenticated.
  4. The KDC and its three components: the AS, the TGS, and the Kerberos database
  5. The TGS application that issues service tickets
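As an added example that is not part of the original post, the following toy Python model walks through the exchange just described: the client authenticates to the AS and receives a TGT, presents the TGT to the TGS for a service ticket, and presents that ticket to the service, which validates it with its own key alone. The principal names, passwords, and the seal/unseal cipher are constructed for illustration; the cipher is a placeholder, not one of Kerberos' real encryption types.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):   # toy authenticated encryption of a JSON object (stand-in, not RFC 3961)
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = hashlib.sha256(key + nonce).digest() * (len(pt) // 32 + 1)
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):   # raises if the key is wrong or the blob was tampered with
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    ks = hashlib.sha256(key + nonce).digest() * (len(ct) // 32 + 1)
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# Constructed KDC database: principal -> long-term key. Only the KDC holds the krbtgt key.
KDC_DB = {"alice": hashlib.sha256(b"alice-pw").digest(), "krbtgt": os.urandom(32), "http/web": os.urandom(32)}
TTL = 600   # ticket lifetime in seconds (toy value)

def as_exchange(user, preauth):
    # AS_REQ -> AS_REP: verify pre-auth under the user's key; TGT is sealed with the krbtgt key.
    ts = unseal(KDC_DB[user], preauth)["ts"]   # wrong password -> ValueError
    if abs(time.time() - ts) > 300: raise ValueError("clock skew too large")
    sk = os.urandom(32)
    tgt = seal(KDC_DB["krbtgt"], {"user": user, "sk": sk.hex(), "exp": time.time() + TTL})
    return tgt, seal(KDC_DB[user], {"sk": sk.hex()})   # session key goes back under the user's key

def tgs_exchange(tgt, authenticator, service):
    # TGS_REQ -> TGS_REP: open the TGT with the krbtgt key, check the authenticator, issue a ticket.
    t = unseal(KDC_DB["krbtgt"], tgt)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if t["exp"] < time.time() or a["user"] != t["user"]: raise ValueError("bad TGT/authenticator")
    ssk = os.urandom(32)
    st = seal(KDC_DB[service], {"user": t["user"], "sk": ssk.hex(), "exp": time.time() + TTL})
    return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk.hex()})   # service ticket is sealed with the service key

def service_accepts(service_key, ticket, authenticator):
    # AP_REQ: the service validates the ticket with its own key only; the KDC is not contacted.
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    return t["exp"] > time.time() and a["user"] == t["user"]

def login_and_access(user, password, service):
    # Client side of the whole flow; True if the service accepted the user.
    key = hashlib.sha256(password.encode()).digest()
    tgt, rep = as_exchange(user, seal(key, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(key, rep)["sk"])
    st, rep2 = tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, rep2)["sk"])
    return service_accepts(KDC_DB[service], st, seal(ssk, {"user": user, "ts": time.time()}))
```

A wrong password never reaches the service: the AS rejects the pre-authentication blob because it was sealed with the wrong key.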

What is KRBTGT?

KRBTGT is the account used by Microsoft's implementation of Kerberos, the default Microsoft Windows authentication protocol. Understanding the ins and outs of the KRBTGT account can mean the difference between having a secure, compliant network and opening your organization up to vulnerabilities that could allow perpetrators to forge authentication and wreak havoc in your network. KRBTGT is a default account created automatically when a Microsoft Active Directory domain is created. Its main purpose is to act as the Key Distribution Center (KDC) account that authenticates Kerberos tickets.

Because the KRBTGT password hash is not held in memory on as many systems as ordinary account hashes, stealing it is much more difficult. To gain full, unfettered access, an attacker would have to reach the KDC on the domain controller (DC) and steal that password hash in order to create a Golden Ticket (more on this at a later date).

There is much more to this protocol, but this should be enough information to get you through an interview. You will also need to know some of the attack paths for Kerberos, but we will cover those later.

5qu1n7

Currently a Penetration Tester and a retired United States Air Force Military Working Dog Handler after 23 years, who also has a habit of picking locks.