Logan Lembke //
Kerberos authentication can be daunting but is an important protocol to understand for any IT professional, and especially important in the field of information security.
While you may not hear about Kerberos often, you probably have heard about its largest implementation: Windows Active Directory. Since Windows 2000, Kerberos has been the default network authentication protocol for users within a domain. In practice, Kerberos allows network authentication to take place without putting the user’s password, or a hash of that password onto the network. In doing so, it protects users against a vast array of snooping attacks that could otherwise capture the user’s credentials.
The three headed dog who guards hell,
there’s a reason they chose the scariest mascot possible
One source of confusion regarding Kerberos comes from its different implementations. In the 1980’s, MIT invented the Kerberos authentication protocol. By the 1990’s, version 4 of the protocol became an IETF standard, and Microsoft began implementing its own version into Windows 2000. In 2005, version 5 of the MIT protocol replaced the previous IETF standard. As of now, Microsoft Kerberos currently follows version 5 of the IETF standard; however, Microsoft has made some small changes
Kerberos, as designed by MIT is an authentication protocol. However, when Microsoft implemented Kerberos, they chose to add authorization systems to the protocol as well. As you can imagine, these authorization systems have been under constant attack. Primarily, these systems have been used during post-exploitation of a domain controller in order to gain further access to network resources.
While the protocol may seem overwhelming, the core concept is easy enough that schoolchildren could take advantage of it. In fact, they do.
Your first crush
Imagine you’re out at recess and you see your crush and their best friend. You would really like to ask your crush to go get some ice cream with you, but you can’t work up the nerve to ask. Thankfully, you’ve talked to their friend before, so you wait for them to split up momentarily. That way you can talk to your mutual friend alone. Right as you begin talking to them, the bell rings and you’re forced to go inside. Drats! Your friend tells you that they’ll send you a note during class so you can finish your conversation.
Once class starts, you receive a note from your crush’s mutual friend asking you what you wanted to talk about.
Childhood Notes: More Secrets Passed than Symmetric Key Encryption
You tell them it’s about your crush and that you would like them to ask your crush out for you. Rather than ask your crush for you directly, your friend comes up with a clever idea. Your friend says that they wrote a convincing letter to your crush but that you’ll have to deliver the note yourself. Theres one other catch: you can’t read the note. Your friend tells you that they’ll ruin the whole thing on purpose if you look. You hesitate, but in the end you go along with the plan. You figure it’ll work since your crush generally trusts your mutual friend.
While you still need to talk to your crush, you can now casually leave the note on their desk without bringing up the topic. Better than nothing, you think.
After you leave the note on their desk, you go outside and wait for their response. Suddenly, your crush comes through the door asking you about your favorite kind of ice cream. The note worked! It seems your friend successfully helped you connect!
- You began talking with your friend in the open.
- Your friend gave you a note so you could continue to talk with them.
- You asked your friend to ask your crush out for you.
- Rather than ask them out for you directly, they wrote a note for you.
- You left the note for your crush.
- Your crush trusted the opinion of your mutual friend and began to read the note.
- Your crush thought about getting ice cream with you.
- Your crush decided to get ice cream with you!
On the surface, Kerberos works exactly like these love stricken schoolchildren. In this scenario, you are the user, the domain controller is your friend, and the desired service is your crush.
- A user asks the local domain controller to talk in the open.
- The domain controller gives the user a key so the user can continue to talk to it.
- The user asks the domain controller for access to a service.
- The domain controller creates a note for the user to give to the service.
- The user gives the service the domain controller’s note.
- The service trusts the contents of the note from the domain controller.
- The service matches the user’s information against the domain controller’s note.
- The service authenticates the user!
While this explanation is fine for a cursory overview of the subject, further explanation is needed for a deep understanding of the topic. After searching the internet for a few hours, watching videos, and reading papers, I have found a few resources which I highly recommend.
If you want to put your nose to the grindstone, Microsoft has laid out its version of Kerberos in a 2009 TechNet article. The article is one or two steps removed from the RFC’s which specify the protocol, but it does a fine job explaining where Microsoft has altered the protocol in order to speed up operations or to provide authorization facilities. Additionally, it provides a step-by-step explanation of the authentication process.
SANS continues to impress with their explanation of Microsoft Kerberos. Hands down, SANS presents the best functional explanation of Microsoft’s implementation of the Kerberos protocol with a specific slant towards security professionals. Beyond explaining the authentication process, the article also touches on the exploits currently available for Microsoft’s Kerberos implementation (Overpass the Hash, Golden Tickets, Silver Tickets, and MITM attacks).
Duckwall and Delpy provide an in depth look at the vulnerabilities involved with Microsoft Kerberos authentication. Mimikatz, a tool written by Benjamin Delpy for the post-exploitation of a domain controller using Kerberos, is demoed throughout the presentation. While this is a great presentation, I would recommend reading the SANS article first since the talk shows working demos of almost every exploit mentioned in the SANS post above.
All in all, Kerberos, while overwhelming, can be made simple by taking a step back and viewing it at a higher level. Once you understand the basics of the protocol, a large pool of knowledge will become available to you as an information technology professional. With knowledge of Kerberos, system admins can begin securing their networks, and security professionals can begin learning about the vulnerabilities inherent in the protocol.