Internal Network & Active Directory · intermediate · ~12 min

Kerberos and NTLM authentication

Explain how AD authenticates and where each protocol is abused.

Overview

AD uses NTLM (challenge-response over password hashes → pass-the-hash, relay) and Kerberos (DC issues TGT then service tickets, encrypted with password-derived keys → Kerberoasting, AS-REP roasting, pass/forge-the-ticket). The attacks exploit the fact that these secrets are password-derived; they do not break the cryptography itself.

Why it matters

Nearly every marquee AD attack (pass-the-hash, Kerberoasting, AS-REP roasting, Golden Ticket) follows from how NTLM and Kerberos use password-derived secrets. Understanding the flows is what makes those attacks make sense.

Core concepts

  • NTLM: the hash is the credential → pass-the-hash; relay.
  • Kerberos: KDC issues TGT → TGS; tickets keyed by passwords.
  • Kerberoasting: crack service-ticket encryption offline.
  • AS-REP roasting: no-preauth accounts leak crackable data.
  • Golden Ticket: forged with the krbtgt key.

Lesson

AD authentication uses two protocols, and most AD attacks abuse how they work.

NTLM (legacy, challenge-response)

The client proves it knows the password's hash via a challenge-response — without sending the password. Consequences:

  • Pass-the-Hash: the hash itself is the credential, so a stolen NTLM hash authenticates without cracking it.
  • NTLM relay: an attacker relays a victim's authentication to another service (often over SMB) to act as them.

Kerberos (default, ticket-based)

Instead of sending credentials to each service, the client gets tickets from the DC's Key Distribution Center (KDC):

  1. Authenticate to the KDC → get a TGT (Ticket-Granting Ticket).
  2. Present the TGT → get a service ticket (TGS) for a specific service.
  3. Present the TGS to the service.

Tickets are encrypted with key material derived from account passwords — which is the crack in the armour:

  • Kerberoasting: request a TGS for a service account; it's encrypted with that account's password hash → crack offline.
  • AS-REP roasting: accounts with Kerberos pre-auth disabled hand out crackable material without authentication.
  • Pass-the-Ticket / Golden Ticket: stolen or forged tickets grant access (a Golden Ticket forged with the krbtgt key = domain god-mode).
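As an added example (not part of the original lesson), the two roasting patterns above written as detection logic over constructed Windows Security events: 4769 service-ticket requests issued with RC4 for a non-machine account (Kerberoasting indicator) and 4768 TGT requests with pre-authentication absent (AS-REP roasting indicator). The event field names follow the EVTX EventData names; the sample values, account names and IPs are made up.

```python
# Constructed Windows Security events (dicts standing in for parsed EVTX
# EventData fields); not real log data.
RC4_HMAC = 0x17              # etype 23: RC4, keyed directly by the NT hash
AES_ETYPES = {0x11, 0x12}    # etype 17/18: AES128 / AES256 (password-derived via PBKDF2)
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth disabled

SAMPLE_EVENTS = [
    # 4769: TGS requests. An RC4 ticket for a user-type service account is the
    # classic Kerberoasting indicator; an AES ticket for a machine account is normal.
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x17, "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": 0x12, "Status": "0x0", "IpAddress": "10.0.0.55"},
    # 4768: TGT (AS-REQ) results. PreAuthType 0 = no pre-authentication, so the KDC
    # returned password-encrypted material to a requester that never proved anything.
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "Status": "0x0", "IpAddress": "10.0.0.77"},
    {"EventID": 4768, "TargetUserName": "carol", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "Status": "0x0", "IpAddress": "10.0.0.12"},
]

def is_roastable_tgs(ev):
    """Kerberoasting indicator: successful TGS for a non-machine service
    account issued with RC4, i.e. encrypted under the account's NT hash."""
    return (ev["EventID"] == 4769 and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not ev["ServiceName"].endswith("$")
            and ev["ServiceName"].lower() != "krbtgt")

def is_asrep_roast(ev):
    """AS-REP roasting indicator: TGT issued with no pre-authentication."""
    return ev["EventID"] == 4768 and ev["Status"] == "0x0" and ev["PreAuthType"] == 0

def find_indicators(events):
    """Return (kind, subject, source_ip) for every event matching either indicator."""
    hits = []
    for ev in events:
        if is_roastable_tgs(ev):
            hits.append(("kerberoast", ev["ServiceName"], ev["IpAddress"]))
        elif is_asrep_roast(ev):
            hits.append(("asrep-roast", ev["TargetUserName"], ev["IpAddress"]))
    return hits

def preauth_disabled(user_account_control):
    """Directory-side hygiene check: is DONT_REQ_PREAUTH set on this account?"""
    return bool(user_account_control & DONT_REQ_PREAUTH)

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EVENTS):
        print(hit)
```

In practice the 4769 rule needs a baseline of which service accounts legitimately still negotiate RC4, and the directory check is the cheaper place to catch AS-REP roasting before it ever shows up in the logs.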

Takeaway

You rarely "break" the crypto — you abuse the fact that password-derived secrets back the tickets and hashes, so weak service-account passwords and exposed hashes or tickets become domain compromise.

Summary

AD authentication via NTLM (hash-based) and Kerberos (ticket-based) is abused not by breaking crypto but because hashes and tickets derive from passwords — enabling pass-the-hash, Kerberoasting, AS-REP roasting, and ticket forgery.