Practical Network Scanning

Authentication NTLM versus Kerberos

NT LAN Manager (NTLM) and Kerberos are both authentication protocols; neither plays any role in authorization. NTLM is a proprietary authentication protocol developed by Microsoft, whereas Kerberos is a standard protocol. Starting with Windows 2000 (Win2K), Microsoft made Kerberos the default authentication protocol for the Windows OS. However, if Kerberos cannot be negotiated for some reason, Active Directory (AD) falls back to LM, NTLM, or NTLM version 2 (NTLMv2).

Kerberos is a cryptographic network protocol for authenticating users to resources; it involves a client, a server, and a Key Distribution Center (KDC). Kerberos was named after Cerberus, the three-headed dog of Greek mythology, because of its three components. The KDC itself has two components, an Authentication Server (AS) and a Ticket Granting Service (TGS); the following diagram shows them together with the Client and the Print Server that the Client wants to access:

Let's try to understand the process step by step:

  1. For network domain authentication, a Client provides a username and a password, which is validated by the Authentication Server, a component of the KDC.
  2. The KDC grants a Ticket Granting Ticket (TGT) with a default lifetime of 10 hours.
  3. When the Client attempts to access the Print Server in the domain, the TGT is used to make the request instead of entering credentials again and again. The Client obtains a service ticket from the Ticket Granting Service (TGS), a component of the KDC.
  4. A service ticket is created for the Client and the Server that the Client wants to access. The service ticket consists of a ticket and a session key.
  5. The Client presents the service ticket to create a session with the service on the Server. The Server uses its own key to decrypt the information from the TGS, and the Client is authenticated to the Server.
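The five steps above as a runnable exchange between a client, a KDC and a service, written as an added illustration for this section (it is not the book's code and not the real Kerberos wire format). The cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag) for the AES encryption types a real KDC uses, and the realm, principal names and passwords are made up; what it reproduces is the structure: the password is used only in the AS exchange, the TGT is sealed under the krbtgt key, the service ticket is sealed under the service's own key, and the service never sees the password or the TGT.

```python
"""Toy Kerberos-style ticket flow: AS exchange -> TGS exchange -> AP exchange.
Added example; the sealing primitive is a stand-in for real Kerberos etypes."""
import hashlib
import hmac
import json
import os
import time

TGT_LIFETIME = 10 * 3600  # seconds: the 10-hour default lifetime the text mentions


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (Kerberos string-to-key also salts with realm and principal)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: only a holder of `key` can open or forge it."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key` (wrong password, wrong service, or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key and plays both the AS and the TGS role."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, self.realm + principal)

    def as_exchange(self, client: str, preauth: bytes, now: float) -> bytes:
        """Steps 1-2: the AS validates the password via the pre-auth timestamp and issues a TGT."""
        ts = unseal(self.keys[client], preauth)["timestamp"]  # fails if the password was wrong
        if abs(now - ts) > 300:
            raise PermissionError("pre-auth timestamp outside the 5-minute skew window")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "session": session, "expires": now + TGT_LIFETIME})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """Steps 3-4: the TGS accepts TGT + authenticator and returns a service ticket and session key."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired; the client must re-authenticate")
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if auth["client"] != t["client"]:
            raise PermissionError("authenticator does not match the TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session, "expires": now + TGT_LIFETIME})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """Step 5: the Print Server decrypts the ticket with its own key, then checks the authenticator."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    if auth["client"] != t["client"]:
        raise PermissionError("authenticator does not match the ticket")
    return t["client"]


def kerberos_logon(kdc: KDC, client: str, password: str, service: str, now: float = None) -> str:
    """Run the whole exchange as the client would; returns the principal the service accepted."""
    now = time.time() if now is None else now
    client_key = derive_key(password, kdc.realm + client)
    # Steps 1-2: only the real password opens the AS reply carrying the TGT session key.
    as_rep = unseal(client_key, kdc.as_exchange(client, seal(client_key, {"timestamp": now}), now))
    tgt_session, tgt = bytes.fromhex(as_rep["session"]), bytes.fromhex(as_rep["tgt"])
    # Steps 3-4: the TGT replaces the password for every further request.
    tgs_rep = unseal(tgt_session, kdc.tgs_exchange(tgt, seal(tgt_session, {"client": client, "timestamp": now}), service, now))
    svc_session, ticket = bytes.fromhex(tgs_rep["session"]), bytes.fromhex(tgs_rep["ticket"])
    # Step 5: the service holds its own long-term key (looked up from the KDC here for brevity).
    return service_accept(kdc.keys[service], ticket, seal(svc_session, {"client": client, "timestamp": now}), now)


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.LOCAL")  # constructed realm and principals
    for name, pw in [("krbtgt", "kdc-master-secret"), ("alice", "correct horse"), ("print/ps01", "service-secret")]:
        kdc.register(name, pw)
    print(kerberos_logon(kdc, "alice", "correct horse", "print/ps01"))
```

Two properties worth noticing when running it: a wrong password fails already in the AS exchange, before any ticket exists, and a TGT presented after its 10-hour lifetime is refused by the TGS, which is why a long-running client has to go back to step 1 rather than to the service.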

The major differences can be seen in the following table:

System admins need to make sure Kerberos is the protocol actually in use by default. In any scenario where NTLM must be enabled, use it with caution and with its risks in mind.
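One way to check that Kerberos really is the norm rather than assuming it: tally the authentication package recorded in successful-logon events (Security log event ID 4624, whose "Authentication Package" and "Package Name (NTLM only)" fields name the protocol that was used) and list every account and workstation that fell back to NTLM. The code below is an added example for this section, not from the book; the event records it reads are constructed here in that field layout, and the account and workstation names are made up.

```python
"""Count Kerberos versus NTLM logons in 4624 events and list NTLM fallback sources.
Added example; SAMPLE_EVENTS is constructed, not a real log export."""
import re
from collections import Counter

# Constructed sample in the field layout of Windows Security event 4624 (one event per line).
SAMPLE_EVENTS = """\
EventID: 4624 | Account Name: alice | Logon Type: 3 | Authentication Package: Kerberos | Package Name (NTLM only): - | Workstation Name: WS01
EventID: 4624 | Account Name: bob | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V2 | Workstation Name: WS02
EventID: 4624 | Account Name: svc_print | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V1 | Workstation Name: OLDAPP01
EventID: 4624 | Account Name: carol | Logon Type: 2 | Authentication Package: Negotiate | Package Name (NTLM only): - | Workstation Name: WS03
EventID: 4634 | Account Name: alice | Logon Type: 3 | Authentication Package: - | Package Name (NTLM only): - | Workstation Name: WS01
"""

# "Key: value" pairs separated by "|"; keys may contain spaces and parentheses but not ":" or "|".
FIELD_RE = re.compile(r"([^|:]+):\s*([^|]*)")


def parse_event(line: str) -> dict:
    """Turn one pipe-separated event line into a field dictionary."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}


def auth_method(event: dict) -> str:
    """Name the protocol used: Kerberos, Negotiate, or the NTLM flavour (LM / NTLM V1 / NTLM V2)."""
    pkg = event.get("Authentication Package", "-")
    if pkg == "NTLM":
        # The sub-field tells the NTLM flavours apart; NTLMv2 is the only one to tolerate as a fallback.
        return event.get("Package Name (NTLM only)", "NTLM")
    # "Negotiate" is reported for some logon types and does not itself say which protocol won.
    return pkg


def summarize_logons(text: str):
    """Return (counts per method, list of (account, workstation, method) that used LM/NTLM)."""
    counts = Counter()
    ntlm_sources = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":  # only successful logons carry the package fields we need
            continue
        method = auth_method(ev)
        counts[method] += 1
        if method.startswith("NTLM") or method == "LM":
            ntlm_sources.append((ev["Account Name"], ev["Workstation Name"], method))
    return counts, ntlm_sources


if __name__ == "__main__":
    counts, sources = summarize_logons(SAMPLE_EVENTS)
    for method, n in counts.most_common():
        print(f"{method:10s} {n}")
    for account, host, method in sources:
        print(f"NTLM fallback: {account} from {host} ({method})")
```

On the constructed sample the tally is one logon each for Kerberos, NTLM V2, NTLM V1 and Negotiate, and the fallback list names the two NTLM sources; the NTLM V1 entry from the old application server is the one an admin would follow up first, since the text's caution about enabling NTLM applies most to the pre-NTLMv2 variants.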