Authentication Protocols
Kerberos and NTLM are the two protocols AD uses to prove your identity. Kerberos is the modern default; NTLM is the legacy fallback. Both are prime attack targets.
When you type your username and password at work, something has to verify those credentials. Active Directory supports two main ways to do this. Kerberos is the default and preferred method. After you log in, the domain controller hands you a ticket, and you present that ticket to obtain access to other services without entering your password again. NTLM is the older method that still exists as a fallback. With NTLM, your computer has to prove your identity every time it connects to a new service by answering a challenge with a value computed from your password hash, and the server has to forward that answer to a domain controller to check it. This is less efficient and, because the hash alone is enough to produce a valid answer, less secure. Attackers target both protocols because breaking authentication lets them pretend to be anyone.
Kerberos works like an amusement park: you show your ID once at the ticket booth (the Key Distribution Center, or KDC) and get a wristband (a Ticket Granting Ticket, or TGT). Then at every ride (service), you flash your wristband at the Ticket Granting Service (TGS) and get a ride-specific ticket (a service ticket). Until the wristband expires, you never have to show your ID again. NTLM is like a park with no wristbands: at every single ride, you have to prove who you are from scratch by answering a challenge question, which is slower and riskier.
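To make the ticket flow concrete, here is a toy model of the Kerberos AS and TGS exchanges, followed by the two attacks this page names: a Golden Ticket minted with the krbtgt key and offline Kerberoasting of a service ticket. This is an added illustration, not code from the original page and not real Kerberos or any real library. The cipher (a SHA-256 keystream with an HMAC tag) and the key derivation (sha256 of the password) are stand-ins for the real AES/RC4 string-to-key functions, and every account name, SPN and password is constructed for the demo.

```python
"""Toy Kerberos: AS/TGS exchanges, a golden TGT, and offline Kerberoasting.
Added illustration only. The cipher is a SHA-256 keystream plus HMAC tag and
keys are sha256(password); real AD uses AES (PBKDF2) or RC4 (NT hash)."""
import hashlib, hmac, json, os, time

def key_from_password(password):
    # Simplification: in AD the key is still a pure function of the password,
    # which is exactly what makes offline cracking of tickets possible.
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under key."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raise ValueError unless blob was produced under exactly this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, krbtgt_password, accounts, spns):
        self.krbtgt_key = key_from_password(krbtgt_password)   # encrypts every TGT
        self.keys = {u: key_from_password(p) for u, p in accounts.items()}
        self.spns = spns                                        # SPN -> owning account

    def as_exchange(self, user, preauth):
        """AS-REQ/AS-REP: pre-auth is a timestamp encrypted under the user's key."""
        decrypt(self.keys[user], preauth)                       # wrong password -> ValueError
        session = os.urandom(16).hex()
        tgt = encrypt(self.krbtgt_key, {"user": user, "session": session, "exp": time.time() + 600})
        return tgt, encrypt(self.keys[user], {"session": session})

    def tgs_exchange(self, tgt, authenticator, spn):
        """TGS-REQ/TGS-REP: the KDC trusts anything that decrypts under krbtgt."""
        body = decrypt(self.krbtgt_key, tgt)
        if body["exp"] < time.time():
            raise ValueError("TGT expired")
        session = bytes.fromhex(body["session"])
        decrypt(session, authenticator)                         # client holds the TGT session key
        svc_session = os.urandom(16).hex()
        ticket = encrypt(self.keys[self.spns[spn]],             # service account's key
                         {"user": body["user"], "spn": spn, "session": svc_session})
        return ticket, encrypt(session, {"session": svc_session})

def client_login(kdc, user, password):
    """Client side of the AS exchange; returns (tgt, tgt_session_key)."""
    ukey = key_from_password(password)
    tgt, enc = kdc.as_exchange(user, encrypt(ukey, {"ts": time.time()}))
    return tgt, bytes.fromhex(decrypt(ukey, enc)["session"])

def request_service_ticket(kdc, tgt, session, spn):
    ticket, _ = kdc.tgs_exchange(tgt, encrypt(session, {"ts": time.time()}), spn)
    return ticket

def service_accepts(ticket, service_password):
    """The service only needs its own key; it never contacts the KDC."""
    return decrypt(key_from_password(service_password), ticket)["user"]

def golden_ticket(krbtgt_password, impersonate):
    """Attacker holding the krbtgt key mints a long-lived TGT for anyone."""
    session = os.urandom(16).hex()
    body = {"user": impersonate, "session": session, "exp": time.time() + 10 * 365 * 86400}
    return encrypt(key_from_password(krbtgt_password), body), bytes.fromhex(session)

def kerberoast(ticket, wordlist):
    """Offline: each guess is a local decrypt; nothing further is sent to AD."""
    for guess in wordlist:
        try:
            decrypt(key_from_password(guess), ticket)
            return guess
        except ValueError:
            continue
    return None

# Constructed demo domain: all names and passwords are made up.
ACCOUNTS = {"alice": "Correct.Horse.Battery.42", "svc_sql": "Summer2019!"}
SPNS = {"MSSQLSvc/db01.corp.local:1433": "svc_sql"}
KRBTGT_PASSWORD = "krbtgt-long-random-secret"   # normally never leaves the DC

def demo():
    kdc, spn = KDC(KRBTGT_PASSWORD, ACCOUNTS, SPNS), "MSSQLSvc/db01.corp.local:1433"
    tgt, sess = client_login(kdc, "alice", ACCOUNTS["alice"])      # one password entry
    legit = service_accepts(request_service_ticket(kdc, tgt, sess, spn), ACCOUNTS["svc_sql"])
    ftgt, fsess = golden_ticket(KRBTGT_PASSWORD, "Administrator")  # no login at all
    forged = service_accepts(request_service_ticket(kdc, ftgt, fsess, spn), ACCOUNTS["svc_sql"])
    cracked = kerberoast(request_service_ticket(kdc, tgt, sess, spn),  # alice's ordinary ticket
                         ["Password1", "Winter2018!", "Summer2019!"])
    return legit, forged, cracked

if __name__ == "__main__":
    print(demo())   # ('alice', 'Administrator', 'Summer2019!')
```

Two things to notice when running it. The KDC has no way to tell the forged TGT from a real one, because the only check it can perform is "does this decrypt under the krbtgt key"; that is why rotating krbtgt (twice, to flush the previous key) is the only remediation after a Golden Ticket. And alice's perfectly legitimate service ticket is enough to recover svc_sql's password, because the ticket is ciphertext under a key derived from that password and the guessing happens entirely on the attacker's machine; only the strength of the service account's password stands in the way.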
Key Takeaways
- Kerberos is the default AD authentication protocol; NTLM is the legacy fallback.
- The krbtgt account's key encrypts every Kerberos TGT. Whoever holds that key can forge a TGT for any user (a Golden Ticket), which amounts to total domain compromise; the fix is to reset krbtgt twice so the old key is fully retired.
- Kerberoasting: any authenticated domain user can request a service ticket for any SPN. The ticket is encrypted with the service account's password-derived key, so it can be cracked offline; weak service-account passwords, especially where RC4 is still allowed, are the real exposure.
- NTLM is vulnerable to relay attacks (the challenge-response can be forwarded to another server) and pass-the-hash (the NT hash alone is enough to authenticate, no plaintext password needed).
- Disabling NTLM where possible, after auditing which clients still depend on it, significantly reduces attack surface.
Authentication is the front door to every resource on the network. The majority of Active Directory attacks -- Golden Ticket, Kerberoasting, Pass-the-Hash -- exploit weaknesses in these two protocols.