Mimikatz Missing Manual

Appearance

Chapter 24: Kerberos Overview

Introduction

If you’re working in a Windows environment, Kerberos is the air you breathe. It’s the primary authentication protocol for Active Directory, and it’s what replaced the old NTLM protocol for almost everything. Named after the three-headed dog from Greek mythology that guards the underworld, Kerberos provides mutual authentication between clients and servers through a trusted third party—the Key Distribution Center (KDC)—ensuring that both parties can verify each other's identity before exchanging sensitive data.

I’ve always found Kerberos to be one of the most elegant, yet complex, parts of Windows security. Instead of sending passwords across the wire, it uses a system of digital "tickets." You prove who you are once to get a master ticket, and then you use that ticket to request access to specific services. It’s a great system for Single Sign-On (SSO), but as we’ll see throughout this section of the book, it’s only as secure as the cryptographic keys that protect those tickets.

The security of Kerberos depends on several critical assumptions:

  • The KDC (domain controller) is trusted and secure
  • Cryptographic keys (derived from passwords) remain confidential
  • Client systems are not compromised
  • Network time synchronization is maintained (typically ±5 minutes)
  • The network infrastructure cannot be fully trusted (Kerberos encrypts authentication data)

When any of these assumptions fail, sophisticated attacks become possible. Mimikatz exploits these failure scenarios through techniques like Golden Ticket (forging TGTs when krbtgt hash is compromised), Silver Ticket (forging TGS when service account hashes are compromised), Pass-The-Ticket (reusing stolen tickets), and Kerberoasting (cracking service account passwords from TGS tickets).

This chapter provides a comprehensive foundation in Kerberos protocol mechanics, Microsoft's implementation details, ticket structures, pre-authentication mechanisms, and the cryptographic primitives that underpin both the protocol's security and its vulnerabilities. Understanding these fundamentals is essential for both offensive operations using Mimikatz and defensive monitoring to detect Kerberos-based attacks.

Kerberos Protocol Fundamentals

What is Kerberos?

Kerberos is an authentication protocol designed for trusted hosts operating on untrusted networks. It enables mutual authentication between clients and services through a centralized authentication server (the Key Distribution Center), ensuring that:

  1. Clients can verify they're connecting to legitimate services (server authentication)
  2. Services can verify the identity of connecting clients (client authentication)
  3. Credentials are not transmitted in plaintext (encryption)
  4. Authentication decisions can be made without constant access to the KDC (ticket caching)

Key Principle: We do not authenticate to computers—we authenticate to SERVICES running on computers. Kerberos authenticates us for a specific service, identified by a Service Principal Name (SPN) such as HTTP/webserver.corp.local or CIFS/fileserver.corp.local.

Important Limitation: Kerberos provides no guarantees if the client computers or servers are compromised. An attacker with administrative access to a client can extract tickets from memory, modify authentication processes, or forge tickets if they obtain the necessary cryptographic keys. This is the foundation for most Mimikatz Kerberos attacks.

Protocol Data Structures

Kerberos uses ASN.1 (Abstract Syntax Notation One) data structures encoded with DER (Distinguished Encoding Rules). This standardized binary format ensures interoperability between different Kerberos implementations but also creates parsing complexity that can introduce vulnerabilities.

Common ASN.1 Structures in Kerberos:

  • KRB-AS-REQ: Authentication Service Request (request for TGT)
  • KRB-AS-REP: Authentication Service Reply (TGT delivery)
  • KRB-TGS-REQ: Ticket Granting Service Request (request for service ticket)
  • KRB-TGS-REP: Ticket Granting Service Reply (service ticket delivery)
  • KRB-AP-REQ: Application Request (present service ticket to application server)
  • KRB-AP-REP: Application Reply (optional mutual authentication response)
  • KRB-ERROR: Error message with status codes

Each message contains multiple nested structures encoding timestamps, principal names, encryption types, flags, and encrypted ticket data.

Kerberos Versions and Windows Implementation

Kerberos v4 (Historical):

  • Developed in the 1980s at MIT
  • Did not require pre-authentication
  • Clients could request TGTs without proving knowledge of password
  • Vulnerable to offline password guessing attacks
  • No longer supported by Windows

Kerberos v5 (Current):

  • Defined in RFC 4120 (2005), updates RFC 1510 (1993)
  • Requires pre-authentication by default (configurable per-account)
  • Supports multiple encryption algorithms
  • Extensible for custom authentication data
  • Windows implementation since Windows 2000

Microsoft Extensions:

  • PAC (Privilege Attribute Certificate): Contains user's SID, group memberships, privileges
  • S4U Extensions: Service for User (constrained delegation, protocol transition)
  • FAST (Flexible Authentication Secure Tunneling): Protected channel for pre-authentication
  • Claims and Compound Authentication: Dynamic Access Control integration
  • PKINIT: Public key initial authentication using certificates

These extensions enable advanced features but also introduce attack surfaces that Mimikatz exploits.

Pre-Authentication

Purpose and Security Rationale

Pre-authentication prevents attackers from obtaining encrypted TGT data that they could attempt to crack offline to recover user passwords. Without pre-authentication, an attacker can:

  1. Send AS-REQ for any username
  2. Receive AS-REP containing TGT encrypted with user's password hash
  3. Attempt offline brute-force/dictionary attacks against encrypted TGT to recover password

With pre-authentication enabled (the default), the client must prove knowledge of the password before the KDC issues a TGT.

Pre-Authentication Process

Step 1: Initial AS-REQ (No Pre-Auth)

Windows clients typically send an initial AS-REQ without pre-authentication data:

Client → KDC: AS-REQ
  - cname (Client Name): alice@CORP.LOCAL
  - sname (Service Name): krbtgt/CORP.LOCAL
  - etype (Encryption Types): AES256, AES128, RC4
  - till (Valid Until): 2024-12-01 00:00:00
  - nonce: Random 32-bit value
  - No padata (pre-authentication data)

Step 2: KDC Rejects with KRB5KDC_ERR_PREAUTH_REQUIRED

The KDC checks the user account's userAccountControl attribute for DONT_REQUIRE_PREAUTH flag (0x400000). If not set (default), KDC responds:

KDC → Client: KRB-ERROR
  - error-code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
  - e-data:

    - padata-type: PA-ETYPE-INFO2
    - salt: CORP.LOCALalice
    - etype: AES256-CTS-HMAC-SHA1-96

This response tells the client:

  • Pre-authentication is required
  • The salt value for key derivation
  • Supported encryption types

Step 3: Pre-Authenticated AS-REQ

Client now sends AS-REQ with encrypted timestamp:

Client → KDC: AS-REQ
  - cname: alice@CORP.LOCAL
  - sname: krbtgt/CORP.LOCAL
  - etype: AES256, AES128, RC4
  - padata:

    - padata-type: PA-ENC-TIMESTAMP (2)
    - padata-value: Encrypted(Timestamp, User_Password_Hash)

Timestamp Encryption:

Salt = "CORP.LOCALalice"
Key = PBKDF2-HMAC-SHA1(Password, Salt, 4096 iterations, 32 bytes)  # For AES256
Encrypted_Timestamp = AES256-CTS-HMAC-SHA1-96-Encrypt(Current_Timestamp, Key)

Step 4: KDC Validates Pre-Authentication

The KDC:

  1. Retrieves user's password hash from Active Directory (NTDS.dit)
  2. Derives the same encryption key using stored hash and salt
  3. Attempts to decrypt the timestamp in padata
  4. Verifies timestamp is within acceptable time skew (default ±5 minutes)
  5. If valid, proceeds to issue TGT

AS-REP (TGT Response)

If pre-authentication succeeds, KDC responds with AS-REP:

KDC → Client: AS-REP
  - cname: alice@CORP.LOCAL
  - ticket: [Encrypted TGT - see structure below]
  - enc-part: Encrypted with user's key
    - key: Session key for TGT
    - nonce: Matches AS-REQ nonce
    - authtime: Authentication timestamp
    - starttime: When ticket becomes valid
    - endtime: When ticket expires (default 10 hours)
    - renew-till: Maximum renewal time (default 7 days)

The client decrypts enc-part using the user's password-derived key, extracts the session key, and can now use the TGT to request service tickets.

ASREPRoasting Attack

Accounts with DONT_REQUIRE_PREAUTH flag set are vulnerable to ASREPRoasting:

  1. Attacker sends AS-REQ for account without pre-auth
  2. KDC immediately returns AS-REP with TGT encrypted with user's password hash
  3. Attacker extracts encrypted TGT and performs offline password cracking

Identifying Vulnerable Accounts:

powershell
Get-ADUser -Filter {DoNotRequirePreAuth -eq $True} -Properties DoNotRequirePreAuth

Mimikatz (can request AS-REP without pre-auth):

# Using Kekeo (part of Mimikatz suite)
kekeo # tgt::ask /user:vulnerable_user /domain:corp.local /NTLM

Defense: Remove DONT_REQUIRE_PREAUTH flag from all accounts unless absolutely necessary for specific legacy applications.

Ticket Granting Ticket (TGT) Request Flow

AS-REQ: Authentication Service Request

The AS-REQ message requests a TGT from the KDC. Key fields:

Message Type: KRB_AS_REQ (10)

Principal Names:

  • cname (Client Name): User's principal name (e.g., alice@CORP.LOCAL)
  • sname (Service Name): krbtgt/DOMAIN (e.g., krbtgt/CORP.LOCAL)

The krbtgt service is special—it represents the KDC's Ticket Granting Service and is the only service that can decrypt and validate TGTs.

Encryption Types:

  • 18 (AES256-CTS-HMAC-SHA1-96) - Default in Windows Server 2008+
  • 17 (AES128-CTS-HMAC-SHA1-96)
  • 23 (RC4-HMAC) - Legacy, still widely supported

The client lists encryption types in order of preference. The KDC selects the strongest mutually supported type.

Time Fields:

  • from: Optional start time (usually not set)
  • till: Requested expiration (e.g., 10 hours from now)
  • rtime: Requested renewal time (e.g., 7 days from now)
  • nonce: Random 32-bit value to prevent replay attacks

Flags (kdcoptions):

  • forwardable (0x40000000): Ticket can be forwarded to other services
  • proxiable (0x08000000): Ticket can be proxied
  • renewable (0x00800000): Ticket can be renewed before expiration
  • canonicalize (0x00010000): Request principal name canonicalization

Pre-Authentication Data (padata):

  • padata-type: PA-ENC-TIMESTAMP (2)
  • padata-value: EncryptedData
  • etype: Encryption type used
  • kvno: Key version number (optional)
  • cipher: Encrypted timestamp

AS-REP: Authentication Service Reply

The KDC responds with AS-REP containing the TGT. Key fields:

Message Type: KRB_AS_REP (11)

Ticket Structure (Encrypted with krbtgt hash):

  • tkt-vno: 5 (Kerberos version 5)
  • realm: CORP.LOCAL
  • sname: krbtgt/CORP.LOCAL
  • enc-part: EncryptedData (encrypted with krbtgt key)
  • flags: Ticket flags
  • key: Session key (random AES/RC4 key)
  • crealm: Client's realm
  • cname: Client's name
  • transited: Transited policy data
  • authtime: Initial authentication time
  • starttime: When ticket becomes valid
  • endtime: When ticket expires
  • renew-till: Maximum renewal time
  • caddr: Client addresses (usually empty in Windows)
  • authorization-data: Contains PAC

Encrypted Part (Encrypted with user's password hash):

  • key: Session key (same as in ticket)
  • last-req: Last request times
  • nonce: Matches AS-REQ nonce
  • key-expiration: When password expires
  • flags: Same as ticket flags
  • authtime: Authentication timestamp
  • starttime: Ticket valid-from time
  • endtime: Ticket expiration
  • renew-till: Renewal deadline
  • srealm: KDC's realm
  • sname: krbtgt/CORP.LOCAL

Critical Security Point: The ticket itself is encrypted with the krbtgt account's password hash. Only domain controllers can decrypt TGTs. This is why compromising the krbtgt hash enables Golden Ticket attacks—an attacker can forge entirely custom TGTs that domain controllers will trust.

TGT Validation by KDC

When a client presents a TGT to request a service ticket (TGS-REQ), the KDC:

  1. Decrypts TGT using krbtgt password hash
  2. Validates ticket expiration (authtime, starttime, endtime)
  3. Verifies PAC signature using domain controller's key
  4. Checks PAC checksum using KDC key
  5. Confirms client identity matches cname in ticket
  6. Validates flags (renewable, forwardable, etc.)

If validation succeeds, the KDC issues a TGS ticket for the requested service.

Ticket Granting Service (TGS) Request Flow

TGS-REQ: Request for Service Ticket

Once a client has a TGT, they request service tickets (TGS) for specific resources.

Message Type: KRB_TGS_REQ (12)

Key Components:

Authenticator (Encrypted with TGT session key):

  • authenticator-vno: 5
  • crealm: CORP.LOCAL
  • cname: alice@CORP.LOCAL
  • cksum: Checksum of request
  • cusec: Microseconds of timestamp
  • ctime: Current timestamp
  • subkey: Optional session subkey
  • seq-number: Sequence number for ordering

Service Request:

  • sname (Service Principal Name): Examples:

  • CIFS/fileserver.corp.local (File share access)

  • HTTP/webserver.corp.local (Web authentication)

  • LDAP/dc01.corp.local (LDAP queries)

  • MSSQLSvc/sqlserver.corp.local:1433 (SQL Server)

Included Ticket:

ticket: The TGT from AS-REP (encrypted with krbtgt hash)

Additional Ticket (for S4U/Constrained Delegation):

additional-tickets: Optional, used for constrained delegation scenarios

Flags:

  • forwardable: Request forwardable TGS
  • forwarded: This is a forwarded ticket request
  • renewable: Request renewable TGS
  • canonicalize: Canonicalize service name

TGS-REP: Service Ticket Reply

The KDC responds with a service ticket (TGS) encrypted with the target service's password hash.

Message Type: KRB_TGS_REP (13)

Service Ticket Structure (Encrypted with service account hash):

  • tkt-vno: 5
  • realm: CORP.LOCAL
  • sname: CIFS/fileserver.corp.local
  • enc-part: EncryptedData (encrypted with service account's key)
  • flags: Ticket flags
  • key: Service session key
  • crealm: CORP.LOCAL
  • cname: alice@CORP.LOCAL
  • transited: Transited policy
  • authtime: Original authentication time (from TGT)
  • starttime: Ticket valid-from
  • endtime: Ticket expiration
  • renew-till: Renewal deadline
  • caddr: Client addresses
  • authorization-data: PAC with user's group memberships

Encrypted Part for Client (Encrypted with TGT session key):

  • key: Service session key (client uses for AP-REQ)
  • last-req: Last request times
  • nonce: Matches TGS-REQ nonce
  • flags: Ticket flags
  • authtime: Original auth time
  • starttime: Valid-from time
  • endtime: Expiration time
  • renew-till: Renewal deadline
  • srealm: CORP.LOCAL
  • sname: CIFS/fileserver.corp.local

Critical Security Point: The service ticket is encrypted with the target service's password hash. If an attacker obtains this hash (from LSASS memory, DCSync, or Kerberoasting), they can:

  1. Decrypt service tickets to extract PAC data
  2. Forge Silver Tickets that impersonate any user to that specific service
  3. Crack the password hash offline (Kerberoasting)

Application Request (AP-REQ) and Service Authentication

AP-REQ: Presenting the Service Ticket

When the client connects to the actual service, they present the TGS ticket.

Message Type: KRB_AP_REQ (14)

Structure:

  • pvno: 5 (Protocol version)
  • msg-type: KRB_AP_REQ (14)
  • ap-options: Flags (mutual-required, use-session-key)
  • ticket: Service ticket from TGS-REP
  • authenticator: EncryptedData (encrypted with service session key)
  • authenticator-vno: 5
  • crealm: CORP.LOCAL
  • cname: alice@CORP.LOCAL
  • cksum: Checksum of request
  • cusec: Microseconds of timestamp
  • ctime: Timestamp
  • subkey: Optional subkey for encryption
  • seq-number: Sequence number

The service:

  1. Decrypts the ticket using its own password hash (from LSASS memory)
  2. Extracts the service session key from the decrypted ticket
  3. Decrypts the authenticator using the service session key
  4. Validates the timestamp in authenticator (within time skew)
  5. Extracts the PAC from authorization-data in ticket
  6. Makes authorization decision based on PAC group memberships

Critical Point: Unless PAC validation is explicitly required by the service (rare), the service accepts all data in the TGS ticket without contacting the domain controller. This is why Silver Ticket attacks work—a forged TGS with valid encryption will be trusted by the service.

AP-REP: Optional Mutual Authentication

If mutual-required flag is set in AP-REQ, the service responds:

Message Type: KRB_AP_REP (15)

AP-REP Structure:

  • pvno: 5
  • msg-type: KRB_AP_REP (15)
  • enc-part: EncryptedData (encrypted with service session key)
  • ctime: Client timestamp from authenticator
  • cusec: Client microseconds from authenticator
  • subkey: Optional subkey
  • seq-number: Sequence number

PAC (Privilege Attribute Certificate)

The PAC is a Microsoft extension containing authorization data:

PAC Structure:

  • PAC_LOGON_INFO: User SID, group SIDs, privileges
  • PAC_CREDENTIAL_INFO: Encrypted credentials (optional)
  • PAC_SERVER_CHECKSUM: Signature using service key
  • PAC_PRIVSVR_CHECKSUM: Signature using KDC key
  • PAC_CLIENT_INFO: Client name and authentication time
  • PAC_DELEGATION_INFO: Constrained delegation info
  • PAC_UPN_DNS_INFO: UPN and DNS domain name

PAC Validation:

When a service receives a TGS:

  1. Service can request PAC validation from KDC (rare)
  2. KDC verifies PAC_PRIVSVR_CHECKSUM using its key
  3. KDC confirms PAC integrity and authenticity
  4. Service trusts the authorization data

Most services skip PAC validation for performance, trusting the PAC_SERVER_CHECKSUM signed by the KDC. This is exploitable in Silver Ticket attacks.

PAC Modification Detection:

Event ID 4769: Kerberos Service Ticket Request
  - If PAC validation fails: Event ID 4771 (Kerberos pre-auth failed)
  - Failure Code: 0x1F (Integrity check failed)

Monitoring for PAC validation failures can detect forged Silver Tickets.

Kerberos Encryption Types

Supported Encryption Algorithms

Windows supports these encryption types (etypes):

EtypeAlgorithmKey SizeStatusNotes
1DES-CBC-CRC56-bitDeprecatedDisabled by default since Server 2008 R2
3DES-CBC-MD556-bitDeprecatedDisabled by default
17AES128-CTS-HMAC-SHA1-96128-bitStrongSupported since Server 2008
18AES256-CTS-HMAC-SHA1-96256-bitStrongDefault since Server 2008
19AES128-CTS-HMAC-SHA256-128128-bitStrongestSupported in Server 2022 / Win 11
20AES256-CTS-HMAC-SHA384-192256-bitStrongestSupported in Server 2022 / Win 11
23RC4-HMAC (ARCFOUR-HMAC-MD5)128-bitLegacyUses NT hash directly as key
24RC4-HMAC-EXP40-bitExportWeak export-grade encryption

Default Encryption Type Negotiation:

Windows clients request in order:

  1. AES256-CTS-HMAC-SHA1-96 (etype 18)
  2. AES128-CTS-HMAC-SHA1-96 (etype 17)
  3. RC4-HMAC (etype 23)

The KDC selects the strongest mutually supported type based on account's msDS-SupportedEncryptionTypes attribute.

AES Key Derivation

For AES encryption types, keys are derived using PBKDF2:

Salt = DomainName_Uppercase + Username
Example: "CORP.LOCALalice"

AES256 Key = PBKDF2-HMAC-SHA1(
    password = UTF-8(Password),
    salt = UTF-8(Salt),
    iterations = 4096,
    key_length = 32 bytes
)

AES128 Key = PBKDF2-HMAC-SHA1(
    password = UTF-8(Password),
    salt = UTF-8(Salt),
    iterations = 4096,
    key_length = 16 bytes
)

Security Implications:

  • Each user has unique AES keys (salt includes username)
  • 4096 iterations provide computational work factor against brute-force
  • Keys cannot be reused across accounts even with same password

RC4 Key Derivation (Legacy)

For RC4-HMAC (etype 23):

RC4 Key = NT Hash = MD4(UTF-16LE(Password))

Security Implications:

  • NT hash is used directly as RC4 key
  • No salt (same password = same key across accounts)
  • No key stretching (single MD4 hash)
  • Vulnerable to Pass-The-Hash attacks
  • Enables Skeleton Key attacks (Chapter 22)

Disabling RC4:

Group Policy:
Computer Configuration → Policies → Windows Settings → Security Settings
→ Local Policies → Security Options
→ Network security: Configure encryption types allowed for Kerberos
→ Uncheck RC4_HMAC_MD5

Or via registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
SupportedEncryptionTypes = 0x18 (DWORD)
# 0x18 = AES128 (0x08) + AES256 (0x10)

Downgrade Attacks

Skeleton Key Attack Dependency: Exploits RC4 by patching LSASS to accept universal password for RC4 authentication (Chapter 22).

AS-REP Roasting: Forces downgrade to RC4 in AS-REP, making password cracking easier than AES.

Defense:

  • Disable RC4 entirely
  • Monitor Event ID 4769 for unexpected RC4 usage
  • Alert on encryption downgrade attempts

Kerberos Delegation

Delegation Overview

Delegation allows services to impersonate users when accessing other services. Three types:

1. Unconstrained Delegation:

  • Service receives user's TGT in addition to TGS
  • Service can request tickets to any resource as the user
  • Extremely dangerous if service is compromised
  • Used by default for services running as SYSTEM/LocalService
  • Exploitable to capture admin TGTs (printer bug, etc.)

2. Constrained Delegation:

  • Service can only request tickets to specific services
  • Configured via msDS-AllowedToDelegateTo attribute
  • Protocol transition allows service to impersonate without user's TGT
  • Still dangerous if misconfigured

3. Resource-Based Constrained Delegation (RBCD):

  • Resource controls who can delegate to it
  • Configured via msDS-AllowedToActOnBehalfOfOtherIdentity attribute
  • Introduced in Server 2012
  • Can be abused if attacker controls computer object

Unconstrained Delegation Attack

When a user accesses a service with unconstrained delegation:

  1. KDC includes user's TGT in service ticket's authorization-data
  2. Service extracts and caches user's TGT
  3. Attacker with admin on service can steal cached TGTs

Mimikatz Exploitation:

mimikatz # sekurlsa::tickets /export
# If domain admin accessed the server, their TGT is now compromised

Defense:

  • Never use unconstrained delegation for user-accessible services
  • Use constrained delegation instead
  • Monitor for sensitive accounts accessing unconstrained delegation servers
  • Protected Users group prevents TGT forwarding

Summary

Kerberos provides the authentication foundation for Active Directory environments through a sophisticated ticket-based system that eliminates the need to transmit passwords across the network. By leveraging a trusted Key Distribution Center, mutual authentication mechanisms, and cryptographic tickets, Kerberos enables single sign-on while maintaining security in distributed environments.

Key Technical Points:

  1. Pre-Authentication: Prevents offline password guessing by requiring clients to prove password knowledge before receiving TGTs, though accounts with DONT_REQUIRE_PREAUTH flag remain vulnerable to ASREPRoasting attacks.

  2. Ticket Structure: TGTs are encrypted with krbtgt hash (enabling Golden Tickets), while service tickets are encrypted with service account hashes (enabling Silver Tickets and Kerberoasting).

  3. Encryption Types: Modern AES encryption (with salt and key stretching) provides stronger security than legacy RC4-HMAC, which uses NT hashes directly and enables Pass-The-Hash and Skeleton Key attacks.

  4. PAC (Privilege Attribute Certificate): Microsoft's extension containing authorization data; rarely validated by services, making Silver Ticket attacks viable.

  5. Delegation Mechanisms: Allow service impersonation but introduce attack vectors when misconfigured, particularly unconstrained delegation which forwards users' TGTs.

  6. Time Sensitivity: All tickets have strict time validity windows, and KDC validation requires synchronized clocks (±5 minutes), though forged tickets can specify arbitrary times.

Operational Considerations:

For offensive practitioners, understanding Kerberos enables:

  • Golden Ticket attacks (when krbtgt hash is compromised)
  • Silver Ticket attacks (when service account hashes are compromised)
  • Pass-The-Ticket (reusing stolen tickets from memory)
  • Kerberoasting (cracking service account passwords from TGS tickets)
  • Over-Pass-The-Hash (using NT hashes to request TGTs)
  • ASREPRoasting (attacking accounts without pre-auth)
  • Delegation abuse (extracting TGTs from unconstrained delegation servers)

For defensive teams, protection requires:

  • Disabling RC4 encryption to eliminate legacy weaknesses
  • Removing DONT_REQUIRE_PREAUTH flags from all accounts
  • Enforcing strong passwords for service accounts (or using gMSA/MSA)
  • Eliminating unconstrained delegation
  • Monitoring Event IDs 4768 (TGT request), 4769 (TGS request), 4771 (pre-auth failed)
  • Detecting encryption downgrade attempts
  • Alerting on PAC validation failures
  • Implementing Protected Users group for high-privilege accounts

Strategic Importance:

Kerberos demonstrates the complexity of implementing secure authentication protocols at enterprise scale. While the protocol itself is well-designed, implementation details (PAC validation frequency, RC4 legacy support, delegation configurations) create attack opportunities. Organizations must understand both the protocol mechanics and Microsoft's specific implementation to properly secure Active Directory.

The reliance on shared secrets (password hashes) for ticket encryption means that credential compromise—whether through memory extraction, network capture, or offline cracking—undermines the entire trust model. This makes credential protection and detection of credential theft the most critical components of Kerberos security.

In the broader context of Active Directory security, Kerberos represents the authentication layer upon which authorization decisions are made. Understanding ticket structures, encryption mechanisms, and delegation models is essential for both exploiting weaknesses (with tools like Mimikatz) and defending against sophisticated adversaries who leverage Kerberos' complexity to maintain persistent, stealthy access to enterprise networks.

Previous Chapter: Chapter 23: Pass-The-Hash

Next Chapter: Chapter 25: Kerberos Tickets

Related Chapters: