Don't count on Kerberos to thwart pass-the-hash attacks

The Kerberos authentication protocol has plenty of benefits but offers little defense against pass-the-hash attacks

Current Job Listings

Several readers responded to my previous post on pass-the-hash attacks, asking if Kerberos authentication versus LANManager, NTLM, or NTLMv2 was an effective defense. It's a good question, one that I considered as I was writing last week's post. Reader Christopher Hallenbeck made some especially good arguments for it, and I've reconsidered my original stance on discussing the subject.

Invented at MIT, Kerberos is an open authentication protocol used on a variety of computer systems. Kerberos systems pass cryptographic key-protected authentication "tickets" between participating services. The password hashes are neither sent nor stored, so they can't be captured and reused as easily.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Kerberos is the default authentication protocol implemented in Windows 2000. More recent operating systems use Kerberos to connect to Windows 2000 and to later network Kerberos-protected resources and services. In most of today's Windows networks, Kerberos authentication is widespread. Kerberos has the potential to reduce pass-the-hash risk, but not nearly as much as one would initially think.

Security iGuide

For one, pass-the-hash attacks only work against interactive -- right at the computer -- logons. In Windows, password hashes are not sent or stored on the remote server or hosting process in Windows over network connections (with the notable exception of RDP connections), whether using NTLM/NTLMv2 or Kerberos. The attacker can only capture password hashes that are stored on the local computer in the SAM or Active Directory database or from users logged on interactively. The idea that the attacker will gain elevated access to a server computer and capture the passwords of every user connected over the network isn't realistic. In most cases, Kerberos doesn't offer a lot of protection over NTLM/NTLMv2.

Second, when a user logs on interactively to a computer that uses Kerberos, his or her NT password hash is stored in the computer's memory and is available to be stolen. This is because all Windows computers must support at least one other authentication protocol, such as LanManager, NTLM, or NTLMv2. Prior to Windows Server 2008, the NT hash was used in what is called the pre-auth part of Kerberos, although AES is utilized in W2K8 and later OS versions.

1 2 3 Page 1
Page 1 of 3
$500 for your thoughts? Take our 2019 Security Priorities survey today!