Explain NTLM vs. Kerberos vs. LDAP

  • NTLM (NT LAN Manager): A challenge-response authentication protocol used primarily in Windows environments. It is the legacy option: it offers no mutual authentication, its responses can be relayed to other hosts or cracked offline, and it remains on by default as the fallback whenever Kerberos cannot be used, which is why it is still so widely supported.
  • Kerberos: A ticket-based authentication protocol built on symmetric-key cryptography. A trusted third party, the Key Distribution Center (KDC), issues tickets so that passwords never cross the network; it provides mutual authentication (the service proves itself to the client as well) and single sign-on.
  • LDAP (Lightweight Directory Access Protocol): A protocol for querying and modifying directory services such as Active Directory. It is not an authentication protocol in its own right: a client authenticates its LDAP session (the "bind") either with a simple bind (username and password, which must be protected by TLS) or with SASL, where the GSSAPI mechanism carries a Kerberos ticket.

What does NTLM stand for?

NTLM stands for NT LAN Manager. It is a suite of Microsoft security protocols that were originally designed to provide authentication, integrity, and confidentiality to users in a network.

What is NTLM?

NTLM is a protocol used primarily in Microsoft Active Directory environments to authenticate users and other entities in a network environment. It uses a challenge-response mechanism: the password itself is never sent over the network, and neither is the password hash. The client sends a response computed from the hash of the password and a challenge chosen by the server, and the server (or, for domain accounts, the domain controller) recomputes that response from the hash it has stored.

How does NTLM authentication work?

The NTLM authentication process works as follows:

  • Negotiation: A client sends a negotiation message to the server.
  • Challenge: The server responds with a challenge to the client.
  • Authentication: The client replies with an authentication message, which includes a response to the challenge based on a hash of the user’s password.
  • Verification: The server recomputes the response from the stored hash and compares it. A member server cannot do this itself for a domain account, because it does not hold the user's hash: it forwards the challenge and response to a domain controller over the Netlogon secure channel, and the domain controller returns the verdict (and, on success, the session key).

What is NTLM hash?

An NTLM hash (NT hash) is a cryptographic representation of a user's password: MD4 over the UTF-16LE encoding of the password, with no salt, so two users with the same password have the same hash. It is stored in the SAM (local accounts) or NTDS.dit (domain accounts) and is the only secret the NTLM protocol needs to compute a response, so anyone holding the hash can authenticate without ever knowing the password (pass-the-hash).


How to crack NTLM hash?

Cracking an NTLM hash involves:

  • Obtaining the material. This is one of two different things: the NT hash itself, dumped from a compromised system (SAM, LSASS memory, NTDS.dit), or a challenge-response pair captured on the network or coerced from a client (often called a "Net-NTLMv2 hash"). The second cannot be used for pass-the-hash, but it can be cracked because the response is a deterministic function of the NT hash and the captured challenge.
  • Using password-cracking tools like John the Ripper or Hashcat (Hashcat mode 1000 for raw NT hashes, 5500 for NTLMv1 and 5600 for NTLMv2 challenge-response pairs).
  • Employing brute force or dictionary and rule-based attacks to find the plaintext that reproduces the hash or response. Rainbow tables apply to the unsalted NT hash and to NTLMv1 when the attacker controlled the challenge (NTLMv1 can even be reduced to the NT hash itself without recovering the password); they do not apply to NTLMv2, whose response also includes a client nonce and timestamp.

How to check NTLM version?

Enable logon auditing, then read the authentication details of Event ID 4624, which is written on the machine that accepted the logon (the file server, not the domain controller, for a share access). For domain accounts a domain controller records NTLM validations as Event ID 4776 and Kerberos as 4768/4769 instead. Below are the detailed steps.


  1. Enable Security Auditing:
    • On the domain controller, open the Group Policy Management Editor.
    • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff.
    • Enable Audit Logon.
    • Ensure Success and Failure auditing is turned on.
  2. Check the Event Viewer:
    • After enabling auditing, perform a network logon or wait for a user to log in.
    • Open the Event Viewer and navigate to Windows Logs -> Security.
    • Look for Event ID 4624, which logs successful logons.
    • Within the event details, check the Authentication Package field; it shows NTLM, Kerberos or Negotiate. In the Detailed Authentication Information section the Package Name (NTLM only) field shows "NTLM V1" or "NTLM V2" (or "LM") when NTLM was used and "-" otherwise, and Key Length shows the session key size. A domain-wide alternative is the policy "Network security: Restrict NTLM: Audit NTLM authentication in this domain" (with "Audit Incoming NTLM Traffic" on servers), which writes each NTLM authentication to the Applications and Services Logs -> Microsoft -> Windows -> NTLM -> Operational log.

How to check if NTLM authentication is enabled?

To determine if NTLM authentication is enabled on a Windows server:

  • Access the Local Security Policy (secpol.msc).
  • Navigate to Local Policies -> Security Options.
  • Check "Network security: LAN Manager authentication level" (which LM/NTLM variants this host sends and accepts; registry value LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the "Network security: Restrict NTLM" family: Incoming NTLM traffic, Outgoing NTLM traffic to remote servers, NTLM authentication in this domain, and their Audit variants (registry values RestrictReceivingNTLMTraffic and RestrictSendingNTLMTraffic under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0). If none of the Restrict NTLM policies is set to deny, NTLM is enabled: Windows leaves it on by default.

Is NTLM authentication secure?

NTLM is considered less secure than Kerberos. It is vulnerable to relay attacks (a captured challenge-response can be forwarded to another server while it is in progress, unless that server enforces signing or channel binding), to offline cracking of captured responses and of dumped hashes, and to pass-the-hash, because the unsalted NT hash is all that is needed to authenticate. NTLMv2 fixed the worst weaknesses of LM and NTLMv1 (it uses HMAC-MD5 and adds a client nonce and timestamp), but it still has no mutual authentication, so the client never learns whether it is talking to the real server, and it still depends on the NT hash as the long-term secret.


How to disable NTLM authentication in Windows domain? 

Disabling NTLM domain-wide is done with the policy "Network security: Restrict NTLM: NTLM authentication in this domain", applied to domain controllers; "Restrict NTLM: Incoming NTLM traffic" and "Restrict NTLM: Outgoing NTLM traffic to remote servers" do the same per host. Do not jump straight to deny: first set the corresponding Audit policies, collect the NTLM Operational log for a few weeks, fix the sources (printers, appliances, applications connecting by IP address, missing SPNs), and use the "Add server exceptions" / "Add remote server exceptions" lists for what cannot be fixed yet.

Follow these steps to find and configure the required policy:

  • Open the Group Policy Management Editor on a GPO linked to the Domain Controllers OU.
  • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  • Set "Network security: Restrict NTLM: NTLM authentication in this domain" to "Deny all" (or "Deny for domain accounts" / "Deny for domain servers" if that is all the environment can take), and set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" everywhere so that, wherever NTLM remains, only NTLMv2 is accepted.

What is the Kerberos protocol?

The Kerberos protocol is a secure method for authenticating service requests between trusted hosts over an untrusted network. It uses symmetric key cryptography and a ticket-based system to authenticate users, ensuring user credentials are not transmitted over the network.

What does Kerberos mean?

The name "Kerberos" is the Greek form of Cerberus, the three-headed dog of Greek mythology that guards the gates of the Underworld. The protocol's designers at MIT chose it for the three parties involved in every authentication: the client, the KDC and the service.

What is Kerberos authentication?

Kerberos authentication is a secure process that uses tickets issued by a trusted Key Distribution Center (KDC). These tickets verify the user’s identity to various network services without sending passwords over the network, providing a secure and efficient authentication mechanism.

How does Kerberos work?

Kerberos operates through a series of steps:

  • Authentication Service Exchange (AS-REQ/AS-REP): The user requests a ticket-granting ticket (TGT) from the Key Distribution Center (KDC), which in a Windows domain runs on every domain controller. The request carries pre-authentication (a timestamp encrypted with the user's key); the reply carries the TGT, encrypted with the krbtgt account's key so the client cannot read it, and a session key encrypted with the user's key.
  • Ticket Granting Service Exchange: The user uses the TGT to request service tickets for specific services from the KDC.
  • Client/Server Authentication Exchange: The service ticket is presented to the service provider to gain access.

When using Kerberos, what is the purpose of a ticket?

In Kerberos, a ticket is a credential that proves a client's identity to one party for a limited lifetime. It is encrypted with the recipient's long-term key, so the client carries it but cannot read or alter it, and it contains a session key that the client does hold. The TGT proves the client's identity to the KDC and is used to request service tickets; a service ticket proves the client's identity to one service (identified by its SPN) and is presented directly to that service, which needs no further contact with the KDC.

How does Kerberos authentication work in Active Directory?

In Active Directory, Kerberos authentication involves:

  • A user logs on to a client machine; the Kerberos client derives the user's long-term key from the password (AES keys with a domain salt, or the NT hash itself for the older RC4-HMAC etype) and requests a TGT from the KDC with that key used for pre-authentication.
  • The KDC, which runs on every domain controller, verifies the pre-authentication and issues a TGT encrypted with the krbtgt account's key, together with a session key encrypted with the user's key. A Windows TGT also carries the PAC, the user's SID and group memberships, which services use for authorisation.
  • The user then presents the TGT to the KDC to obtain service tickets, one per SPN (for example cifs/fileserver.corp.example for a share), and presents each service ticket to the corresponding service to access the resource.
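The three exchanges described above (and in "How does Kerberos work?"), simulated end to end as an added example that is not code from the original article: a KDC holding per-principal keys, the AS, TGS and AP exchanges with both sides' messages, the mutual-authentication reply, and the clock-skew and replay checks that reject a captured AP-REQ. The encryption is a stand-in for a real Kerberos etype; the principal names, passwords, the service name cifs/fs01 and the clock values are constructed.

```python
"""Toy Kerberos AS, TGS and AP exchanges with a KDC that holds per-principal keys.

Added example, not from the original article. The "encryption" stands in for a real Kerberos
etype (AES256-CTS-HMAC-SHA1-96 in AD): SHA-256 keystream plus an HMAC-SHA256 tag. Principal
names, passwords, the service name cifs/fs01 and the clock values are constructed.
"""
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds; authenticators outside this window are rejected (AD default 5 min)

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON message under key (stand-in for a Kerberos etype)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Check the tag, then decrypt. A wrong key or a modified ticket raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_authenticator(ticket, authenticator, now, replay_cache):
    """Used by KDC and service alike: open the authenticator with the ticket's session key, then
    enforce name match, ticket lifetime, clock skew and a replay cache keyed on (client, ctime)."""
    a = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if a["client"] != ticket["client"] or now > ticket["expires"] or abs(now - a["ctime"]) > MAX_SKEW:
        raise ValueError("authenticator rejected")
    if (a["client"], a["ctime"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((a["client"], a["ctime"]))
    return a

class KDC:
    def __init__(self, keys):
        self.keys, self.replay = keys, set()          # principal -> long-term key

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP. The TGT is sealed under the krbtgt key (opaque to the client); the session
        key is sealed under the client's key, so only a password holder can use the reply. Real AD
        requires pre-authentication before issuing; this toy omits it, which is the AS-REP roasting gap."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": now + 36000})
        return tgt, seal(self.keys[client], {"key": sk})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: prove possession of the TGT session key, get a ticket for `service`."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(t, authenticator, now, self.replay)
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk, "expires": now + 36000})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": ssk, "service": service})

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay = name, key, set()

    def ap_exchange(self, ticket, authenticator, now):
        """AP-REQ/AP-REP: no call to the KDC; the service's own key opens the ticket. Sealing the
        client's ctime under the session key proves the service knows that key (mutual auth)."""
        t = unseal(self.key, ticket)
        a = check_authenticator(t, authenticator, now, self.replay)
        return t["client"], seal(bytes.fromhex(t["key"]), {"ctime": a["ctime"]})

def kerberos_login(kdc, client, client_key, service, now):
    """Client side of all three exchanges; returns the name the service accepted."""
    tgt, enc = kdc.as_exchange(client, now)
    sk = bytes.fromhex(unseal(client_key, enc)["key"])                 # wrong password fails here
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "ctime": now}), service.name, now)
    ssk = bytes.fromhex(unseal(sk, enc2)["key"])
    who, ap_rep = service.ap_exchange(ticket, seal(ssk, {"client": client, "ctime": now}), now)
    if unseal(ssk, ap_rep)["ctime"] != now:                             # mutual authentication
        raise ValueError("service failed to prove it holds the session key")
    return who

def demo():
    now = 1_700_000_000
    keys = {p: hashlib.sha256(pw.encode()).digest()                     # stand-in for string-to-key
            for p, pw in {"krbtgt": "kdc-secret", "alice": "Passw0rd!", "cifs/fs01": "host-secret"}.items()}
    kdc, fs = KDC(keys), Service("cifs/fs01", keys["cifs/fs01"])
    out = {"user": kerberos_login(kdc, "alice", keys["alice"], fs, now)}
    try:
        kerberos_login(kdc, "alice", hashlib.sha256(b"wrong").digest(), fs, now + 1)
        out["wrong_password_rejected"] = False
    except ValueError:
        out["wrong_password_rejected"] = True
    tgt, enc = kdc.as_exchange("alice", now + 2)                        # attacker replays a captured AP-REQ
    sk = bytes.fromhex(unseal(keys["alice"], enc)["key"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": "alice", "ctime": now + 2}), fs.name, now + 2)
    ap_req = (ticket, seal(bytes.fromhex(unseal(sk, enc2)["key"]), {"client": "alice", "ctime": now + 2}))
    fs.ap_exchange(*ap_req, now + 2)
    try:
        fs.ap_exchange(*ap_req, now + 3)
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

Three properties of the real protocol are visible in the code: the password (or a key derived from it) is only ever used locally to open the AS reply, the service authenticates the client without talking to the KDC, and the same authenticator cannot be used twice. The replay cache is why Kerberos needs synchronised clocks: it only has to remember authenticators for MAX_SKEW seconds.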

How to check if NTLM or Kerberos authentication is being used?

You can check for NTLM or Kerberos usage with Event ID 4624 or with the klist command. Below are the detailed steps.

  • Review Security Logs:
    • Access the Event Viewer on the machine that accepted the logon and go to Windows Logs -> Security.
    • Look for Event ID 4624 for logon events (Logon Type 3 for network access such as shares).
    • The Authentication Package field shows whether NTLM or Kerberos was used; if it shows Negotiate, the Package Name (NTLM only) field tells you whether NTLM was chosen underneath ("NTLM V1" / "NTLM V2") or not ("-").
  • Use Command Line Tools (for real-time checking):
    • On a client machine, run klist to list the Kerberos tickets in the current logon session. A service ticket whose Server field names the target SPN (for example cifs/fileserver.corp.example) means that connection used Kerberos; klist purge clears the cache if you want to watch tickets being reacquired.
    • NTLM leaves no ticket behind, so the absence of a ticket for the target after accessing it is the usual sign of NTLM fallback. For a definitive answer, enable "Network security: Restrict NTLM: Audit NTLM authentication in this domain" (or the Incoming/Outgoing audit policies on the host) and read the NTLM Operational log, or capture the SMB session setup with a packet sniffer and look for NTLMSSP versus KRB5 in the GSS-API blob.
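The Event ID 4624 checks described here and in "How to check NTLM version?", as an added example that is not code from the original article: a classifier that reads the Authentication Package and Package Name (NTLM only) fields from 4624 records and separates Kerberos from NTLMv1 and NTLMv2 logons. The three records are constructed samples in the XML shape Windows emits, trimmed to the fields used; the user names and addresses are invented.

```python
"""Tell Kerberos from NTLM (and NTLMv1 from NTLMv2) in Security Event ID 4624 records.

Added example, not from the original article. The events are constructed samples in the XML
shape Windows emits (what Get-WinEvent's ToXml() or wevtutil /f:xml returns), trimmed to the
fields used here; user names and addresses are invented.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(**fields):
    """Build a minimal 4624 record with the given EventData fields (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [
    _event(TargetUserName="alice", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="Kerberos", LmPackageName="-", KeyLength="0", IpAddress="10.0.0.5"),
    _event(TargetUserName="svc-backup", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V2", KeyLength="128", IpAddress="10.0.0.9"),
    _event(TargetUserName="scanner", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V1", KeyLength="128", IpAddress="10.0.7.20"),
]

def classify_4624(xml_text: str) -> dict:
    """Map one 4624 record to the protocol that authenticated the logon."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        raise ValueError("not a 4624 event")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    pkg = data.get("AuthenticationPackageName", "")
    lm = data.get("LmPackageName", "-")      # shown as "Package Name (NTLM only)" in Event Viewer
    if lm != "-":                            # NTLM V1 / NTLM V2 / LM: NTLM was used, even under Negotiate
        protocol, version = "NTLM", lm
    elif pkg == "Kerberos":
        protocol, version = "Kerberos", "-"
    else:
        protocol, version = pkg, "-"         # e.g. Negotiate on local interactive logons
    return {"user": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
            "logon_type": data.get("LogonType"), "source": data.get("IpAddress"),
            "protocol": protocol, "version": version}

def ntlmv1_logons(events):
    """The records to chase first: NTLMv1 responses can be cracked to the NT hash offline."""
    return [c for c in map(classify_4624, events) if c["version"] == "NTLM V1"]

def protocol_counts(events):
    """Kerberos vs NTLM V1 vs NTLM V2 totals, the number to watch while phasing NTLM out."""
    counts = {}
    for c in map(classify_4624, events):
        key = c["protocol"] if c["version"] == "-" else c["version"]
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for c in map(classify_4624, SAMPLE_EVENTS):
        print(c)
    print(protocol_counts(SAMPLE_EVENTS))
```

To run it on real data, export the log with wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml and feed each Event element to classify_4624; the field names used here (AuthenticationPackageName, LmPackageName, KeyLength, LogonType, IpAddress) are the ones Windows writes in the event's EventData.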

How to force Kerberos instead of NTLM? 

Forcing Kerberos over NTLM can be achieved by:

  • Ensuring all clients and servers have correct forward and reverse DNS entries and are time-synchronized (Kerberos rejects requests outside the five-minute default skew), and that clients address servers by host name, not by IP address: a connection to an IP address has no SPN to request a ticket for and silently falls back to NTLM.
  • Registering Service Principal Names (SPNs) correctly for all services, with no duplicates; a missing or duplicate SPN is the most common cause of NTLM fallback.
  • Setting the "Network security: Restrict NTLM" policies (Incoming, Outgoing and "NTLM authentication in this domain") to deny, after auditing what still uses NTLM. Note that "Network security: LAN Manager authentication level" set to "Send NTLMv2 response only. Refuse LM & NTLM" does not force Kerberos: it only removes LM and NTLMv1, and NTLMv2 is still used whenever Kerberos fails.

What is Kerberos on macOS?

macOS ships a Heimdal-based Kerberos implementation: kinit, klist and kdestroy are available from the command line, and the Ticket Viewer application shows the ticket cache graphically. A Mac bound to Active Directory obtains a TGT at login and uses it for single sign-on to SMB shares, mail and other Kerberized services; in MDM-managed deployments Apple's Kerberos Single Sign-on extension additionally handles ticket renewal and keeps the local account password in sync with the domain.

Does LDAP use Kerberos?

LDAP can use Kerberos for authentication, and in Active Directory that is the normal case. LDAP itself is a protocol for accessing and maintaining distributed directory information; it authenticates a session with a bind, which is either a simple bind (username and password sent in the clear unless the connection uses TLS, i.e. LDAPS or StartTLS) or a SASL bind, where the GSSAPI mechanism carries a Kerberos ticket and can also sign and seal the session. Domain controllers can be configured to require signing or to reject simple binds over unencrypted connections, precisely because simple binds expose the password.

Does Azure AD (Microsoft Entra ID) use Kerberos?

Not for its own sign-in: Entra ID authenticates with OAuth 2.0, OpenID Connect and SAML rather than Kerberos. Kerberos appears in hybrid and bridging scenarios: Entra Domain Services provides a managed domain with a KDC for lifted-and-shifted workloads; Microsoft Entra Kerberos (cloud Kerberos trust) lets Entra ID issue Kerberos tickets for Azure Files and lets hybrid-joined Windows devices that signed in with passwordless methods obtain on-premises TGTs; and on-premises Active Directory integrated with Entra ID (Entra Connect) continues to use Kerberos for on-premises resources.

Does Active Directory use Kerberos?

Yes. Kerberos has been the default authentication protocol of Active Directory since Windows 2000, with every domain controller running the KDC service. It did not remove NTLM, however: Windows still falls back to NTLM whenever Kerberos cannot be used (no SPN, access by IP address, untrusted forests, local accounts), so a domain that has not applied the Restrict NTLM policies still runs both.
