
NTLM, Kerberos and Public Key Cryptography

OZ
NTLM
NTLM - Basics

 Windows New Technology LAN Manager (NTLM) is Microsoft's legacy challenge-response authentication protocol. It proves a user's identity to a server and, when signing and sealing are negotiated, protects the integrity and confidentiality of the session.

 NTLM provides single sign-on (SSO): the client proves it knows the user's password hash by answering a server challenge, so the password itself is never sent over the network.

 NTLM is still used wherever Kerberos is not available: non-Windows or non-domain-joined devices, local accounts, and connections made to a server by IP address rather than by hostname.


NTLM - how does it work

Participants: Client, Application Server, Domain Controller (DC)

1. Client sends its username to the server in plaintext

2. Server replies to the client with a random 8-byte challenge

3. Client computes a response from the challenge and the user's password hash and sends it to the server

4. Server sends the username, challenge and response to the DC

5. DC recomputes the expected response from the user's stored hash and compares it with the received one

6. Server returns the DC's accept/reject decision to the client


NTLM - Vulnerabilities

 NTLM does not use salting: the NT hash is computed from the password alone, so two accounts with the same password have the same hash, and the hash itself is sufficient to authenticate

 Weak hashing algorithms: the NT hash is MD4, NTLMv1 responses are built with DES and NTLMv2 responses with HMAC-MD5, all of which are fast to brute-force offline

 MFA not supported: NTLM relies on the password only (something you know)


NTLM - Pass The Hash

This attack allows an attacker to authenticate to a system as a user with only the NT hash of the user's password, rather than the actual password, because the NTLM response is computed from the hash and never from the password itself.
NTLM - Recent Pass The Hash Attack

In a number of recently reported incidents, the Hive ransomware-as-a-service (RaaS) platform leveraged Pass The Hash to advance a coordinated attack that targeted a large number of Microsoft Exchange Server customers, including organisations in the energy, financial services, nonprofit and healthcare sectors.
NTLM – Other Attacks

 Brute-Force Attack

 Dictionary Attack

 MITM Attack

 NTLM Relay Attack


NTLM - Mitigations and Security Measures
 Enforce a Password Policy

 Strong Passwords

 Change periodically (at least every 6 months)

 Password Manager

 Implement Access Control Policy

 Separation Of Duties 

 Least Privilege

 Update Software

 Disable Legacy Protocols (LM and NTLMv1; restrict NTLM where Kerberos is available)

 Monitor Domain Logs


Kerberos
Kerberos - Basics

 Kerberos was developed by researchers at the Massachusetts Institute of Technology (MIT) in the 1980s

 Like NTLM, Kerberos is an authentication protocol. It replaced NTLM as the default authentication protocol for domain accounts on Windows 2000 and later releases.

 Kerberos uses a two-stage, ticket-based process run by the Key Distribution Center (KDC): its Authentication Service issues a ticket-granting ticket (TGT), and its Ticket Granting Service (TGS) exchanges that TGT for service tickets
Kerberos - How does it work

Participants: Client, Key Distribution Center (KDC, made up of the Authentication Service (AS) and the Ticket Granting Service (TGS)), Server/Resource

1. Client logon: the client authenticates to the Authentication Service (AS)

2. The AS returns a Ticket Granting Ticket (TGT)

3. The client presents the TGT to the Ticket Granting Service (TGS)

4. The TGS returns a client-to-server (service) ticket

5. The client presents the service ticket to the server/resource

6. The server allows access
Kerberos - Vulnerabilities

 Single point of failure: if the KDC is down no tickets can be issued, and if its krbtgt key is compromised every ticket can be forged

 Replay attacks: a captured ticket and authenticator can be resent within the ticket's lifetime; Kerberos limits this with timestamps (a 5-minute clock-skew tolerance by default) and authenticator caches
Kerberos - Kerberoasting

Any authenticated domain user can request a ticket-granting service (TGS) ticket for any service principal name (SPN), and part of that ticket is encrypted with the service account's password hash. Adversaries may abuse a valid ticket-granting ticket (TGT) to request such tickets, or sniff them from network traffic, and then take them offline for brute-force and other password attacks against the service account's password. Service accounts with human-chosen passwords and an SPN are the usual target, and RC4-encrypted tickets are the cheapest to crack.
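The detection side of Kerberoasting, as an added example that is not part of the original slides: it runs over constructed Security event 4769 records ("A Kerberos service ticket was requested") flattened to key=value lines, keeps the requests whose ticket could be cracked offline, and alerts when one principal pulls RC4 tickets for several services in a short window. The account names, SPNs, addresses and timestamps are invented; the field names follow the event's EventData.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769, one event per line (real events are EVTX/XML).
SAMPLE_4769 = """\
2024-03-01T10:00:01 TargetUserName=jdoe@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2024-03-01T10:00:02 TargetUserName=jdoe@CORP.LOCAL ServiceName=httpsvc TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2024-03-01T10:00:02 TargetUserName=jdoe@CORP.LOCAL ServiceName=backupsvc TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0
2024-03-01T10:00:03 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.25 Status=0x0
2024-03-01T10:00:05 TargetUserName=WS01$@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.31 Status=0x0
2024-03-01T10:05:00 TargetUserName=asmith@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x12 IpAddress=10.0.0.40 Status=0x0
2024-03-01T10:06:00 TargetUserName=asmith@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.0.0.40 Status=0x0
"""

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP: keyed by the NT hash, cheapest to crack


def parse_4769(text: str) -> list:
    """Turn the flattened lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["time"] = datetime.fromisoformat(stamp)
        events.append(rec)
    return events


def kerberoast_candidates(events: list) -> list:
    """Requests whose ticket could be cracked offline: RC4 etype, successful,
    for a user account (not a computer account ending in $) that is not krbtgt."""
    keep = []
    for e in events:
        svc = e["ServiceName"]
        if (e["TicketEncryptionType"].lower() in RC4_ETYPES and e["Status"] == "0x0"
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            keep.append(e)
    return keep


def detect_kerberoasting(events: list, window: timedelta = timedelta(minutes=5), threshold: int = 3) -> list:
    """Alert when one principal pulls RC4 service tickets for >= threshold distinct SPNs inside one window.
    A single RC4 request can be legitimate; the burst across many services is the Kerberoasting signature."""
    by_user = defaultdict(list)
    for e in kerberoast_candidates(events):
        by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            services = sorted({x["ServiceName"] for x in in_window})
            if len(services) >= threshold:
                alerts.append({"user": user, "source": first["IpAddress"],
                               "start": first["time"].isoformat(), "services": services})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_4769(SAMPLE_4769)):
        print(f"possible Kerberoasting by {alert['user']} from {alert['source']}: {alert['services']}")
```

The threshold and window are tuning knobs, not constants from any standard: lower them for a quiet domain, raise them where legitimate middleware fans out across many SPNs. The same idea covers the "Monitor Domain Logs" mitigation in the NTLM section; moving service accounts to AES-only keys and long random passwords removes the cheap RC4 case that this rule looks for.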
 Golden Ticket attack: a golden ticket is a forged ticket-granting ticket (TGT), created with the krbtgt account's key hash, that allows the attacker to impersonate any user in the domain. Golden tickets can be used to perform a variety of attacks, such as accessing sensitive data or taking control of systems, and they stay valid until the krbtgt password has been changed twice

 Silver Ticket attack: a silver ticket is a forged service ticket, created with the key hash of one service account, that allows the attacker to impersonate any user to that service. Because the ticket is presented straight to the service, the KDC never sees the request. Silver tickets can be used to perform a variety of attacks, such as bypassing security restrictions or disabling services
Kerberos - Pass The Ticket

A pass-the-ticket attack allows an attacker to reuse a valid Kerberos ticket (a TGT or a service ticket) taken from another user's session, for example from LSASS memory, to authenticate to a service without knowing that user's password or hash. Pass-the-ticket attacks can be used to gain access to resources that the attacker would not otherwise be able to access
Kerberos - Other Attacks

 NTLM Downgrade Attack


Kerberos - Mitigations and Security Measures
Public Key Cryptography
Public Key Cryptography - Basics

 Public Key Cryptography, or Asymmetric Cryptography, is a method of encrypting or signing data with two different but mathematically linked keys, one of which, the public key, is made available for anyone to use

 The other key, the private key, is kept secret and is used to decrypt data that was encrypted with the public key (and to create signatures)

 It is computationally infeasible to derive the private key from the public key

 Symmetric Cryptography, as opposed to Asymmetric, relies on a single shared key for both encryption and decryption
Public Key Cryptography - How Does It Work

 Each entity creates a key pair: a private key and a public key

 To send a confidential message, encrypt it with the recipient's public key; only the holder of the matching private key can decrypt it

 The public key can also be used to verify a signature made with the corresponding private key


Public Key Cryptography - Key Exchange

 After exchanging public keys, each entity can compute the same shared symmetric key offline (Diffie-Hellman key agreement), so the symmetric key itself is never transmitted

 The symmetr
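The key exchange described above, as an added example that is not part of the original slides. The slides name no particular algorithm; this block uses X25519 (RFC 7748, the Diffie-Hellman function used by modern TLS), implemented in pure Python so it runs offline, and then derives a symmetric session key with HKDF-SHA256 the way the post-handshake session keys in the TLS section are derived from the handshake secret. The party names and the "demo session" context label are constructed for this example.

```python
import hashlib
import hmac
import os

P = 2**255 - 19                 # Curve25519 field prime
A24 = 121665                    # (486662 - 2) / 4, the curve constant used by the ladder
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """Private-key clamping from RFC 7748: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap (swap is 0 or 1)."""
    mask = (-swap) & (a ^ b)
    return a ^ mask, b ^ mask


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder (RFC 7748 section 5): scalar * point, u-coordinate only."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_session_key(shared_secret: bytes, context: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract with a zero salt, then the first expand block (32 bytes)."""
    prk = hmac.new(b"\x00" * 32, shared_secret, hashlib.sha256).digest()
    return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()


def key_exchange_demo():
    """Both parties end up with the same 32-byte symmetric key; only public keys crossed the wire."""
    alice_priv, bob_priv = os.urandom(32), os.urandom(32)
    alice_pub = x25519(alice_priv, BASE_POINT)   # sent to Bob
    bob_pub = x25519(bob_priv, BASE_POINT)       # sent to Alice
    context = b"demo session"                    # constructed label binding the key to this use
    k_alice = derive_session_key(x25519(alice_priv, bob_pub), context)   # computed offline by Alice
    k_bob = derive_session_key(x25519(bob_priv, alice_pub), context)     # computed offline by Bob
    return k_alice, k_bob
```

Nothing in this exchange tells Alice that `bob_pub` really came from Bob: an attacker who substitutes public keys in both directions ends up sharing a key with each side. That is why TLS, in step 3 of the handshake below, authenticates the server's key with a certificate before it trusts the key-exchange result.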
Public Key Cryptography - TLS

 TLS is an encryption and authentication protocol designed to secure Internet communications

 The TLS handshake contains the following steps:

1. Agree on which version of TLS to use

2. Agree on which cipher suite to use

3. Authenticate the identity of the server: the client validates the certificate authority's digital signature on the server's certificate and checks that the server holds the private key matching the certificate's public key

4. Generate session keys (through a key exchange) so that symmetric encryption can be used after the handshake is complete
Public Key Cryptography - Certificate Based Authentication

 Certificate-based authentication is the process of establishing your identity using electronic documents known as digital certificates

 For certificate-based authentication to work properly, the user must hold the private key that corresponds to the public key in the certificate, and the verifier must trust the certificate authority that signed the certificate
Questions?
Thank You
