The Kerberos authentication protocol has plenty of benefits but offers little defense against pass-the-hash attacks.
Several readers responded to my previous post on pass-the-hash attacks, asking whether Kerberos authentication, as opposed to LAN Manager, NTLM, or NTLMv2, was an effective defense. It's a good question, one that I considered as I was writing last week's post. Reader Christopher Hallenbeck made some especially good arguments for it, and I've reconsidered my original stance on discussing the subject.
Invented at MIT, Kerberos is an open authentication protocol used on a variety of computer systems. Kerberos systems pass cryptographic key-protected authentication "tickets" between participating services. The password hashes are neither sent nor stored, so they can't be captured and reused as easily.
Kerberos is the default authentication protocol implemented in Windows 2000. More recent operating systems use Kerberos to connect to Kerberos-protected network resources and services on Windows 2000 and later. In most of today's Windows networks, Kerberos authentication is widespread. Kerberos has the potential to reduce pass-the-hash risk, but not nearly as much as one would initially think.