Kerberos key points

  • Primary Port: 88/TCP/UDP. Only the KDC exchanges (AS-REQ/AS-REP, TGS-REQ/TGS-REP) use it; AP-REQ/AP-REP travel inside the application protocol (SMB, LDAP, HTTP, ...) to the service itself, not to port 88.

  • Workflow:

  • The client does not decrypt the TGT in Kerberos.

  • TGT Encrypted by the KDC with the KDC's secret key (the krbtgt account key in AD).

  • TGT Can only be decrypted by the KDC (client never needs to decrypt it).

  • TGT Proves to the TGS that the client was previously authenticated by the AS.

  • AS-REQ: Client to KDC (AS). Carries the client principal name and realm, the requested service (krbtgt), a nonce and, in AD, pre-authentication data (PA-ENC-TIMESTAMP: the current time encrypted with the client's long-term key).

  • AS-REP: KDC to client. Returns the TGT (opaque to the client, encrypted with the krbtgt key) and an encrypted part, under the client's long-term key, holding the client-TGS session key and the echoed nonce.

  • TGS-REQ: Client to KDC (TGS). Carries the TGT together with:

  • Authenticator Contains a timestamp encrypted with the client-TGS session key (from AS-REP).

  • Authenticator Validates the client’s identity freshly for this request.

  • Service SPN - Identifies the target service (e.g., HTTP/web01.contoso.com).

  • Nonce Random number echoed in the TGS-REP so the client can match the reply to this request and reject a replayed earlier reply.

  • TGS-REP: KDC to client. Returns the service ticket (encrypted with the target service account's long-term key, opaque to the client) and an encrypted part, under the client-TGS session key, holding the client-service session key and the echoed nonce.

  • AP-REQ: Client to service. Carries the service ticket plus an authenticator encrypted with the client-service session key; the service decrypts the ticket with its own key, recovers the session key and checks the authenticator's timestamp (clock skew and replay cache).

  • Mutual Authentication Flag When set, the service must respond with an AP-REP: the authenticator's timestamp encrypted under the session key, which only a holder of the service's key could have recovered from the ticket.

  • AD-Specific Details

    • Event ID 4769 (A Kerberos service ticket was requested) is logged on the domain controller for every TGS-REQ, success (Failure Code 0x0) and failure alike; it does not record the AP-REQ, which goes to the service, not the KDC. Related IDs: 4768 (TGT requested, AS-REQ) and 4771 (Kerberos pre-authentication failed).

    • Service ticket decryption uses the long-term key derived from the owning account's password (the NT hash for RC4-HMAC, a PBKDF2-derived key for AES):

      • Computer account key, for SPNs registered on the machine account (host/, CIFS/ and similar host services)

      • Service account key, for SPNs registered on a user account; any authenticated domain user can request such a ticket, so a weak service account password can be recovered from it offline (Kerberoasting)
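The AS, TGS and AP exchanges listed above, run end to end as an added example (not code from the original page). The script models both sides of each message: the KDC opens the TGT with the krbtgt key, checks the authenticator against the client-TGS session key and the skew window, issues a ticket under the service key, and the service verifies the ticket, answers the mutual-authentication request with an AP-REP and rejects a replayed authenticator. The cipher is a stand-in built from HMAC-SHA256 so the script runs on the standard library alone; the principal alice@CONTOSO.COM, the SPN HTTP/web01.contoso.com and all keys are made up.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges. Added example, not code from
the original page: the cipher is a stand-in (HMAC-SHA256 keystream + tag), and the
principal, SPN and keys are made up."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds; AD tolerates 5 minutes of clock skew by default

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Stand-in for a Kerberos EncryptedData blob: nonce || ciphertext || tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _fresh(ts):
    return abs(ts - int(time.time())) <= SKEW

class KDC:
    def __init__(self, krbtgt_key, client_keys, service_keys):
        self.krbtgt_key, self.client_keys, self.service_keys = krbtgt_key, client_keys, service_keys
    def as_exchange(self, req):
        ckey = self.client_keys[req["cname"]]
        pa = decrypt(ckey, req["pa_enc_timestamp"])  # PA-ENC-TIMESTAMP: proves the client key
        if not _fresh(pa["timestamp"]):
            raise ValueError("pre-auth timestamp outside allowed skew")
        sk = os.urandom(32).hex()  # client/TGS session key
        tgt = encrypt(self.krbtgt_key, {"cname": req["cname"], "session_key": sk})
        return {"tgt": tgt, "enc_part": encrypt(ckey, {"session_key": sk, "nonce": req["nonce"]})}
    def tgs_exchange(self, req):
        tgt = decrypt(self.krbtgt_key, req["tgt"])  # only the KDC holds the krbtgt key
        sk = bytes.fromhex(tgt["session_key"])
        auth = decrypt(sk, req["authenticator"])  # authenticator under the client/TGS session key
        if auth["cname"] != tgt["cname"] or not _fresh(auth["timestamp"]):
            raise ValueError("authenticator rejected")
        svc_sk = os.urandom(32).hex()  # client/service session key
        ticket = encrypt(self.service_keys[req["sname"]],
                         {"cname": tgt["cname"], "sname": req["sname"], "session_key": svc_sk})
        return {"ticket": ticket, "enc_part": encrypt(sk, {"session_key": svc_sk, "nonce": req["nonce"]})}

class Service:
    def __init__(self, sname, key):
        self.sname, self.key, self.seen = sname, key, set()  # seen = authenticator replay cache
    def ap_exchange(self, req):
        ticket = decrypt(self.key, req["ticket"])  # opened with the service/computer account key
        sk = bytes.fromhex(ticket["session_key"])
        auth = decrypt(sk, req["authenticator"])
        if ticket["sname"] != self.sname or auth["cname"] != ticket["cname"] or not _fresh(auth["timestamp"]):
            raise ValueError("ticket or authenticator rejected")
        if (auth["cname"], auth["timestamp"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["cname"], auth["timestamp"]))
        # AP-REP: the authenticator timestamp echoed under the session key
        return encrypt(sk, {"timestamp": auth["timestamp"]}) if req["mutual_required"] else None

def run_flow(cname="alice@CONTOSO.COM", spn="HTTP/web01.contoso.com"):
    krbtgt_key, client_key, svc_key = os.urandom(32), os.urandom(32), os.urandom(32)
    kdc, web01 = KDC(krbtgt_key, {cname: client_key}, {spn: svc_key}), Service(spn, svc_key)
    now, result = int(time.time()), {}
    # AS exchange: TGT plus client/TGS session key
    as_rep = kdc.as_exchange({"cname": cname, "nonce": int.from_bytes(os.urandom(4), "big"),
                              "pa_enc_timestamp": encrypt(client_key, {"timestamp": now})})
    tgs_sk = bytes.fromhex(decrypt(client_key, as_rep["enc_part"])["session_key"])
    try:  # the client cannot open its own TGT
        decrypt(client_key, as_rep["tgt"])
        result["client_can_read_tgt"] = True
    except ValueError:
        result["client_can_read_tgt"] = False
    # TGS exchange: TGT + authenticator + SPN + nonce -> service ticket
    n2 = int.from_bytes(os.urandom(4), "big")
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["tgt"], "sname": spn, "nonce": n2,
                                "authenticator": encrypt(tgs_sk, {"cname": cname, "timestamp": now})})
    tgs_enc = decrypt(tgs_sk, tgs_rep["enc_part"])
    result["tgs_nonce_matches"] = tgs_enc["nonce"] == n2
    svc_sk = bytes.fromhex(tgs_enc["session_key"])
    # AP exchange with mutual authentication, then the identical AP-REQ replayed
    ap_req = {"ticket": tgs_rep["ticket"], "mutual_required": True,
              "authenticator": encrypt(svc_sk, {"cname": cname, "timestamp": now})}
    result["mutual_auth_ok"] = decrypt(svc_sk, web01.ap_exchange(ap_req))["timestamp"] == now
    try:
        web01.ap_exchange(ap_req)
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result
```

Calling run_flow() returns a dict in which client_can_read_tgt is False (the TGT is opaque to the client), tgs_nonce_matches and mutual_auth_ok are True, and replay_rejected is True because the service's replay cache has already seen that authenticator.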

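Triage of the 4769 events mentioned above, as an added example (not code from the original page). The records are constructed and flattened to one line each with the fields a 4769 message carries (Account Name, Service Name, Ticket Encryption Type, Failure Code, Client Address); account names, SPNs and addresses are made up. The script separates successful from failed TGS requests, filters out other event IDs, and applies the caveat from the last bullet: successful RC4/DES tickets for SPNs held by user accounts, and one account requesting tickets for many such SPNs, are the pattern to look at.

```python
"""Triage of Windows Security Event ID 4769 records. Added example, not code from the
original page; the sample events below are constructed (single-line form of the 4769
message fields) and every name and address in them is made up."""
import re
from collections import Counter, defaultdict

# Kerberos encryption types as shown in the 4769 "Ticket Encryption Type" field
ETYPES = {
    0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {0x1, 0x3, 0x17, 0x18}

SAMPLE_EVENTS = """\
4769 AccountName=alice@CONTOSO.COM ServiceName=WEB01$ TicketEncryptionType=0x12 FailureCode=0x0 ClientAddress=::ffff:10.0.0.21
4769 AccountName=alice@CONTOSO.COM ServiceName=krbtgt TicketEncryptionType=0x12 FailureCode=0x0 ClientAddress=::ffff:10.0.0.21
4769 AccountName=bob@CONTOSO.COM ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=::ffff:10.0.0.77
4769 AccountName=bob@CONTOSO.COM ServiceName=svc_backup TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=::ffff:10.0.0.77
4769 AccountName=bob@CONTOSO.COM ServiceName=svc_iis TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=::ffff:10.0.0.77
4769 AccountName=bob@CONTOSO.COM ServiceName=svc_old TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=::ffff:10.0.0.77
4769 AccountName=carol@CONTOSO.COM ServiceName=FS02$ TicketEncryptionType=0xffffffff FailureCode=0x20 ClientAddress=::ffff:10.0.0.33
4769 AccountName=dave@CONTOSO.COM ServiceName=nosuchsvc TicketEncryptionType=0xffffffff FailureCode=0x7 ClientAddress=::ffff:10.0.0.44
"""

LINE_RE = re.compile(
    r"^(?P<event_id>\d+)\s+AccountName=(?P<account>\S+)\s+ServiceName=(?P<service>\S+)"
    r"\s+TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+)\s+FailureCode=(?P<failure>0x[0-9a-fA-F]+)"
    r"\s+ClientAddress=(?P<client>\S+)$")

def parse_events(text):
    """Keep only 4769 records; 4768 (TGT request) and 4771 (pre-auth failure) are other IDs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event_id"] != "4769":
            continue
        events.append({"account": m["account"], "service": m["service"],
                       "etype": int(m["etype"], 16), "failure": int(m["failure"], 16),
                       "client": m["client"]})
    return events

def is_user_service_account(service):
    # computer accounts end in '$'; krbtgt is the KDC itself, so a TGT, not a service ticket
    return not service.endswith("$") and service.lower() != "krbtgt"

def summarize(events):
    """4769 is logged for success and failure alike; Failure Code 0x0 marks an issued ticket."""
    c = Counter("success" if e["failure"] == 0 else "failure" for e in events)
    return {"success": c["success"], "failure": c["failure"]}

def weak_etype_requests(events):
    """Issued RC4/DES tickets for user-held SPNs: encrypted with that account's
    password-derived key, so they can be attacked offline."""
    return [e for e in events if e["failure"] == 0 and e["etype"] in WEAK_ETYPES
            and is_user_service_account(e["service"])]

def spn_fanout(events, threshold=3):
    """Accounts that pulled tickets for at least `threshold` distinct user-held SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e["failure"] == 0 and is_user_service_account(e["service"]):
            spns[e["account"]].add(e["service"])
    return {a: sorted(s) for a, s in spns.items() if len(s) >= threshold}

def triage(text=SAMPLE_EVENTS, threshold=3):
    events = parse_events(text)
    return {"summary": summarize(events),
            "weak_etype": [(e["account"], e["service"], ETYPES.get(e["etype"], hex(e["etype"])))
                           for e in weak_etype_requests(events)],
            "spn_fanout": spn_fanout(events, threshold)}

if __name__ == "__main__":
    for k, v in triage().items():
        print(k, v)
```

On the constructed sample, triage() counts six issued tickets and two failures, lists bob@CONTOSO.COM's four RC4-HMAC tickets for svc_* accounts, and reports the same account under spn_fanout; alice's WEB01$ and krbtgt requests are ordinary and stay out of both lists.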
