Several readers responded to my previous post on pass-the-hash attacks, asking if Kerberos authentication versus LANManager, NTLM, or NTLMv2 was an effective defense. It's a good question, one that I considered as I was writing last week's post. Reader Christopher Hallenbeck made some especially good arguments for it, and I've reconsidered my original stance on discussing the subject.
Invented at MIT, Kerberos is an open authentication protocol used on a variety of computer systems. Kerberos participants exchange cryptographically protected authentication "tickets" between the services involved. Password hashes are neither sent over the network nor stored on the service side, so they can't be captured and reused as easily.
Kerberos is the default authentication protocol implemented in Windows 2000. Windows 2000 and later operating systems use Kerberos to connect to Kerberos-protected network resources and services. In most of today's Windows networks, Kerberos authentication is widespread. Kerberos has the potential to reduce pass-the-hash risk, but not nearly as much as one would initially think.
For one, pass-the-hash attacks only work against interactive logons -- those performed right at the computer. In Windows, password hashes are neither sent over network connections nor stored on the remote server or in the hosting process, whether NTLM/NTLMv2 or Kerberos is used (with the notable exception of RDP connections). The attacker can only capture password hashes that are stored on the local computer in the SAM or Active Directory database, or those of users logged on interactively. The idea that the attacker will gain elevated access to a server computer and capture the passwords of every user connected over the network isn't realistic. In most cases, Kerberos doesn't offer a lot of protection over NTLM/NTLMv2.
Second, when a user logs on interactively to a computer that uses Kerberos, his or her NT password hash is still stored in the computer's memory and is available to be stolen. This is because all Windows computers must support at least one other authentication protocol, such as LanManager, NTLM, or NTLMv2. Prior to Windows Server 2008, the NT hash was also used as the key in what is called the pre-authentication part of Kerberos; Windows Server 2008 and later OS versions use AES instead.
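The two points above (hashes are exposed on hosts with interactive or RDP logons, not on servers reached over network logons, and Kerberos keyed from the NT hash rather than AES gives the same hash a second use) translate directly into a defender's exposure map. The script below is an added example, not code from the original post: it walks a simplified export of Windows Security events 4624 (logon) and 4769 (service ticket request), reports which accounts have left credential material on which hosts, and flags tickets still issued with the RC4 encryption type. The event records and host/account names are constructed; the field names mirror the XML names of the real events, and the logon-type and encryption-type codes are the documented Windows values.

```python
"""Map credential exposure from Windows Security events (added example).

Assumptions: events arrive as dicts whose keys mirror the XML field names of
Security events 4624 and 4769 (as a SIEM export would provide); SAMPLE_EVENTS
below is constructed data, not output from a real domain.
"""
from collections import defaultdict

# Event 4624 logon types that leave the user's NT hash resident in memory on
# the host (the cases the post warns about). Type 3 (Network) does not, which
# is why a server reached over SMB or HTTP does not accumulate hashes.
LOGON_TYPES_WITH_CACHED_CREDS = {2: "Interactive", 10: "RemoteInteractive (RDP)"}
NETWORK_LOGON_TYPE = 3

# Event 4769 "TicketEncryptionType" values. RC4-HMAC's key *is* the NT hash,
# so a stolen hash is also a Kerberos key; the AES types derive their keys
# from the password with a per-principal salt and are the post-2008 default.
RC4_HMAC = 0x17
AES_ETYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}
DES_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5"}


def hash_exposure(events):
    """Return {host: {account: logon-type label}} for every logon whose type
    leaves the account's NT hash in that host's memory. Network logons and
    other types are ignored, matching the post's description."""
    exposure = defaultdict(dict)
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        label = LOGON_TYPES_WITH_CACHED_CREDS.get(ev["LogonType"])
        if label is None:
            continue
        exposure[ev["Computer"]][ev["TargetUserName"]] = label
    return {host: dict(accounts) for host, accounts in exposure.items()}


def weak_etype_tickets(events):
    """Return (service, account, label) for 4769 tickets issued with an
    encryption type keyed directly from the NT hash (RC4) or with DES."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        etype = ev["TicketEncryptionType"]
        if etype == RC4_HMAC:
            findings.append((ev["ServiceName"], ev["TargetUserName"],
                             "RC4-HMAC (keyed from NT hash)"))
        elif etype in DES_ETYPES:
            findings.append((ev["ServiceName"], ev["TargetUserName"],
                             DES_ETYPES[etype]))
    return findings


# Constructed sample: one file server reached over the network by 'alice',
# administered over RDP by 'admin_bob'; a workstation where 'alice' logs on
# at the console; and two service tickets, one AES256 and one RC4.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FILESRV01", "TargetUserName": "alice",
     "LogonType": NETWORK_LOGON_TYPE},
    {"EventID": 4624, "Computer": "FILESRV01", "TargetUserName": "admin_bob",
     "LogonType": 10},
    {"EventID": 4624, "Computer": "WKS-017", "TargetUserName": "alice",
     "LogonType": 2},
    {"EventID": 4769, "ServiceName": "cifs/FILESRV01", "TargetUserName": "alice",
     "TicketEncryptionType": 0x12},
    {"EventID": 4769, "ServiceName": "MSSQLSvc/db01:1433",
     "TargetUserName": "alice", "TicketEncryptionType": RC4_HMAC},
]

if __name__ == "__main__":
    for host, accounts in sorted(hash_exposure(SAMPLE_EVENTS).items()):
        for account, how in sorted(accounts.items()):
            print(f"{host}: NT hash of {account} resident via {how} logon")
    for service, account, label in weak_etype_tickets(SAMPLE_EVENTS):
        print(f"ticket for {service} requested by {account} uses {label}")
```

On the sample, `alice`'s network logon to FILESRV01 produces no exposure entry, while `admin_bob`'s RDP session does; that is the asymmetry the post describes, and it is why privileged accounts should avoid interactive and RDP logons to machines that less trusted users can reach. The RC4 finding for the SQL service principal shows where an NT hash would still double as a Kerberos key even on a domain whose default is AES.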