Kerberos and NTLM Security Vulnerabilities

Kerberos and NTLM security vulnerabilities encompass the various attack vectors that exploit weaknesses in these core Windows authentication protocols to achieve privilege escalation and lateral movement within a network. While the older NTLM protocol is notoriously susceptible to Pass-the-Hash and relay attacks where credentials can be captured and reused, the more modern and secure Kerberos protocol is also vulnerable to sophisticated exploits. Common Kerberos attacks include Kerberoasting, where an attacker cracks weak service account passwords offline; Pass-the-Ticket, which involves stealing and reusing a user's authentication ticket; and the highly impactful Golden and Silver Ticket attacks, where compromising key domain accounts allows an adversary to forge powerful authentication tickets, granting them persistent and widespread access.

1. Foundations of Windows Authentication
   1. Authentication vs. Authorization Concepts
      1. Definition of Authentication
      2. Definition of Authorization
      3. Relationship Between Authentication and Authorization
      4. Authentication Flow in Windows Environments
   2. Active Directory Domain Services Architecture
      1. Domain Controllers
         1. Primary Domain Controller (PDC) Emulator
         2. Additional Domain Controllers
         3. Global Catalog Servers
      2. Domain Structure
         1. Single Domain Environments
         2. Multi-Domain Forests
         3. Organizational Units (OUs)
      3. Trust Relationships
         1. Transitive Trusts
         2. Non-Transitive Trusts
         3. External Trusts
         4. Forest Trusts
   3. Security Principals
      1. User Accounts
         1. Domain User Accounts
         2. Local User Accounts
         3. Built-in User Accounts
      2. Computer Accounts
         1. Domain Computer Accounts
         2. Computer Account Authentication
         3. Machine Account Passwords
      3. Service Accounts
         1. Domain Service Accounts
         2. Local Service Accounts
         3. Managed Service Accounts (MSAs)
         4. Group Managed Service Accounts (gMSAs)
      4. Group Accounts
         1. Security Groups
         2. Distribution Groups
         3. Built-in Groups
   4. Security Identifiers (SIDs)
      1. SID Structure and Format
      2. Well-Known SIDs
      3. Domain SIDs
      4. Relative Identifiers (RIDs)
      5. SID History
   5. Access Tokens
      1. Token Structure
      2. Primary Tokens
      3. Impersonation Tokens
      4. Token Privileges
      5. Group Memberships in Tokens
      6. Token Integrity Levels
   6. Local Security Authority (LSA)
      1. LSA Architecture
      2. Authentication Packages
      3. Security Support Providers (SSPs)
      4. LSA Secrets
      5. LSA Policy Database
   7. Security Account Manager (SAM)
      1. SAM Database Structure
      2. Local Account Storage
      3. Password Storage in SAM
      4. SAM Registry Hive
      5. Interaction with LSA