June 6, 2026
Windows Authentication Internals: NTLM, Kerberos, Pass-the-Hash, and Pass-the-Ticket
Learn the fundamentals of NTLM and Kerberos
Jackson
4 min read
Hello, people! Jayakumar, AKA Dhilla, here with another important security topic to discuss. I hope you learn something useful and benefit from it :)
Introduction
Every time you log into a Windows domain or access a network resource, authentication protocols work behind the scenes to verify your identity. Understanding these mechanisms is essential for cybersecurity professionals because many enterprise attacks exploit them. In this article, we'll explore NTLM, Kerberos, and the concepts behind Pass-the-Hash and Pass-the-Ticket attacks.
Why Authentication Matters
Authentication is the process of verifying that a user is genuinely who they claim to be.
A secure authentication system should ideally ensure that:
- Passwords are never transmitted in plain text.
- Credentials cannot be easily intercepted.
- Access can be granted securely across multiple services.
Windows primarily uses two authentication protocols:
- NTLM (NT LAN Manager)
- Kerberos
While both achieve the same goal, they work in very different ways.
Understanding NTLM
NTLM is Microsoft's older challenge-response authentication protocol. It was designed before Active Directory became widespread and is still used today for backward compatibility.
How NTLM Works
Instead of sending the actual password across the network:
- The user enters their password.
- Windows computes a hash of that password (the NT hash: MD4 over the UTF-16LE encoding of the password) and caches it in the LSASS process for the rest of the session.
- The server sends a random 8-byte challenge.
- The client computes a keyed response over the challenge (in NTLMv2, an HMAC-MD5 whose key is derived from the NT hash, covering the challenge plus a client-chosen blob) and returns it.
- The server, or for domain accounts the domain controller it passes the exchange through to, recomputes the response from the stored hash and compares.
Because the password itself is never transmitted, NTLM was considered secure for its time.
The Problem
Although the password is protected, the hash effectively becomes a substitute for the password. If an attacker manages to steal the NTLM hash from memory, they may be able to authenticate without ever knowing the original password.
This concept forms the basis of the Pass-the-Hash attack.
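To make the challenge-response steps and the basis of Pass-the-Hash concrete, here is an added worked example in Python (not code from the original article) that computes an NTLMv2 exchange the way MS-NLMP specifies it: the NT hash is MD4 over the UTF-16LE password, and the response is an HMAC-MD5 keyed from that hash. MD4 is implemented inline because OpenSSL 3 ships it only as a legacy algorithm, so `hashlib.new("md4")` may not be available. The account name, domain, password and timestamp are constructed values. The thing to watch is the signature of `ntlmv2_response`: the password is not an input, so a party holding only the 16-byte NT hash produces a response the verifier accepts.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; inlined because hashlib.new('md4') may be unavailable with OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [i + 4 * j for i in range(4) for j in range(4)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [i + 4 * j for i in (0, 2, 1, 3) for j in (0, 2, 1, 3)], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for step, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[step % 4])
                a, b, c, d = d, a, b, c      # rotate roles so the next step updates the next register
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): MD4 over the UTF-16LE password. Stored by the DC, cached by LSASS."""
    return md4(password.encode("utf-16-le"))


def response_key_nt(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) || domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int) -> bytes:
    """NtChallengeResponse = NTProofStr || blob. Inputs are the NT hash, never the password."""
    blob = (b"\x01\x01" + b"\x00" * 6            # RespType, HiRespType, reserved
            + struct.pack("<Q", timestamp)        # FILETIME
            + client_challenge + b"\x00" * 4      # 8-byte client nonce, reserved
            + b"\x00" * 4 + b"\x00" * 4)          # MsvAvEOL only (no AV pairs in this demo), reserved
    proof = hmac.new(response_key_nt(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """The verifier recomputes NTProofStr from the stored NT hash and the blob the client echoed back."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(response_key_nt(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo(password: str = "Summer2024!", user: str = "alice", domain: str = "CORP") -> dict:
    """Constructed account. The legitimate client and a hash-only attacker both pass; a wrong hash fails."""
    real_nt = nt_hash(password)                 # what the DC stores and LSASS caches on the client
    challenge, nonce, ts = os.urandom(8), os.urandom(8), 0x01DA8B2F0C3E5A00   # ts: made-up FILETIME
    legit = ntlmv2_response(real_nt, user, domain, challenge, nonce, ts)
    stolen_nt = bytes(real_nt)                  # the attacker dumped these 16 bytes, not the password
    pth = ntlmv2_response(stolen_nt, user, domain, challenge, nonce, ts)
    wrong = ntlmv2_response(nt_hash("wrong-guess"), user, domain, challenge, nonce, ts)
    return {
        "legit_ok": server_verify(real_nt, user, domain, challenge, legit),   # True
        "pth_ok": server_verify(real_nt, user, domain, challenge, pth),       # True: the hash is the secret
        "wrong_ok": server_verify(real_nt, user, domain, challenge, wrong),   # False
    }
```

`demo()` returns `legit_ok` and `pth_ok` as True and `wrong_ok` as False. Two standard sanity checks for the MD4 step: the NT hash of an empty password is 31d6cfe0d16ae931b73c59d7e0c089c0 and the NT hash of "password" is 8846f7eaee8fb117ad06bdd830b7586c.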
Understanding Kerberos
Kerberos is the default authentication protocol in modern Active Directory environments.
Rather than relying solely on password hashes, Kerberos uses a ticket-based system.
Key Components
- Client (User)
- Key Distribution Center (KDC), which in Active Directory runs on every domain controller and hosts the next two services
- Authentication Server (AS)
- Ticket Granting Server (TGS)
- Target Service
Simplified Authentication Flow:
Step 1: Initial Login
The user enters their credentials. The client sends the Authentication Server a request that includes a timestamp encrypted with a key derived from the user's password (pre-authentication).
If the timestamp decrypts correctly, the Authentication Server issues a Ticket Granting Ticket (TGT), encrypted under the krbtgt account's key so the client can hold it but neither read nor alter it, together with a session key for the client.
Step 2: Requesting a Service
When the user wants to access a resource, they present the TGT to the Ticket Granting Server, along with an authenticator encrypted with the session key.
The TGS issues a Service Ticket, encrypted under the target service's own long-term key.
Step 3: Accessing the Resource
The user presents the Service Ticket to the destination server, which decrypts it with its own key, verifies it and grants access.
The major advantage is that the user's password does not need to be repeatedly transmitted across the network, and the domain controller does not even need to be contacted for Step 3.
NTLM vs Kerberos
| Feature | NTLM | Kerberos |
| --- | --- | --- |
| Authentication Method | Challenge-Response | Ticket-Based |
| Default in Modern Domains | No | Yes |
| Password Hash Usage | Directly involved in every authentication | Used as the long-term key only to obtain the TGT |
| Performance | Slower | Faster |
| Mutual Authentication | Not supported | Supported |
| Common Attack | Pass-the-Hash | Pass-the-Ticket |
What is Pass-the-Hash?
Pass-the-Hash (PtH) is a credential theft technique where an attacker authenticates using a stolen NTLM hash instead of the actual password.
The attacker does not need to crack or decrypt the hash.
If the operating system accepts the hash as proof of identity, access can be granted.
Why It Works
Windows authentication often treats possession of the correct hash as equivalent to knowing the password itself.
Attackers commonly obtain these hashes from:
- Memory dumps
- Compromised administrator sessions
- Credential caching
- Misconfigured systems
Once obtained, the attacker may move laterally across systems within the network.
What is Pass-the-Ticket?
In Kerberos environments, attackers target tickets instead of password hashes.
If a valid Ticket Granting Ticket or Service Ticket is stolen, it may be reused to access resources without re-entering credentials.
This technique is known as Pass-the-Ticket (PtT).
Unlike Pass-the-Hash, the attacker abuses the trust placed in Kerberos tickets.
Since tickets are already authenticated by the domain controller, presenting a valid stolen ticket can allow unauthorized access.
You may ask: "In NTLM, the Pass-the-Hash technique uses the hash to authenticate if the hash is stolen; then the same goes for Kerberos when the ticket is stolen, right? Both are equally vulnerable, am I wrong?" That's what I asked when I first learned about Kerberos…
Yes, both are vulnerable if their authentication artifacts are stolen. However, they are not equally vulnerable, because the things being stolen have different properties.
NTLM: The hash is a long-lived, static secret. It remains valid until the password is changed, and it works against any host in the domain that accepts NTLM.
Kerberos: The ticket is more like a temporary access pass. A TGT has a fixed lifetime (10 hours by default in Active Directory, renewable for up to 7 days), a Service Ticket is bound to one specific service, and neither can be modified or forged without the KDC's keys.
Imagine Kerberos as an airport.
- You show your passport (password) at check-in.
- The airline gives you a boarding pass (Ticket Granting Ticket).
- You use that boarding pass to get onto specific flights (Service Tickets).
After you've received the boarding pass, you don't keep showing your passport.
If an attacker steals your boarding pass before it expires, they may be able to use it.
That's Pass-the-Ticket.
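Here is an added example in Python (not code from the original article) that walks through the three-step flow from the Kerberos section above as a small simulation, then replays the same TGT the way Pass-the-Ticket does and shows where the "temporary access pass" property bites. The realm, principals and passwords are constructed. The cipher is a stand-in (an HMAC-SHA256 keystream with an HMAC tag), because the point is the structure of the exchange: what each ticket is sealed under, who can open it, and which steps never touch the password. Real Kerberos uses AES-CTS with HMAC-SHA1 (RFC 3962) and checks more fields than this demo does.

```python
import hashlib
import hmac
import json
import os
import time

# Cipher stand-in for the demo: HMAC-SHA256 counter-mode keystream plus an HMAC-SHA256 tag,
# with usage-separated subkeys (encrypt-then-MAC). Real Kerberos uses AES-CTS + HMAC-SHA1
# (RFC 3962); the point here is the exchange, not the cipher.
def _sub(key: bytes, usage: bytes) -> bytes:
    return hmac.new(key, usage, hashlib.sha256).digest()

def _ks(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(_sub(key, b"enc"), nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a ticket or authenticator body so only a holder of `key` can read or alter it."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _ks(key, nonce, len(ct)))))

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key; AES etypes use PBKDF2 over the password and a realm+principal salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

class KDC:
    """The AS and TGS roles of a domain controller; holds every principal's long-term key."""
    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in passwords.items()}
        self.keys["krbtgt"] = os.urandom(32)           # the key every TGT is sealed under

    def as_exchange(self, user: str, preauth: bytes, now: int):
        """AS-REQ: PA-ENC-TIMESTAMP under the user's key proves the password. AS-REP: TGT + session key."""
        if abs(unseal(self.keys[user], preauth)["timestamp"] - now) > 300:
            raise ValueError("clock skew too great")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": user, "session": session, "endtime": now + 10 * 3600})
        return tgt, seal(self.keys[user], {"session": session})   # 10 h: AD's default TGT lifetime

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ: the TGT plus an authenticator under its session key. TGS-REP: service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)              # only the KDC can open or mint a TGT
        if now > t["endtime"]:
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["session"]), authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match ticket")
        svc_session = os.urandom(32).hex()
        st = seal(self.keys[service], {"cname": t["cname"], "sname": service,
                                       "session": svc_session, "endtime": now + 600 * 60})
        return st, seal(bytes.fromhex(t["session"]), {"session": svc_session})

def service_accept(service_key: bytes, st: bytes, authenticator: bytes, now: int) -> str:
    """AP-REQ: the service validates the ticket with its own key; the DC is not contacted."""
    t = unseal(service_key, st)
    if now > t["endtime"]:
        raise ValueError("service ticket expired")
    if unseal(bytes.fromhex(t["session"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"]

def client_login(kdc: KDC, user: str, password: str, now: int):
    """Step 1: the only step in which the password (via its derived key) is used."""
    key = string_to_key(password, kdc.realm + user)
    tgt, enc = kdc.as_exchange(user, seal(key, {"timestamp": now}), now)
    return tgt, bytes.fromhex(unseal(key, enc)["session"])

def use_ticket(kdc: KDC, tgt: bytes, session: bytes, cname: str, service: str, svc_key: bytes, now: int) -> str:
    """Steps 2 and 3 with whatever TGT and session key the caller holds. No password is involved."""
    st, enc = kdc.tgs_exchange(tgt, seal(session, {"cname": cname, "timestamp": now}), service, now)
    svc_session = bytes.fromhex(unseal(session, enc)["session"])
    return service_accept(svc_key, st, seal(svc_session, {"cname": cname, "timestamp": now}), now)

def demo() -> dict:
    now = int(time.time())
    kdc = KDC("CORP.LOCAL", {"alice": "Summer2024!", "cifs/fs01": "svc-pw"})   # constructed principals
    fs_key = kdc.keys["cifs/fs01"]                   # the file server holds its own long-term key
    tgt, session = client_login(kdc, "alice", "Summer2024!", now)
    legit = use_ticket(kdc, tgt, session, "alice", "cifs/fs01", fs_key, now)
    # Pass-the-Ticket: an hour later the attacker replays alice's TGT + session key dumped from LSASS.
    ptt = use_ticket(kdc, bytes(tgt), bytes(session), "alice", "cifs/fs01", fs_key, now + 3600)
    try:                                             # unlike an NT hash, the stolen TGT dies with its lifetime
        use_ticket(kdc, tgt, session, "alice", "cifs/fs01", fs_key, now + 11 * 3600)
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {"legit": legit, "ptt": ptt, "expired_rejected": expired_rejected}
```

`demo()` returns `"alice"` for both the legitimate access and the replayed ticket, and `expired_rejected` is True once the TGT is past its 10-hour lifetime. Note what the attacker needs for the replay: the TGT blob and its session key, both of which sit in LSASS memory on the victim's machine, and nothing derived from the password.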
Why These Attacks Matter
Credential reuse attacks are a major component of modern cyber intrusions.
Many ransomware operators and advanced persistent threat groups follow a similar pattern:
- Gain initial access.
- Escalate privileges.
- Extract credentials.
- Move laterally using legitimate authentication mechanisms.
- Reach critical infrastructure.
Rather than exploiting software vulnerabilities repeatedly, attackers often exploit trust relationships inside the network.
Defensive Strategies
Organizations can significantly reduce the risk of credential-based attacks by implementing security best practices.
1. Enable Multi-Factor Authentication
Even if credentials are compromised, MFA provides an additional verification layer.
2. Use Credential Guard
Windows Defender Credential Guard uses virtualization-based security to keep NTLM hashes and Kerberos TGTs in an isolated LSA process, so even code running as SYSTEM on the host cannot read them out of memory. It protects the secrets cached on that machine; hashes or tickets stolen from an unprotected machine are unaffected.
3. Apply Least Privilege
Users should only have the permissions necessary for their roles.
4. Limit Administrative Access
Use dedicated administrator accounts and never log on to lower-trust workstations with them: every interactive logon leaves a hash or ticket in that machine's memory, so the accounts with the most privilege should touch the fewest machines.
5. Monitor Authentication Logs
Unusual login patterns, repeated authentication attempts, and abnormal ticket requests should be investigated. In the Windows Security log this means 4624 logons (the Logon Type and Authentication Package fields show NTLM network logons), 4776 NTLM validations on domain controllers, and 4768/4769 Kerberos TGT and service ticket requests.
6. Keep Systems Updated
Security patches often improve protections around authentication and credential handling.
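Assuming 4624 events have already been parsed out of the Security log into records, here is an added example in Python (not from the original article) of two heuristics a defender can run over them: the logon shape a hash injected into a new logon session leaves on the source host, and one account making NTLM network logons to many hosts in a short window. The records are constructed, and the window and host-count thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log 4624 (successful logon) events, reduced to the fields the
# heuristics need. Logon type 3 = network; type 9 = NewCredentials (runas /netonly, or a PtH tool
# injecting a hash into a new logon session). Not real telemetry.
EVENTS = [
    {"time": "2024-05-01T08:55:00", "user": "alice", "host": "WS01", "type": 2, "pkg": "Kerberos", "proc": "User32", "src": "-"},
    {"time": "2024-05-01T09:10:03", "user": "alice", "host": "WS01", "type": 9, "pkg": "Negotiate", "proc": "seclogo", "src": "::1"},
    {"time": "2024-05-01T09:10:41", "user": "alice", "host": "FS01", "type": 3, "pkg": "NTLM", "proc": "NtLmSsp", "src": "10.0.0.25"},
    {"time": "2024-05-01T09:11:02", "user": "alice", "host": "FS02", "type": 3, "pkg": "NTLM", "proc": "NtLmSsp", "src": "10.0.0.25"},
    {"time": "2024-05-01T09:11:30", "user": "alice", "host": "HR-PC7", "type": 3, "pkg": "NTLM", "proc": "NtLmSsp", "src": "10.0.0.25"},
    {"time": "2024-05-01T09:12:15", "user": "alice", "host": "DC01", "type": 3, "pkg": "NTLM", "proc": "NtLmSsp", "src": "10.0.0.25"},
    {"time": "2024-05-01T09:30:00", "user": "bob", "host": "FS01", "type": 3, "pkg": "NTLM", "proc": "NtLmSsp", "src": "10.0.0.31"},
    {"time": "2024-05-01T09:31:00", "user": "bob", "host": "WS02", "type": 2, "pkg": "Kerberos", "proc": "User32", "src": "-"},
    {"time": "2024-05-01T14:00:00", "user": "bob", "host": "FS02", "type": 3, "pkg": "NTLM", "proc": "NtLmSsp", "src": "10.0.0.31"},
]


def _t(e: dict) -> datetime:
    return datetime.fromisoformat(e["time"])


def pth_source_candidates(events: list) -> list:
    """4624 with logon type 9 and logon process 'seclogo' on the source host: the shape left when
    a hash is injected into a new logon session. runas /netonly produces the same event, so this
    is a lead to triage, not proof of Pass-the-Hash."""
    return [e for e in events if e["type"] == 9 and e["proc"].lower() == "seclogo"]


def ntlm_fanout(events: list, window: timedelta = timedelta(minutes=5), min_hosts: int = 3) -> dict:
    """Accounts making NTLM network logons (type 3) to >= min_hosts distinct hosts within `window`,
    the lateral-movement pattern that follows a successful hash theft. Thresholds are assumptions."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["type"] == 3 and e["pkg"].upper() == "NTLM":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):                       # slide a window from each logon
            hosts = {x["host"] for x in evs[i:] if _t(x) - _t(first) <= window}
            if len(hosts) >= min_hosts:
                hits[user] = {"start": first["time"], "hosts": sorted(hosts), "src": first["src"]}
                break
    return hits
```

On the sample, `pth_source_candidates` returns alice's type 9 logon on WS01 and `ntlm_fanout` flags alice reaching four hosts from 10.0.0.25 inside two minutes, while bob's two NTLM logons hours apart stay below the threshold. Both signals are worth more together than alone: the first says where a hash was injected, the second says where it was then used.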
Conclusion
"Attackers don't need your password; they only need something the system trusts."
Windows authentication is far more than a simple username and password check. NTLM and Kerberos were designed to securely verify identities across enterprise environments, but attackers have learned to exploit the trust these systems create.
Understanding how NTLM hashes, Kerberos tickets, Pass-the-Hash, and Pass-the-Ticket attacks work provides valuable insight into both offensive and defensive cybersecurity.
For penetration testers, it explains how lateral movement occurs.
For defenders, it highlights why protecting credentials is one of the most important aspects of enterprise security.
Ultimately, modern cybersecurity is not just about preventing malware — it's about protecting trust itself.
Sorry, people, for the long lecture. I've included only the important things to know; I hope you forgive me and connect with me through the links below :)