1. What is the primary role of the Key Distribution Center (KDC) in Kerberos?
- To store and enforce access control lists on all AD objects
- To act as a centralized authentication authority that issues encrypted tickets to broker trust between users and services
- To encrypt all network traffic between clients and servers
- To verify that users have the correct permissions before granting access to resources
2. What is the key difference between a TGT and a TGS ticket?
- A TGT is encrypted with the user's password hash; a TGS ticket is encrypted with the KDC's key
- A TGT proves the user's identity to the KDC and is used to request service-specific TGS tickets, which are encrypted with the target service's key
- A TGT grants access to all services in the domain; a TGS ticket is only needed for cross-domain access
- A TGT is issued once and never expires; a TGS ticket expires after each use
3. Why does the design of Kerberos make the krbtgt account the most sensitive account in the domain?
- Because the krbtgt account has Domain Admin privileges by default
- Because the krbtgt account's key encrypts every TGT, so compromising it allows forging identity tickets for any user
- Because the krbtgt account stores all user passwords in plaintext
- Because the krbtgt account processes all LDAP queries in the domain
4. An interviewer asks: 'If Kerberos avoids sending passwords over the network, how do Kerberos-based attacks still work?' Which answer best demonstrates understanding?
- Kerberos attacks intercept passwords in transit despite the protocol's design
- Kerberos attacks exploit the fact that tickets are encrypted with account password hashes — if the password is weak, the ticket can be cracked offline to recover it
- Kerberos attacks only work when NTLM fallback is enabled
- Kerberos attacks require the attacker to already be a Domain Admin
5. What are the three phases of a Kerberos authentication exchange?
- Login, Ticket Request, Access Grant
- Challenge, Response, Verification
- AS exchange (prove identity, receive TGT), TGS exchange (present TGT, receive service ticket), AP exchange (present service ticket to target service)
- Encrypt, Transmit, Decrypt
6. Why is it a misconception to say 'Kerberos grants access to resources'?
- Because Kerberos only works for Windows resources, not all network resources
- Because Kerberos proves identity (authentication) but does not decide what you are allowed to do — authorization happens at the service level
- Because Kerberos only handles initial login, not subsequent resource access
- Because only NTLM can grant access to network resources