    June 28, 2023

    Authentication Protocols 101: NTLM, Kerberos, LDAP and RADIUS

    Establishing the right authentication protocol for your business is one way to achieve better security, but the process can be overwhelming. 

    We’ll walk you through some common authentication protocols and how they work. 

    What Is an Authentication Protocol?

    An authentication protocol enables a receiving entity (such as a server) to verify the user identity of another party. User authentication protocols secure communication between computer networks.

    What is NTLM and How Does It Work?

    NTLM (Windows NT LAN Manager) is a suite of protocols used to authenticate a client to a resource in an Active Directory domain. This suite includes NTLMv1, NTLMv2, and NTLM2 Session protocols. 

    NTLM was the primary method of authentication prior to Windows 2000 and is vulnerable to many different attacks, such as pass-the-hash and brute force. However, it is still widely deployed to maintain compatibility with older systems that cannot use newer cryptography.

    NTLM uses a challenge-response method of authentication: the domain controller or target computer checks the client's response against the stored hash for that account to make sure it is a match. When there is a match, it allows the client access to the resource. The system stores NTLM password hashes either in the SAM database in the registry (for local authentication) or on the domain controller in the ntds.dit file.

    1. The client makes an authentication request.
    2. The resource being accessed challenges that request with a 16-bit random number.
    3. The client computes a response from the challenge and the hash of the password the user entered, and sends it back.
    4. The resource being accessed forwards the username, the challenge, and the response to the domain controller.
    5. The domain controller receives that forwarded response. If it matches against the stored hash in ntds.dit, it returns the access status and allows or denies access to the resource.
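    Steps 3 and 5 above, as an added example that is not part of the original post: the client proves it holds the hash, and the verifier recomputes the same proof from the hash it stores, using the NTLMv2 construction from MS-NLMP (HMAC-MD5 keyed with the NT hash). The stored hash, challenge, and blob are constructed values.

```python
import hmac
import hashlib

# Constructed stand-in for the NT hash a domain controller holds in ntds.dit
# (a made-up 16-byte value, not derived from any real password).
STORED_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")

def ntlmv2_key(nt_hash, user, domain):
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over the upper-cased
    user name plus the domain, both UTF-16LE.  Only the hash is needed, which is
    why a stolen hash is as damaging as the password (pass-the-hash)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def client_response(nt_hash, user, domain, server_challenge, blob):
    """Step 3: the client answers with NTProofStr || blob, where
    NTProofStr = HMAC-MD5(key, challenge || blob) and the blob carries the
    client's timestamp and nonce."""
    key = ntlmv2_key(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def verify_response(stored_nt_hash, user, domain, server_challenge, response):
    """Step 5: the domain controller recomputes the proof from the stored hash
    and the challenge it issued; the password itself never crosses the wire."""
    if len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    key = ntlmv2_key(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def demo():
    """Constructed exchange: the fresh challenge verifies, a replay against a
    different challenge does not, and a different stored hash does not."""
    challenge = bytes.fromhex("1122334455667788")   # 8-byte server challenge
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 4
    resp = client_response(STORED_NT_HASH, "alice", "CORP", challenge, blob)
    replay_ok = verify_response(STORED_NT_HASH, "alice", "CORP", bytes.fromhex("8877665544332211"), resp)
    wrong_hash_ok = verify_response(bytes(16), "alice", "CORP", challenge, resp)
    return verify_response(STORED_NT_HASH, "alice", "CORP", challenge, resp), replay_ok, wrong_hash_ok

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```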

    What is Kerberos and How Does It Work?

    Microsoft replaced NTLM with Kerberos as the preferred method of authentication starting with Windows 2000. Kerberos has implementations across other operating systems and is maintained by The Kerberos Consortium as an open-source project. Microsoft created its own version of Kerberos and has used it as the go-to protocol for authentication across its platforms.

    Kerberos adds secret-key cryptography and third-party ticket authorization to make it a more secure method of authentication. The protocol takes its name from Cerberus, the three-headed dog that guards the underworld in Greek mythology. The three heads in Kerberos are the client, the server, and the Key Distribution Center (KDC). The KDC has the role of both the Authentication Server (AS) and the Ticket Granting Server (TGS).

    1. The client requests an authentication ticket (Ticket Granting Ticket, or TGT).
    2. The KDC verifies the credentials and returns an encrypted TGT and session key.
    3. The client stores that TGT until it expires, then requests a new one.
    4. The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access.
    5. The TGS sends the client a session key for the resource.
    6. The client uses that session key for access.


    What is LDAP and How Does It Work?

    Lightweight Directory Access Protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. LDAP has been in use since the early 90s and has been a significant part of many networks since. 

    Its use is not limited to authentication: you can also use it to find files and devices on a network, or to modify entries in the database. Most environments do not use LDAP for pure authentication, as it is not secure by default and is easy to misconfigure. For example, LDAP on its own (without configuring LDAPS) sends credentials in plaintext over the network.

    LDAP without TLS/SSL is fairly simple. The client sends a request to the LDAP server over port 389. This is called a "bind request" and includes the account name, the domain name, and the user's password. The server checks the password against the bind database and returns the access decision or the requested information.

    What is RADIUS and How Does It Work?

    Remote Authentication Dial In User Service (RADIUS) is a client-server network protocol. It was originally designed to authenticate remote users to a dial-in access server and with low-bandwidth conditions in mind. 

    RADIUS authentication begins when the client requests access to a resource through a Remote Access Server (RAS) or Network Access Server (NAS). The RAS passes the authentication request to the RADIUS server, which then checks the information against a locally stored database file or an external source such as Active Directory. 

    Differences Between Protocols

    NTLMv1
      Authentication: Challenge-response
      Encryption: DES
      Some common attacks: Authentication downgrade, LDAP relay, Pass-the-hash

    NTLMv2
      Authentication: Challenge-response
      Encryption: HMAC-MD5
      Some common attacks: Pass-the-hash, LLMNR/NBT-NS poisoning, SMB relay

    Kerberos
      Authentication: Third-party ticket
      Encryption: DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1
      Some common attacks: Pass-the-ticket, Golden Ticket, Silver Ticket, Credential stuffing/Brute force, Encryption downgrade, DCShadow, AS-REP roasting, Kerberoasting

    LDAP
      Authentication: Makes use of Kerberos, RADIUS, or OAuth
      Encryption: None
      Some common attacks: Account discovery, Brute force, Domain enumeration

    RADIUS
      Authentication: Centralized
      Encryption: Many, but the most common are EAP-TLS, PEAP-MSCHAPv2, and EAP-TTLS/PAP
      Some common attacks: Response Authenticator, User-Password Attribute Cipher Design, Shared Secret Attack, User-Password Based, Request Authenticator

    Choosing The Best Protocol For Your Organization

    The right protocol for your environment depends on your existing infrastructure and application needs. All types of authentication methods are susceptible to cyberattacks and come with pros and cons. When considering protocols, ask yourself the following questions: 

    • Which apps require access? 
    • Can this protocol scale with my organization? 
    • Which protocol is my staff most familiar with? 
    • Which is most compatible with my infrastructure and won’t require me to overhaul existing systems? 

    How To Tell What Protocol You Are Using

    To determine what authentication protocol is used, check the network configuration settings on the device or service that you use to authenticate. Here are some steps you can follow:

    • Check the authentication settings on the device or service: This may be in the form of a configuration file, management interface, or GUI. Look for settings related to authentication and security.
    • Look for the authentication protocol used: Depending on the device or service, you may see specific protocol names such as PAP, CHAP, MS-CHAP, or EAP.
    • Check the logs: Many authentication services log authentication attempts and results. Check the logs to see if there is any mention of the authentication protocol used.
    • Use a network analyzer: Network analyzers such as Wireshark can capture and analyze network traffic. By capturing authentication traffic, you can identify the protocol used.
    • Consult the documentation: The documentation for the device or service may provide information on what authentication protocols are supported and how to configure them.

    By following these steps, you can determine what authentication protocol is being used and ensure that the appropriate security measures are in place.
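    The "check the logs" step, as an added example that is not part of the original post: on Windows, the Security log's 4624 logon events name the authentication package (Kerberos or NTLM, and for NTLM whether V1 or V2), and 4768/4769 ticket events carry the Kerberos encryption type. The parser below inventories which protocol logons actually used and flags the NTLMv1 and DES/RC4 downgrade cases from the comparison table. The log text, accounts, and addresses are constructed; the field names are those of the Windows events.

```python
import re
from collections import Counter

# Constructed sample of exported Windows Security events (two 4624 logons and
# one 4769 service-ticket request) in "Field: value" form; names are made up.
SAMPLE_LOG = """\
Event ID: 4624
Account Name: alice
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Source Network Address: 10.0.0.25
---
Event ID: 4624
Account Name: svc-backup
Authentication Package: Kerberos
---
Event ID: 4769
Account Name: carol@CORP.LOCAL
Service Name: MSSQLSvc/db01.corp.local
Ticket Encryption Type: 0x17
"""
# Kerberos encryption-type codes as Windows logs them in 4768/4769 events.
ETYPES = {"0x1": "DES_CBC_CRC", "0x3": "DES_CBC_MD5", "0x11": "AES128_HMAC_SHA1",
          "0x12": "AES256_HMAC_SHA1", "0x17": "RC4_HMAC_MD5"}
WEAK_ETYPES = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}

def parse_events(text):
    """Split the export on '---' and turn each event into a field dict."""
    chunks = (dict(re.findall(r"^([^:\n]+): (.*)$", c, re.M)) for c in text.split("---"))
    return [c for c in chunks if c]

def protocol_of(ev):
    """'Kerberos', 'NTLM V1', 'NTLM V2', or whatever other package was logged."""
    pkg = ev.get("Authentication Package", "")
    return ev.get("Package Name (NTLM only)", "NTLM") if pkg == "NTLM" else pkg

def inventory(events):
    """The 'check the logs' step: count which protocol each 4624 logon used."""
    return Counter(protocol_of(e) for e in events if e.get("Event ID") == "4624")

def weak_findings(events):
    """Flag NTLMv1 logons and tickets issued with DES or RC4 (the downgrade rows of the table)."""
    out = []
    for e in events:
        if e.get("Event ID") == "4624" and protocol_of(e) == "NTLM V1":
            out.append(("NTLMv1 logon", e["Account Name"], e.get("Source Network Address", "?")))
        elif e.get("Event ID") == "4769":
            et = ETYPES.get(e.get("Ticket Encryption Type", ""), "unknown")
            if et in WEAK_ETYPES:
                out.append(("weak Kerberos etype " + et, e["Account Name"], e.get("Service Name", "?")))
    return out
```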

    Insecure Protocols

    There are several insecure authentication protocols that are no longer recommended for use. This is due to their weaknesses and susceptibility to attacks. Here are some examples:

    1. Telnet: Telnet is an unencrypted protocol that transmits login credentials in plaintext, making it susceptible to eavesdropping and interception.
    2. FTP (File Transfer Protocol): FTP also transmits login credentials in plaintext, which can be easily intercepted and used to gain unauthorized access to the system.
    3. SNMP (Simple Network Management Protocol): SNMP uses a weak authentication mechanism that transmits community strings in plaintext, making it vulnerable to attacks such as spoofing and eavesdropping.
    4. HTTP (Hypertext Transfer Protocol): HTTP also transmits login credentials in plaintext, making it vulnerable to interception and replay attacks.
    5. SMB (Server Message Block): SMB is a protocol used for file sharing on Windows systems. Older versions of SMB (such as SMBv1) are susceptible to vulnerabilities and ransomware attacks such as WannaCry.

    Overall, it is recommended to avoid using insecure authentication protocols and use stronger authentication mechanisms that provide encryption and protection against attacks.

    Going Beyond Authentication

    Finding the right authentication method is one way to get started with your organization’s cybersecurity maturity journey, but it’s just the tip of the iceberg. Having complete visibility across your environment is the ultimate goal. 

    As a cloud-based SIEM+XDR platform, Blumira does things differently by providing more value for better security outcomes, including:

    • Automate Tasks For You – We do all the heavy lifting for your team to save them time, including parsing, creating native third-party integrations, and testing and tuning detection rules to reduce noisy alerts.
    • Faster Time to Security – Our unique approach to detections notifies you of threats other security tools may miss, sending you real-time alerts in under a minute of initial detection to help you respond to threats faster than ever.
    • Easily Meet Compliance – With a year of data retention and deployment that takes minutes to hours, we help you meet cyber insurance and compliance easily and quickly with the team you have today.

    Get your free account and see the value of Blumira today.

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
