Update 10. September 2025: The slides shown in the YouTube videos are now available on our website.

Kerberos is the default authentication protocol in on-prem Windows environments (and has even reached the Cloud by now). It allows users to seamlessly authenticate to file shares, web apps, databases, and countless other services in a corporate network using their domain credentials.

Originally designed to replace NTLM and fix its long-standing security flaws, Kerberos brought stronger security, but along with that also its own peculiarities, security considerations, and lastly, a whole lot of complexity. And where there’s complexity, there’s also a high chance of misconfiguration, misunderstanding, and ultimately, exploitation.

For penetration testers and red teamers, Kerberos often sits at the heart of privilege escalation and lateral movement in Active Directory. Some vulnerabilities are obvious and quick to fix. Others are deeply embedded, interconnected, and have consequences that are far from intuitive.

To tackle this situation, it is essential to understand how the Kerberos protocol works under the hood. This reveals why and how well-known attacks such as Kerberoasting actually work, and more importantly, how they can be prevented.

That’s why we’re launching a 6-part YouTube series, a technical deep dive into Kerberos. We’ll break down the protocol, dissect well-known attacks, and cover defensive strategies to keep your environment secure.

What’s in the Series?

Part 1: Introduction to the Kerberos Protocol

The first part will focus on the basic functionality of the Kerberos protocol and reveal its inner workings. You will learn about the most important building blocks, concepts, and goals in a Kerberos eco system, what messages are exchanged between the participants, and how they can be analyzed and inspected.

Part 2: Kerberoasting

Part 2 focuses on an attack called Kerberoasting, where adversaries can abuse Kerberos to extract and crack passwords of service accounts in an Active Directory environment.

Part 3: AS-REP Roasting

In part 3, we’ll look at another attack called AS-REP roasting. While sharing similarities with Kerberoasting, this technique allows attackers to target and compromise misconfigured user accounts via the Kerberos protocol.

Part 4: Unconstrained Delegation

Kerberos provides a powerful impersonation feature called delegation. In part 4 of this series, we dive into the oldest and most insecure form of this impersonation mechanism: Unconstrained Delegation. We cover how it works under the hood, how it can be abused by attackers and how you can secure your environment accordingly.

Part 5: Constrained Delegation

Constrained delegation is the successor of unconstrained delegation and the main topic in part 5. While Microsoft has addressed the most prevalent security concerns affecting unconstrained delegation, this newer form of delegation still has potential for abuse and may pose a risk to the security of your infrastructure if configured incorrectly.

Part 6: Resource-Based Constrained Delegation

The last part of the series will focus on the latest addition to the delegation mechanisms available in Kerberos: Resource-Based Constrained Delegation (or RBCD for short). While almost identical to constrained delegation, RBCD opens up new ways for adversaries to exploit misconfigurations in your environment.

Why Watch?

As you can see, there is a lot to talk about. In this video series we will cover both the offensive and defensive side of Kerberos and highlight important aspects for attackers as well as defenders. So whether you are working as a penetration tester, system engineer, or security consultant, we are sure that this series will give you the insights you need to handle Kerberos with confidence.

When and Where?

Starting on September 2, 2025, two videos will be released each week on our YouTube channel. Keep an eye on this playlist so you don’t miss any new releases!

You can also find the slides shown in the YouTube videos on our website.