Authentication

How Authentication Works

Passwords, hashes, tokens, Kerberos, and NTLM — the systems you'll be attacking

13 min readUpdated 2026-04-18
#hashing#kerberos#ntlm#tokens#oauth#mfa
TL;DR
  • Authentication proves identity — passwords, certificates, tokens, and biometrics are all just different proofs
  • Passwords are never stored in plaintext (if the system is sane) — they're stored as hashes
  • NTLM and Kerberos are the two Windows authentication protocols — each has distinct attack paths
  • Tokens (JWT, session cookies) are bearer credentials — whoever has the token IS authenticated
  • MFA raises the bar significantly — understanding how each factor works shows you where it can be bypassed

What Authentication Actually Is

Authentication answers one question: are you who you claim to be?

The three factors:

FactorDescriptionExample
Something you knowSecret knowledgePassword, PIN, security question
Something you havePhysical or digital possessionHardware token, phone (TOTP), smart card
Something you areBiometricFingerprint, face ID

MFA combines two or more factors. Bypassing MFA means either compromising a factor or attacking the implementation — not the factor itself.

Password Hashing — Why It Matters

Passwords must never be stored in plaintext. Instead, they're put through a one-way hash function. You can't reverse a hash — but you can hash known passwords and compare.

step 1User sets password'hunter2'
step 2Hash functionalgorithmSHA-256, bcrypt, NTLM...
step 3Hash stored5f4dcc3b5aa...
step 4Login attemptHash input, compare
step 5Match = accessOr crack offline

Common Hash Algorithms

AlgorithmFormatUsed whereCrackable?
MD55f4dcc3b5aa765d61d8327deb882cf99Legacy, still commonVery fast — use GPU
SHA-12aae6c35c94fcfb415dbe95f408b9ce91ee846edOld web appsFast
SHA-25664 hex charsModern checksumsFast — but salting helps
bcrypt$2b$12$...Unix passwordsVery slow — GPU-resistant
NTLM8846f7eaee8fb117ad06bdd830b7586cWindows authModerate — no salt
NetNTLMv2user::domain:challenge:...Windows network authModerate — must capture challenge
sha512crypt$6$...Modern Linux /etc/shadowSlow
Salt

A salt is random data added to the password before hashing. It means two users with the same password get different hashes. It kills precomputed rainbow table attacks. bcrypt, sha512crypt, and Argon2 salt automatically. MD5 and NTLM do not.

Linux Password Storage

Linux stores hashes in /etc/shadow (root-readable only). /etc/passwd contains user info but not hashes (the x means "look in shadow").

$6$rounds=5000$salt$hash
$6
algorithm: $1=MD5, $5=SHA-256, $6=SHA-512, $y=yescrypt
rounds=5000
iteration count (higher = slower to crack)
salt
random salt — prevents rainbow table attacks
hash
the actual password hash
bash
# If you have root or /etc/shadow access:
cat /etc/shadow | grep -v '!\*' | cut -d: -f1,2  # Show hashed accounts
# Copy hash to hashcat:
hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt  # $6$ = mode 1800

Windows Authentication — NTLM

NTLM (NT LAN Manager) is Windows' legacy authentication protocol. Still everywhere.

How NTLM works (challenge/response):

NTLM Challenge-Response
ClientServer
ClientServerNEGOTIATE
ServerClientCHALLENGE (random 8 bytes)
ClientServerRESPONSE (NT hash of challenge)
ServerClientaccess granted / denied

Why NTLM is weak:

  • The NT hash is derived directly from the password with no salt
  • The challenge/response (NetNTLMv2) can be captured over the network and cracked offline
  • Pass-the-Hash: you don't need the password — the hash itself authenticates you in many configurations
$responder -I eth0 -rdwv
Poison LLMNR/NBT-NS/mDNS queries to capture NetNTLMv2 hashes from Windows clients
-Ieth0
Network interface to listen on
-r
Enable answers for NETBIOS wredir suffix queries
-d
Enable answers for NETBIOS domain suffix queries
-w
Start WPAD rogue proxy server
-v
Verbose output — show all captured hashes

Windows Authentication — Kerberos

Kerberos is the modern Windows authentication protocol, used in Active Directory environments. It's ticket-based — no password ever traverses the network.

Kerberos Flow (Simplified)

Kerberos Authentication Flow
UserKDC (Domain Controller)Target Service
UserKDCAS-REQ (user + timestamp)
KDCUserAS-REP (TGT, krbtgt encrypted)
UserKDCTGS-REQ (TGT + service name)
KDCUserTGS-REP (service ticket)
UserTarget Svcservice ticket

Kerberos Attack Paths

AttackWhat it exploits
KerberoastingRequest service tickets for SPNs, crack offline
AS-REP RoastingAccounts with pre-auth disabled → crack TGT offline
Pass-the-TicketSteal and use Kerberos tickets from memory
Golden TicketForge TGTs using the krbtgt hash — unlimited domain access
Silver TicketForge service tickets using service account hash
Overpass-the-HashConvert NTLM hash into a Kerberos ticket
Kerberoasting

Any domain user can request a service ticket for any SPN. The ticket is encrypted with the service account's password hash. If the service account has a weak password, you crack it offline with zero detection risk. This is one of the most common Active Directory attacks.

Web Authentication — Sessions and Tokens

Session Cookies

Traditional web authentication:

  1. User submits username + password
  2. Server validates, creates session record, generates session ID
  3. Session ID sent to browser as cookie
  4. Every subsequent request includes the cookie

Attacks: Session fixation, cookie theft (XSS), brute force session IDs if they're weak.

Session ID in a cookie:

Set-Cookie: PHPSESSID=a3fWa; HttpOnly; Secure; SameSite=Strict
PHPSESSID=a3fWa
session ID value — should be random and unpredictable
HttpOnly
no JS access — blocks XSS cookie theft
Secure
HTTPS only — blocks sniffing
SameSite=Strict
not sent on cross-site requests — CSRF protection

JWT (JSON Web Tokens)

JWTs are self-contained tokens. No server session storage needed — the token carries the claims.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
header (base64) — algorithm + token type
eyJ1c2VyIjoiYWRtaW4ifQ
payload (base64) — the claims (user, role, exp...)
signature
HMAC or RSA signature — validates the token wasn't tampered

Decoded payload:

json
{
  "user": "admin",
  "role": "user",
  "exp": 1714000000
}

Common JWT attacks:

  • Algorithm confusion — change alg: HS256 to alg: none to bypass signature verification
  • Weak secret — brute force the HMAC secret (hashcat -m 16500)
  • RS256 → HS256 — flip algorithm, sign with the public key as HMAC secret
bash
# Crack JWT secret
hashcat -a 0 -m 16500 token.txt /usr/share/wordlists/rockyou.txt

OAuth 2.0 and SSO

OAuth 2.0 is an authorisation framework, not an authentication protocol — though it's commonly used for both via OIDC (OpenID Connect).

The flow (Authorization Code):

OAuth 2.0 — Authorization Code Flow
UserAppGoogle
UserApplogin
AppGoogleOAuth request
GoogleUserredirect (+ authorization code)
AppGoogleexchange code for token
GoogleAppaccess token
AppUserlogged in

Attack surface:

  • Redirect URI manipulation — steal the code by injecting an attacker-controlled redirect
  • State parameter bypass — missing CSRF protection in OAuth flow
  • Token leakage — access tokens in logs, URLs, Referer headers
  • Open redirects — chain with redirect URI validation to exfiltrate codes

MFA — How It Works and Where It Breaks

MFA TypeHow it worksBypass path
TOTP (Google Auth)Time-based 6-digit code (RFC 6238)Phishing real-time code, SIM swap
SMS OTPOne-time code via textSIM swap, SS7 attacks, phishing
Hardware token (FIDO2)Cryptographic challenge/responsePhysical theft, supply chain
Push notificationApp-based approve/denyMFA fatigue (spam until user approves)
Email OTPCode to emailCompromise the email account
MFA Fatigue

Send an MFA push notification repeatedly at 2am. Some percentage of users will tap "Approve" just to stop the notifications. This is a documented real-world attack technique used in major breaches.

Credential Storage — Where Passwords Hide

LocationWhat's thereHow to access
/etc/shadowLinux user hashesRead as root
Windows SAMLocal user NTLM hashesSYSTEM privileges required
LSASS processLogged-in user hashes + Kerberos ticketsMimikatz, ProcDump as SYSTEM
NTDS.ditAll AD user hashesDomain Admin + VSS or DCSync
Browser profilesSaved passwords (encrypted)Tools like LaZagne, SharpWeb
Environment variablesAPI keys, passwords in configenv, printenv, /proc/self/environ
Config filesHardcoded credentialsGrep recursively in app directories

Operational Notes

  • NTLM vs NetNTLMv2 — they sound similar but are different. NTLM hash = crackable directly, usable in Pass-the-Hash. NetNTLMv2 = network challenge/response, must be cracked before use, cannot pass-the-hash.
  • bcrypt cost factor$2b$12$ means 2^12 = 4096 iterations. Doubling the cost factor doubles crack time. $2b$10$ is more common and faster to crack.
  • Credential stuffing vs brute force — stuffing uses known breached credentials against new targets. Brute force generates all combinations. Stuffing is orders of magnitude more effective in practice.

What to Read Next

  • Password Attacks — put this theory into practice with Hashcat, John, and Responder
  • Active Directory Enumeration — Kerberos and NTLM attacks in their natural habitat
  • Web Application Analysis — session, cookie, and JWT attacks in web application context
← PreviousLinux Fundamentals for HackersNext →Web Fundamentals
← back to knowledge base