Taming Kerberos: Compass Security Launches Deep Dive Series on AD's Three-Headed Guardian
For over two decades, Kerberos has stood as the gatekeeper of enterprise Windows environments, silently authenticating billions of requests to file shares, databases, and applications. Designed to replace the flawed NTLM protocol, it brought robust cryptography to the table — but also introduced labyrinthine complexity. This complexity, as security professionals know all too well, is the breeding ground for misconfigurations and devastating attacks.
The three-headed dog Cerberus guards the gates of the underworld in Greek mythology — a fitting metaphor for Kerberos, the guardian of Active Directory. (Image: Compass Security)
Now, Swiss cybersecurity firm Compass Security is aiming to demystify this critical protocol with a comprehensive six-part YouTube series. Slated to launch on September 2, 2025, the series promises a technical deep dive into Kerberos mechanics, its most notorious vulnerabilities, and practical defensive strategies.
"Kerberos sits at the heart of privilege escalation and lateral movement in Active Directory," notes the Compass Security blog announcement. "Some vulnerabilities are obvious... Others are deeply embedded, interconnected, and have consequences that are far from intuitive." The series aims to bridge the gap between theoretical protocol specifications and real-world offensive and defensive operations.
Inside the Series: From Protocol Basics to Delegation Dangers
The journey begins with a foundational breakdown of the Kerberos protocol in Part 1, dissecting its core components, message flows, and underlying concepts. This sets the stage for exploring specific attack vectors:
- Kerberoasting (Part 2): Attackers exploit service accounts by requesting and cracking their encrypted Kerberos tickets.
- AS-REP Roasting (Part 3): A variation targeting misconfigured user accounts lacking pre-authentication.
- Unconstrained Delegation (Part 4): The original (and highly dangerous) impersonation mechanism, allowing attackers to compromise entire systems.
- Constrained Delegation (Part 5): Microsoft’s more secure successor to unconstrained delegation — but still rife with potential misconfiguration risks.
- Resource-Based Constrained Delegation (Part 6): The latest delegation model, introducing new attack surfaces if improperly managed.
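Each attack in the list above has a precondition that is visible in Active Directory attributes: a user account carrying a servicePrincipalName (Kerberoasting), the DONT_REQ_PREAUTH bit in userAccountControl (AS-REP roasting), the TRUSTED_FOR_DELEGATION bit (unconstrained delegation), a populated msDS-AllowedToDelegateTo (constrained delegation, with TRUSTED_TO_AUTH_FOR_DELEGATION marking protocol transition), and a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based constrained delegation). The following audit script is an added example for this article, not code from Compass Security or from the series; it runs over constructed account records shaped like those LDAP attributes (the record layout and the sample names are assumptions) and reports which of the five conditions each account meets, which is the inventory a blue team would want before the episodes air.

```python
"""Flag Active Directory accounts exposed to the Kerberos attacks named in the
series outline. Example code added for this article (not Compass Security's);
the account records below are constructed, not taken from a real domain."""

# userAccountControl bit flags as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-authentication not required
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def audit_account(acct):
    """Return a list of finding strings for one account record.

    The record is a dict mirroring LDAP attributes (assumed layout):
    sAMAccountName, userAccountControl (int), servicePrincipalName (list),
    msDS-AllowedToDelegateTo (list), msDS-AllowedToActOnBehalfOfOtherIdentity
    (truthy when a descriptor is present), adminCount (int), isComputer (bool).
    """
    uac = acct.get("userAccountControl", 0)
    findings = []
    if uac & UF_ACCOUNTDISABLE:
        return findings  # a disabled account cannot obtain tickets; nothing to report

    # Kerberoasting needs a ticket encrypted with a human-chosen password:
    # user accounts with SPNs, not computer accounts with random passwords.
    spns = acct.get("servicePrincipalName", [])
    if spns and not acct.get("isComputer", False):
        findings.append("kerberoastable: user account with SPN(s) %s" % ", ".join(spns))

    if uac & UF_DONT_REQ_PREAUTH:
        findings.append("as-rep-roastable: pre-authentication disabled")

    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation: TRUSTED_FOR_DELEGATION set")

    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if targets:
        kind = ("with protocol transition" if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION
                else "Kerberos-only")
        findings.append("constrained-delegation (%s) to %s" % (kind, ", ".join(targets)))

    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd: other principals may act on behalf of this account")

    # Privileged accounts that can still be delegated are the high-value
    # targets of every delegation abuse; the sensitive flag blocks that.
    if acct.get("adminCount", 0) and not (uac & UF_NOT_DELEGATED):
        findings.append("privileged account not marked sensitive (delegation allowed)")
    return findings


def run_audit(accounts):
    """Map sAMAccountName -> findings, omitting accounts with nothing to report."""
    report = {}
    for acct in accounts:
        found = audit_account(acct)
        if found:
            report[acct["sAMAccountName"]] = found
    return report


# Constructed sample records (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
# 0x1000 = WORKSTATION_TRUST_ACCOUNT). Names and SPNs are invented.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200 | UF_DONT_REQ_PREAUTH},
    {"sAMAccountName": "WEB01$", "isComputer": True,
     "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/web01.corp.example"]},
    {"sAMAccountName": "svc_web", "adminCount": 1,
     "userAccountControl": 0x10200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "servicePrincipalName": ["HTTP/web.corp.example"],
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10200 | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/old.corp.example"]},
    {"sAMAccountName": "APP02$", "isComputer": True, "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": True},
]

if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE_ACCOUNTS).items():
        for f in findings:
            print("%-10s %s" % (name, f))
```

Against a live domain the same records would come from an LDAP search over the user and computer containers (for instance with the ldap3 module or Get-ADUser/Get-ADComputer requesting those attributes); the script deliberately treats computer accounts with SPNs as non-roastable, because their machine passwords are long and random, while user accounts with SPNs are exactly the population Part 2 is about.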
Each installment will balance offensive techniques used by penetration testers and red teams with actionable defensive measures for system engineers and blue teams. "Understanding how the Kerberos protocol works under the hood reveals why and how well-known attacks... work, and more importantly, how they can be prevented," emphasizes Compass.
Why This Series Matters
Active Directory remains the dominant identity management system in corporate networks, and Kerberos is its lifeblood. Yet, comprehensive, practical resources explaining both its exploitation and hardening are scarce. This series fills that gap, offering nuanced insights applicable to penetration testers, security consultants, and infrastructure architects alike.
The first videos drop on September 2, 2025, with two episodes released weekly on the Compass Security YouTube channel. For security professionals navigating the intricate world of Windows authentication, this deep dive might just be the key to taming the three-headed dog guarding their network.
Source: Compass Security Blog