How Kerberos works
- The user's password is converted to an NTLM hash, and a timestamp encrypted with that hash is sent to the KDC in the AS-REQ

- The KDC replies with a Ticket Granting Ticket (TGT), which is encrypted using the NTLM hash of the KRBTGT account and sent to the user in the AS-REP

- The user sends the TGT, which is encrypted using the KRBTGT account's NTLM hash, back to the KDC in a TGS-REQ to request a Ticket Granting Service (TGS)

- The KDC responds with a TGS, which is encrypted using the target service account's NTLM hash, and sends it to the user in the TGS-REP

- The user sends the TGS to the server hosting the service in an AP-REQ
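
The five steps above as an added Python walk-through (not code from the original page), following the page's simplified model: each function plays one side of an exchange, so it is visible which account key opens the encrypted timestamp, the TGT, the session key carried in the AS-REP, and the TGS. The cipher is a toy stand-in for the real Kerberos encryption, the keys are constructed placeholders for the NTLM hashes, and the account names (`alice`, `cifs/fs01`) and all function names are assumptions.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):
    # Toy authenticated encryption, a stand-in for the real Kerberos cipher.
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ticket")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

# Constructed keys standing in for the NTLM hashes of each account.
USER_KEY = hashlib.sha256(b"constructed-user-secret").digest()
KRBTGT_KEY = hashlib.sha256(b"constructed-krbtgt-secret").digest()
SVC_KEY = hashlib.sha256(b"constructed-service-secret").digest()
KDC_DB = {"alice": USER_KEY, "krbtgt": KRBTGT_KEY, "cifs/fs01": SVC_KEY}

def kdc_as(as_req):
    # AS-REQ -> AS-REP: decrypting the timestamp proves the user holds the hash.
    user_key = KDC_DB[as_req["user"]]
    unseal(user_key, as_req["enc_timestamp"])
    session_key = os.urandom(16).hex()
    return {"tgt": seal(KDC_DB["krbtgt"], {"user": as_req["user"], "sk": session_key}),
            "enc_session_key": seal(user_key, {"sk": session_key})}

def kdc_tgs(tgs_req):
    # TGS-REQ -> TGS-REP: only the KDC can open the TGT (KRBTGT key).
    tgt = unseal(KDC_DB["krbtgt"], tgs_req["tgt"])
    ticket = {"user": tgt["user"], "spn": tgs_req["spn"]}
    return {"tgs": seal(KDC_DB[tgs_req["spn"]], ticket)}

def service_ap(service_key, ap_req):
    # AP-REQ: the service opens the TGS with its own account key.
    return unseal(service_key, ap_req["tgs"])["user"]

def run_exchange(user="alice", user_key=USER_KEY, spn="cifs/fs01"):
    as_req = {"user": user, "spn": "krbtgt",
              "enc_timestamp": seal(user_key, {"ts": time.time()})}
    as_rep = kdc_as(as_req)
    session_key = unseal(user_key, as_rep["enc_session_key"])["sk"]
    tgs_rep = kdc_tgs({"tgt": as_rep["tgt"], "spn": spn})
    return service_ap(KDC_DB[spn], {"tgs": tgs_rep["tgs"]}), as_rep, session_key

if __name__ == "__main__":
    print(run_exchange()[0])
```

Calling `unseal(USER_KEY, as_rep["tgt"])` raises `ValueError`: the client carries the TGT but cannot read or alter it, while the KDC recovers the same session key from it with the KRBTGT key.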

KRB_AS_REQ
The user sends their username and a timestamp encrypted with the user's hash. The user also specifies the SPN KRBTGT so that the KDC knows the user is requesting a TGT.

KRB_AS_REP
The KDC's reply contains the TGT, which is encrypted with the KRBTGT hash, and the session key, which is encrypted with the user's hash.

KRB_TGS_REQ