Practical study of the Kerberos protocol: attacks, detection and development of detection rules
Abstract
Practical study of the Kerberos protocol: attacks, detection and development of detection rules
Incoming article date: 21.12.2024This article examines the practical aspects of using the Kerberos authentication protocol. It provides a brief historical background and describes the main operational principles and characteristics of the protocol that may lead to vulnerabilities. Exploitation of these vulnerabilities can allow an attacker to maintain a persistent presence in a domain environment. In the course of the study, the potential for an attacker to establish domain persistence is investigated through attacks such as Kerberoasting, brute-forcing hashes, and creating Golden Tickets. These activities are carried out using tools designed for penetration testing. Special attention is devoted to assessing the subsequent negative consequences of unauthorized access to domain resources. The study analyzes methods for detecting attacks, including the development of rules to monitor suspicious activity. The article underscores the importance of promptly identifying real-world threat vectors and reinforcing security measures within domain infrastructures. Discussion of the proposed set of attack vectors helps create a more effective penetration testing plan and strengthen monitoring. In particular, the paper examines the process of obtaining Ticket-Granting Tickets, as well as ways to compromise and further exploit static credentials. It is highlighted that the Key Distribution Center (KDC) is a critical component requiring additional oversight and protection. Practical recommendations are provided on monitoring event logs and configuring Intrusion Detection Systems (IDS) for timely detection of anomalous activities. Thus, the central idea of this work is to demonstrate the relevance and significance of Kerberos in corporate networks, while highlighting both its strong points and possible risks. The results emphasize the importance of combining an in-depth understanding of Kerberos functionality with practical security measures to preserve system integrity and reduce risks.
Keywords: pinning, authentication protocol, access level, Kerberos, attack detection, attacker, Golden Ticket, Kerberoasting, attack detection, monitoring