Kerberos
Kerberos is a network authentication protocol that uses a ticket-based system with a trusted third-party Key Distribution Center (KDC) to enable secure mutual authentication between clients and services without transmitting passwords over the network.
Kerberos is the default authentication protocol in Active Directory environments and is fundamental to Windows domain security. The protocol operates through a series of ticket exchanges involving the Authentication Server (AS) and the Ticket Granting Server (TGS), both components of the Key Distribution Center. Users authenticate once to the AS and receive a Ticket Granting Ticket (TGT), which they then present to the TGS to obtain service tickets without re-entering credentials.
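The three exchanges described above, as an added example that is not part of the original entry: a single-process simulation of the AS, TGS and application (AP) exchanges with both sides' messages. The realm, principal names and passwords are constructed sample values, and the `seal`/`unseal` helper is a toy HMAC-based authenticated encryption standing in for Kerberos' real encryption types. It shows why the password never crosses the wire (the client only proves it can derive the key), why the TGT is opaque to the client (sealed under the krbtgt key), why the service ticket depends on the service account's password (sealed under that account's key), and how the AP-REP gives mutual authentication.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"   # constructed realm


# Toy authenticated encryption so the ticket flow is visible end to end. This
# HMAC-keystream construction is an illustration only; Kerberos uses AES-CTS or
# RC4-HMAC encryption types.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password, principal):
    # Password-derived long-term key (salted with realm + principal, as Kerberos AES
    # types do; the iteration count here is arbitrary). RC4 would use the unsalted NT hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


# Constructed KDC principal database: the KDC stores long-term keys, not passwords.
KDC_DB = {
    "krbtgt": long_term_key("krbtgt-sample-secret", "krbtgt"),
    "alice": long_term_key("alice-sample-password", "alice"),
    "svc-sql": long_term_key("svc-sql-sample-password", "svc-sql"),
}


def kdc_as_exchange(db, as_req):
    """AS: enforce pre-authentication, then return a TGT plus a session key."""
    key = db[as_req["cname"]]
    # Pre-authentication: the client must prove it knows its key before the KDC returns
    # anything sealed under that key. Without it, AS-REP material goes to any requester.
    pa = unseal(key, as_req["pa_enc_timestamp"])
    if abs(time.time() - pa["ts"]) > 300:
        raise ValueError("stale pre-authentication timestamp")
    sk1 = os.urandom(32).hex()
    tgt = seal(db["krbtgt"], {"cname": as_req["cname"], "sk": sk1, "exp": time.time() + 36000})
    return {"tgt": tgt, "enc_part": seal(key, {"sk": sk1, "sname": "krbtgt"})}


def kdc_tgs_exchange(db, tgs_req):
    """TGS: open the TGT with the krbtgt key, check the authenticator, issue a service ticket."""
    tgt = unseal(db["krbtgt"], tgs_req["tgt"])          # only the KDC can open a TGT
    if tgt["exp"] < time.time():
        raise ValueError("expired TGT")
    sk1 = bytes.fromhex(tgt["sk"])
    auth = unseal(sk1, tgs_req["authenticator"])
    if auth["cname"] != tgt["cname"]:
        raise ValueError("authenticator does not match TGT")
    sk2 = os.urandom(32).hex()
    # The service ticket is sealed under the service account's password-derived key.
    ticket = seal(db[tgs_req["sname"]], {"cname": tgt["cname"], "sk": sk2, "exp": time.time() + 36000})
    return {"ticket": ticket, "enc_part": seal(sk1, {"sk": sk2, "sname": tgs_req["sname"]})}


def service_ap_exchange(service_key, ap_req):
    """AP: the service opens its ticket, checks the authenticator and answers for mutual auth."""
    ticket = unseal(service_key, ap_req["ticket"])
    sk2 = bytes.fromhex(ticket["sk"])
    auth = unseal(sk2, ap_req["authenticator"])
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator does not match ticket")
    return ticket["cname"], seal(sk2, {"ts": auth["ts"]})   # AP-REP: proves the service holds sk2


def client_login(cname, password, sname):
    """Client side of all three exchanges; the password never leaves this function."""
    k_user = long_term_key(password, cname)
    as_rep = kdc_as_exchange(KDC_DB, {"cname": cname, "pa_enc_timestamp": seal(k_user, {"ts": time.time()})})
    sk1 = bytes.fromhex(unseal(k_user, as_rep["enc_part"])["sk"])
    tgs_rep = kdc_tgs_exchange(KDC_DB, {"tgt": as_rep["tgt"], "sname": sname,   # TGT is forwarded opaque
                                        "authenticator": seal(sk1, {"cname": cname, "ts": time.time()})})
    sk2 = bytes.fromhex(unseal(sk1, tgs_rep["enc_part"])["sk"])
    ts = time.time()
    # The service holds its own key; it is looked up in KDC_DB only because all parties run in-process.
    seen, ap_rep = service_ap_exchange(KDC_DB[sname], {"ticket": tgs_rep["ticket"],
                                                       "authenticator": seal(sk2, {"cname": cname, "ts": ts})})
    return {"service_saw": seen, "mutual_auth": unseal(sk2, ap_rep)["ts"] == ts}


def login_fails(cname, password, sname):
    """True when the KDC rejects the login (e.g. wrong password fails pre-authentication)."""
    try:
        client_login(cname, password, sname)
        return False
    except (ValueError, KeyError):
        return True
```

Running `client_login("alice", "alice-sample-password", "svc-sql")` walks the full flow and reports which principal the service saw and whether the AP-REP round trip verified; a wrong password is rejected at the pre-authentication step, so no AS-REP material sealed under alice's key is ever returned.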
While Kerberos provides strong authentication, it is subject to several well-known attacks. Kerberoasting targets service accounts by requesting service tickets and cracking their encrypted portions offline. AS-REP roasting exploits accounts that do not require pre-authentication. Golden Ticket attacks use a compromised KRBTGT account hash, the key under which every TGT is encrypted, to forge arbitrary TGTs and gain persistent domain-wide access. Silver Ticket attacks forge service tickets for specific services using that service account's key.
Securing Kerberos involves using strong, long passwords for service accounts, enforcing AES encryption types and disabling the weaker RC4, requiring pre-authentication for all accounts, regularly rotating the KRBTGT password, monitoring for anomalous ticket requests, and implementing Privileged Access Management solutions. Security teams should audit Service Principal Names and use tools like BloodHound to identify Kerberoastable accounts.
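The monitoring and auditing controls listed above, as an added example that is not part of the original entry: detection logic over constructed Windows Security event 4769 records (Kerberos service ticket requested) and a hygiene audit over constructed directory account records. The field names (TargetUserName, ServiceName, TicketEncryptionType), the encryption type values (0x17 RC4-HMAC, 0x11/0x12 AES), the userAccountControl bit DONT_REQ_PREAUTH and the msDS-SupportedEncryptionTypes bits are the real Windows values; the simplified key=value log layout, the sample accounts, and the sweep and KRBTGT-age thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values as logged in the TicketEncryptionType field of Windows event 4769.
RC4_HMAC = 0x17
AES_ETYPES = {0x11, 0x12}            # AES128 / AES256 CTS-HMAC-SHA1-96

# userAccountControl and msDS-SupportedEncryptionTypes bits used by the account audit.
UAC_DONT_REQ_PREAUTH = 0x400000
SET_RC4_HMAC = 0x04
SET_AES = 0x08 | 0x10

# Detection thresholds: assumptions for this example, tune to the environment.
SWEEP_MIN_SERVICES = 3
SWEEP_WINDOW = timedelta(minutes=5)
KRBTGT_MAX_AGE = timedelta(days=180)

# Constructed sample events in a simplified key=value layout (not Windows' XML format).
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-05-01T09:00:02 EventID=4769 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=svc-sql TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-05-01T09:10:00 EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T09:10:01 EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T09:10:02 EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.0.0.77
2024-05-01T09:10:03 EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc-print TicketEncryptionType=0x17 IpAddress=10.0.0.77
""".splitlines()

# Constructed directory records: sAMAccountName, servicePrincipalName, userAccountControl,
# msDS-SupportedEncryptionTypes and pwdLastSet. 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
SAMPLE_ACCOUNTS = [
    {"sam": "svc-sql", "spn": ["MSSQLSvc/sql01.example.local:1433"], "uac": 0x10200, "enc": 0x04,
     "pwd_last_set": datetime(2021, 1, 1)},
    {"sam": "svc-web", "spn": ["HTTP/web01.example.local"], "uac": 0x10200, "enc": 0x18,
     "pwd_last_set": datetime(2024, 3, 1)},
    {"sam": "legacy-app", "spn": [], "uac": 0x10200 | UAC_DONT_REQ_PREAUTH, "enc": 0x1C,
     "pwd_last_set": datetime(2023, 9, 1)},
    {"sam": "krbtgt", "spn": ["kadmin/changepw"], "uac": 0x202, "enc": 0x1C,
     "pwd_last_set": datetime(2022, 6, 1)},
]


def parse_event(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["etype"] = int(fields["TicketEncryptionType"], 16)
    return fields


def is_service_account(name):
    # Computer accounts end in '$' and request tickets constantly; krbtgt tickets are TGTs.
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_ticket_anomalies(lines):
    """Flag RC4 service tickets for user service accounts and bursts of distinct SPN requests."""
    findings, by_user = [], defaultdict(list)
    for e in (parse_event(l) for l in lines if "EventID=4769" in l):
        if not is_service_account(e["ServiceName"]):
            continue
        if e["etype"] == RC4_HMAC:
            findings.append(("rc4_service_ticket", e["TargetUserName"], e["ServiceName"]))
        by_user[e["TargetUserName"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            names = {e["ServiceName"] for e in evs[i:] if e["ts"] - first["ts"] <= SWEEP_WINDOW}
            if len(names) >= SWEEP_MIN_SERVICES:
                findings.append(("spn_sweep", user, len(names)))
                break
    return findings


def audit_accounts(accounts, now):
    """Pre-auth disabled, SPN accounts without AES (or still allowing RC4), stale KRBTGT password."""
    findings = []
    for a in accounts:
        if a["uac"] & UAC_DONT_REQ_PREAUTH:
            findings.append(("preauth_not_required", a["sam"]))
        if a["spn"] and a["sam"] != "krbtgt":
            # An unset (0) msDS-SupportedEncryptionTypes on a user account also means no AES.
            if not a["enc"] & SET_AES:
                findings.append(("spn_account_no_aes", a["sam"]))
            elif a["enc"] & SET_RC4_HMAC:
                findings.append(("spn_account_rc4_allowed", a["sam"]))
        if a["sam"] == "krbtgt" and now - a["pwd_last_set"] > KRBTGT_MAX_AGE:
            findings.append(("krbtgt_password_stale", a["sam"]))
    return findings
```

`detect_ticket_anomalies(SAMPLE_4769)` reports nothing for alice (an AES ticket for one service) and flags bob's four RC4 requests plus a sweep of four distinct services in three seconds; `audit_accounts(SAMPLE_ACCOUNTS, datetime(2024, 5, 1))` flags svc-sql as RC4-only, legacy-app as not requiring pre-authentication and the KRBTGT password as older than the assumed rotation interval.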