ANALYSIS OF KERBEROS PROTOCOL VULNERABILITIES IN ACTIVE DIRECTORY ENVIRONMENT

Abstract

Kerberos is one of the most widely used authentication protocols in modern corporate environments and serves as a core security mechanism in Microsoft Active Directory infrastructures. Despite its strong cryptographic foundations and long-term adoption, Kerberos remains vulnerable to a range of attacks caused by architectural design choices, trust assumptions, and configuration weaknesses. These vulnerabilities allow attackers to compromise authentication processes, escalate privileges, and maintain long-term persistence within a domain environment. This paper presents a comprehensive analysis of the Kerberos authentication protocol in Active Directory with a focus on typical attack vectors, exploitation techniques, and systemic weaknesses. The study examines the internal architecture of Kerberos, including the role of the Key Distribution Center, Authentication Server, and Ticket Granting Service, and analyzes how trust in ticket-based authentication can be abused when critical secrets are compromised. Special attention is paid to the security implications of the krbtgt account, whose compromise enables the creation of forged Ticket Granting Tickets and undermines the entire trust model of the domain. The research analyzes widely used attack techniques such as Golden Ticket, Silver Ticket, Pass-the-Ticket, Kerberoasting, and AS-REP Roasting. These attacks demonstrate that even low-privileged user accounts can serve as an entry point for complex multi-stage intrusions. The paper highlights the role of NTLM hashes, service account misconfigurations, and credential exposure in the LSASS process as key enablers of these attacks. It is shown that many Kerberos-based attacks can bypass traditional security monitoring mechanisms, particularly when forged tickets are used without direct interaction with domain controllers. In addition, the paper reviews recent academic and practical research on Kerberos attack detection, including behavioral analysis of authentication logs, anomaly detection, and machine learning-based approaches. While such methods improve detection accuracy, they often suffer from false positives and limited adaptability to evolving attack techniques. This emphasizes the need for flexible and context-aware security monitoring solutions. Based on the conducted analysis, practical recommendations are formulated to enhance the resilience of Kerberos-based infrastructures. These include strengthening account management policies, protecting critical processes, regularly rotating sensitive credentials, and improving monitoring of ticket usage patterns. The results of this study contribute to a deeper understanding of Kerberos security risks and provide a foundation for developing more effective defensive strategies against advanced attacks targeting Active Directory authentication mechanisms.