Kerberos Honeypot Enterprise
The Kerberos service emulates a Key Distribution Center (KDC). It is designed to detect Active Directory credential attacks: AS-REP roasting, Kerberoasting and golden/silver ticket testing.
Configuration
Kerberos services are configured from the Enterprise dashboard. Open Trapsters, select a device, go to the Services tab, and enable the Kerberos service.
VM deployments only
The Kerberos service is only available on VM deployments (Proxmox, VMware, Hyper-V, KVM). It is not supported on Docker or Kubernetes. See Trapsters: deployment constraints.
Options
| Option | Description |
|---|---|
| Realm | The Kerberos realm (e.g. CORP.LOCAL) |
| Domain controller hostname | The name Trapster presents as a DC |
Match your AD realm
Set the realm to match your actual Active Directory domain. Attackers who enumerate your network expecting a real KDC will target the honeypot automatically.
What it detects
| Attack | Signal |
|---|---|
| AS-REP roasting | Authentication request for a user with pre-auth disabled |
| Kerberoasting | TGS request for a service account SPN |
| Password spray | Repeated AS-REQ with different usernames |
| Credential reuse | Valid-looking ticket request using harvested credentials |
What gets captured
| Event | Fields |
|---|---|
| Connection made | Source IP |
| Login attempt | Attack type (AS-REQ, TGS-REQ), username targeted, SPN requested (Kerberoasting) |
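The following is an added example, not Trapster's own code: a triage pass that groups captured events by source IP and labels each source using the signals from the "What it detects" table. The event field names (`src_ip`, `msg_type`, `username`, `spn`), the sample events and the spray threshold are assumptions modelled on the captured fields listed above, not Trapster's actual export schema.

```python
from collections import defaultdict

# Constructed sample events. Field names are assumptions modelled on the
# "What gets captured" table; they are not Trapster's actual export schema.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.5.23", "msg_type": "AS-REQ", "username": "alice", "spn": None},
    {"src_ip": "10.0.5.23", "msg_type": "AS-REQ", "username": "bob", "spn": None},
    {"src_ip": "10.0.5.23", "msg_type": "AS-REQ", "username": "carol", "spn": None},
    {"src_ip": "10.0.5.23", "msg_type": "AS-REQ", "username": "Carol", "spn": None},
    {"src_ip": "10.0.7.40", "msg_type": "TGS-REQ", "username": "jdoe",
     "spn": "HTTP/web01.corp.local"},
    {"src_ip": "10.0.7.40", "msg_type": "TGS-REQ", "username": "jdoe",
     "spn": "MSSQLSvc/db01.corp.local:1433"},
    {"src_ip": "10.0.9.12", "msg_type": "AS-REQ", "username": "dave", "spn": None},
]

SPRAY_THRESHOLD = 3  # assumed: distinct usernames per source that count as a spray


def triage(events, spray_threshold=SPRAY_THRESHOLD):
    """Group events by source IP and label each source per the signals table."""
    users = defaultdict(set)  # src_ip -> distinct usernames seen in AS-REQ
    spns = defaultdict(set)   # src_ip -> distinct SPNs seen in TGS-REQ
    for ev in events:
        src = ev["src_ip"]
        if ev["msg_type"] == "AS-REQ" and ev.get("username"):
            # Principal names are case-insensitive in AD; normalise before counting.
            users[src].add(ev["username"].lower())
        elif ev["msg_type"] == "TGS-REQ" and ev.get("spn"):
            spns[src].add(ev["spn"])

    report = {}
    for src in sorted(set(users) | set(spns)):
        labels = []
        if len(users[src]) >= spray_threshold:
            labels.append("password-spray")   # repeated AS-REQ, different usernames
        elif users[src]:
            labels.append("as-req-probe")     # AS-REP roasting or a single login try
        if spns[src]:
            labels.append("kerberoasting")    # TGS request for a service SPN
        report[src] = {"labels": labels, "usernames": sorted(users[src]),
                       "spns": sorted(spns[src])}
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_EVENTS).items():
        print(src, info)
```

Because no legitimate client should contact the honeypot KDC, every source in the report warrants investigation; the labels only help prioritise and route the alert.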
