Skip to content

Kerberos Honeypot Enterprise

The Kerberos service emulates a Key Distribution Center (KDC). It is designed to detect Active Directory credential attacks: AS-REP roasting, Kerberoasting and golden/silver ticket testing.

Configuration

Kerberos services are configured from the Enterprise dashboard. Open Trapsters, select a device, go to the Services tab, and enable the Kerberos service.

VM deployments only

The Kerberos service is only available on VM deployments (Proxmox, VMware, Hyper-V, KVM). It is not supported on Docker or Kubernetes. See Trapsters: deployment constraints.

Options

OptionDescription
RealmThe Kerberos realm (e.g. CORP.LOCAL)
Domain controller hostnameThe name Trapster presents as a DC

Match your AD realm

Set the realm to match your actual Active Directory domain. Attackers who enumerate your network expecting a real KDC will target the honeypot automatically.

What it detects

AttackSignal
AS-REP roastingAuthentication request for a user with pre-auth disabled
KerberoastingTGS request for a service account SPN
Password sprayRepeated AS-REQ with different usernames
Credential reuseValid-looking ticket request using harvested credentials

What gets captured

EventFields
Connection madeSource IP
Login attemptAttack type (AS-REQ, TGS-REQ), username targeted, SPN requested (Kerberoasting)