Chapter 14 Flashcards

(12 cards)

1
Q

Kerberos

A

KDC (Key Distribution Center)
Kerberos Authentication Server
- hosts KDC functions
- Ticket-granting service
- Authentication service
Ticket-granting Ticket (TGT) for requesting Service Ticket
Tickets can expire
Kerberos principal - user or ticket requester
Uses AES
Uses and used by MS Active Directory

2
Q

RADIUS

A

RADIUS:
- Encrypts password only
- UDP 1812/1813
RADIUS/TLS:
- for encrypting entire session
- TCP 2083

3
Q

TACACS+

A

Open standard
Created by Cisco
TCP 49
Separates each AAA function (authentication, authorization, accounting) into its own service
Encrypts all auth info, not just password
Better than RADIUS

4
Q

Internal SSO protocols
(AAA)

A

Kerberos (most common)
RADIUS
TACACS+

5
Q

Internet/Web SSO protocols

A
  1. SAML - authentication and authorization assertions (exchanged info)
    - Principal, Service Provider, Identity Provider
    - Authentication, attribute, authorization statements
  2. OAuth - authorization only; uses tokens
  3. OpenID - authentication; ID provider
  4. OpenID Connect (OIDC) - incorporates OAuth for authorization; JWT for tokens
6
Q

Permission - usually access to an information object, e.g. a file
Right - an action
Privilege - permission + right

A
7
Q

Access control matrix / ACL - focuses on objects
Capability table - focuses on the user/subject

A
8
Q
  1. Content-dependent access controls - restrict access to data based on the content within an object.
  2. Context-dependent access controls - require specific activity before granting users access.
A
9
Q

Access Control Types

A
  1. Discretionary access control - managed by the owner via ACLs
  2. Non-discretionary access control - centrally managed by admin
  3. Role-based
  4. Rule-based - used in firewalls
  5. Attribute-based - more advanced implementation of rule-based; used by SDN
  6. Mandatory access control - uses labels; lattice; Hierarchical, Compartmentalized, Hybrid
  7. Risk-based - considers environment, situation, security policies
10
Q

Access Control attacks

A
  • Password attack
  • Dictionary attack
  • Brute-force attack
  • Spraying attack - circumvents lockouts by rotating across different accounts
  • Credential stuffing - tries compromised user credentials on other sites
  • Birthday attack - takes advantage of collisions
  • Rainbow table attack - countered by salting passwords
  • Mimikatz - reads credentials from memory
11
Q

Zero-trust access policy

A
  • Subjects
  • Policy engines - decide based on external systems, e.g. threat intel, SIEM devices
  • Policy administrators - components that act on decision, to create or remove connections between subject & resource
    Policy Decision Point = Policy engine + policy admin
  • Policy enforcement point - work with policy admin to allow / deny access
12
Q

Kerberos attacks

A
  • Overpass the hash (or pass the key) - Mimikatz reads hash and uses it to get TGT
  • Pass the ticket - compromised ticket
  • Silver ticket - use captured hash to get TGST (for service accounts)
  • Golden ticket - access to Kerberos ticket granting account
  • Kerberos brute force
  • AS-REP Roasting - trick Kerberos into sending a TGT with client credentials, then decrypt the client password
  • Kerberoasting - capture TGST and then decrypt them