Cybersecurity Basics: Kerberos Attacks Explained (Golden Ticket & Pass-the-Ticket)
Back2Skills – Understand One of the Most Important Active Directory Attack Concepts
Why Kerberos Matters in Cybersecurity
In Windows enterprise networks, Kerberos is the protocol that handles authentication.
Every time a user logs in, Kerberos decides:
- Who you are
- What you can access
- How long you can stay connected
If attackers compromise Kerberos →
they can impersonate users and move freely across the network.
The Big Analogy: Kerberos = Security Guard Issuing Access Passes
Imagine a secure company building:
- Security guard → Domain Controller
- Ticket → access pass
- User → employee
- Doors → services (files, servers, apps)
You don't show your password every time.
You show your ticket (pass).
1. What Is Kerberos? (Very Simple)
Simple Definition
Kerberos is:
An authentication protocol that uses tickets instead of passwords.
Instead of logging in repeatedly:
- You authenticate once
- You receive a ticket
- You use that ticket to access services
2. Key Kerberos Concepts (CEH Must-Know)
TGT (Ticket Granting Ticket)
- First ticket you receive after login
- Proves your identity
TGS / Service Ticket
- Allows access to a specific service
Analogy
- TGT = badge proving you work in the company
- TGS = key to a specific room
3. Why Kerberos Is Targeted by Attackers
Because tickets:
- Can be reused
- Can be stolen
- Can sometimes be forged
If an attacker has a valid ticket →
they don't need your password.
4. Pass-the-Ticket Attack (Simplest Concept)
Definition
Pass-the-Ticket (PtT) is:
Using a stolen Kerberos ticket to authenticate as another user.
Analogy
Instead of stealing your password, the attacker steals your access badge and uses it directly.
What It Allows
- Access to services
- Impersonation of the user
- Lateral movement
No password required.
5. Golden Ticket Attack (Most Powerful)
Definition
Golden Ticket is:
A forged Kerberos TGT created using the domain's secret key (the KRBTGT account key).
Analogy
Instead of stealing a badge, the attacker creates a fake master badge that opens everything.
What It Allows
- Full domain access
- Impersonate any user
- Long-term persistence
- Access to all systems
This is one of the most dangerous AD attacks.
6. Why Golden Ticket Works
Kerberos relies on a secret:
The KRBTGT account key
If an attacker obtains this key:
- They can generate valid tickets
- Domain controllers accept those tickets as genuine
7. Attack Chain Example (CEH Logic)
Typical Kerberos attack scenario:
1. Initial access
2. Privilege escalation
3. Credential dumping
4. Extract KRBTGT hash
5. Create Golden Ticket
6. Full domain compromise
This is a full takeover scenario.
8. Differences: Golden Ticket vs Pass-the-Ticket
| Feature | Pass-the-Ticket | Golden Ticket |
|---|---|---|
| Uses real ticket? | Yes | No (forged) |
| Needs password? | No | No |
| Scope | Limited | Full domain |
| Persistence | Temporary | Long-term |
CEH Tip:
Golden Ticket = domain dominance.
9. Why Kerberos Attacks Are Hard to Detect
Because:
- Tickets look legitimate
- No password brute-force
- Normal authentication behavior
- Long validity periods
Attackers blend into normal traffic.
10. How Defenders Protect Kerberos
Security measures:
- Protect the KRBTGT account
- Rotate the KRBTGT password regularly (reset it twice, since tickets issued under the previous key stay valid until both stored key versions have changed)
- Use least privilege
- Monitor abnormal ticket activity
- Limit ticket lifetime
- Enable advanced logging
11. Detection (Blue Team View)
Look for:
- Abnormal ticket lifetimes
- Unusual service access
- Logins without password usage (a ticket being used where no initial authentication was seen)
- Suspicious domain admin activity
Kerberos logs are critical.
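A small detector over constructed sample records, written as an added example for this guide (it is not Back2Skills code). It models two of the signals listed above: a service ticket request (Windows Security event 4769) for an account with no TGT request (event 4768) inside the TGT lifetime, which is how a ticket forged off the domain controller or replayed from another host shows up in DC logs, and a TGT lifetime above policy. Assumptions: the record format, the `lifetime_h` field and the 10-hour policy value are constructed for the example; the real 4768 event does not carry the ticket lifetime.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Windows Security events
# 4768 (Kerberos TGT requested) and 4769 (Kerberos service ticket requested).
# "lifetime_h" is a simplification for this example: the real 4768 event does
# not carry the ticket lifetime, which comes from domain policy or klist output.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "event_id": 4768, "account": "alice",
     "client": "10.0.0.21", "service": "krbtgt", "lifetime_h": 10},
    {"time": "2024-05-01T08:05:00", "event_id": 4769, "account": "alice",
     "client": "10.0.0.21", "service": "cifs/fileserver"},
    # bob uses service tickets but this DC never saw a TGT request for him
    {"time": "2024-05-01T09:10:00", "event_id": 4769, "account": "bob",
     "client": "10.0.0.77", "service": "cifs/fileserver"},
    {"time": "2024-05-01T09:15:00", "event_id": 4769, "account": "bob",
     "client": "10.0.0.77", "service": "ldap/dc01"},
    # a TGT with a ten-year lifetime, far beyond the domain policy
    {"time": "2024-05-01T10:00:00", "event_id": 4768, "account": "svc_backup",
     "client": "10.0.0.90", "service": "krbtgt", "lifetime_h": 87600},
]

# Windows default "Maximum lifetime for user ticket" is 10 hours; a TGT older
# than that cannot legitimately back a new service ticket request.
MAX_TGT_LIFETIME_H = 10


def find_suspicious(events, max_lifetime_h=MAX_TGT_LIFETIME_H):
    """Return (reason, account, time) tuples for the two detection signals."""
    lookback = timedelta(hours=max_lifetime_h)
    tgt_seen = defaultdict(list)  # account -> timestamps of 4768 events
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4768:
            tgt_seen[ev["account"]].append(ts)
            if ev.get("lifetime_h", 0) > max_lifetime_h:
                findings.append(("abnormal_ticket_lifetime", ev["account"], ev["time"]))
        elif ev["event_id"] == 4769:
            # A 4769 with no 4768 for the same account inside the TGT lifetime
            # means this DC did not issue the TGT being presented.
            if not any(ts - lookback <= t <= ts for t in tgt_seen[ev["account"]]):
                findings.append(("service_ticket_without_tgt", ev["account"], ev["time"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(*finding)
```

In production, collect 4768 and 4769 events from every domain controller before correlating, since a legitimate TGT may have been issued by a different DC than the one that served the service ticket request.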
Common Beginner Confusions
- Thinking Kerberos = password system
- Confusing hashes with tickets
- Underestimating Golden Ticket impact
- Ignoring the role of the Domain Controller
Kerberos = trust system, not just a login system.
Visual Attack Flow
Login → Kerberos Ticket → Ticket Theft → Pass-the-Ticket → Privilege Escalation → Golden Ticket → Domain Control
Key Takeaways
- Kerberos uses tickets instead of passwords
- Pass-the-Ticket reuses stolen tickets
- Golden Ticket forges admin access
- KRBTGT key is critical
- Kerberos attacks lead to full domain compromise
Understanding Kerberos = understanding enterprise attacks.
Ready to Go Further in Cybersecurity?
If you enjoyed this guide, you'll love the Back2Skills learning platform, built specifically for beginners who want to understand cybersecurity step by step.
- Beginner-friendly lessons
- Real ethical hacking concepts explained simply
- CEH-aligned cybersecurity training
- Clear roadmap from basics → ethical hacker

