📘 Cybersecurity Basics: Kerberos Attacks Explained (Golden Ticket & Pass-the-Ticket)
Back2Skills — Understand One of the Most Important Active Directory Attack Concepts
🎯 Why Kerberos Matters in Cybersecurity
In Windows enterprise networks, Kerberos is the system that manages authentication.
👉 Every time a user logs in, Kerberos decides:
- Who you are 👤
- What you can access 🔐
- How long you can stay connected ⏱️
💡 If attackers compromise Kerberos →
they can impersonate users and move freely across the network.
🧠 The Big Analogy: Kerberos = Security Guard Issuing Access Passes
Imagine a secure company building 🏢
- 👮 Security guard → Domain Controller
- 🎫 Ticket → access pass
- 👤 User → employee
- 🚪 Doors → services (files, servers, apps)
👉 You don’t show your password every time.
👉 You show your ticket (pass).
1️⃣ What Is Kerberos? (Very Simple)
✅ Simple Definition
Kerberos is:
An authentication protocol that uses tickets instead of sending your password to every service.
Instead of logging in repeatedly:
- You authenticate once
- You receive a ticket
- You use that ticket to access services
2️⃣ Key Kerberos Concepts (CEH Must-Know)
🎫 TGT (Ticket Granting Ticket)
- First ticket you receive after login
- Proves your identity
🎟️ Service Ticket (TGS ticket, issued by the Ticket Granting Service)
- Allows access to specific services
🧠 Analogy
- TGT = badge proving you work in the company
- TGS = key to a specific room
3️⃣ Why Kerberos Is Targeted by Attackers
Because tickets:
- Can be reused
- Can be stolen
- Sometimes forged
👉 If an attacker has a valid ticket →
they don’t need your password.
4️⃣ Pass-the-Ticket Attack (Simplest Concept)
✅ Definition
Pass-the-Ticket (PtT) is:
Using a stolen Kerberos ticket to authenticate as another user.
🧠 Analogy
Instead of stealing your password, the attacker steals your access badge and uses it directly.
🎯 What It Allows
- Access to services
- Impersonation of user
- Lateral movement
👉 No password required.
5️⃣ Golden Ticket Attack (Most Powerful)
✅ Definition
Golden Ticket is:
A forged Kerberos TGT created using the domain’s secret key.
🧠 Analogy
Instead of stealing a badge, the attacker creates a fake master badge that opens everything.
🎯 What It Allows
- Full domain access
- Impersonate any user
- Long-term persistence
- Access to all systems
👉 This is one of the most dangerous AD attacks.
6️⃣ Why Golden Ticket Works
Kerberos relies on a secret:
🔐 the KRBTGT account’s key (the key every TGT is encrypted and signed with)
If attacker obtains this key:
- They can generate valid tickets
- The system trusts them automatically
7️⃣ Attack Chain Example (CEH Logic)
Typical Kerberos attack scenario:
1️⃣ Initial access
2️⃣ Privilege escalation
3️⃣ Credential dumping
4️⃣ Extract KRBTGT hash
5️⃣ Create Golden Ticket
6️⃣ Full domain compromise
👉 This is a full takeover scenario.
8️⃣ Differences: Golden Ticket vs Pass-the-Ticket
| Feature | Pass-the-Ticket | Golden Ticket |
|---|---|---|
| Uses real ticket? | Yes | No (forged) |
| Needs password? | No | No |
| Scope | Limited | Full domain |
| Persistence | Temporary | Long-term |
🎓 CEH Tip:
Golden Ticket = domain dominance.
9️⃣ Why Kerberos Attacks Are Hard to Detect
Because:
- Tickets look legitimate
- No password brute-force
- Normal authentication behavior
- Long validity periods
👉 Attackers blend into normal traffic.
1️⃣0️⃣ How Defenders Protect Kerberos
Security measures:
✅ Protect KRBTGT account
✅ Rotate KRBTGT password regularly
✅ Use least privilege
✅ Monitor abnormal ticket activity
✅ Limit ticket lifetime
✅ Enable advanced logging
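The two points above that matter most for defenders, why the KRBTGT key is the whole root of trust (section 6) and why rotating it is the cure (section 10), are easiest to see in a small model. The following is an added teaching example, not Back2Skills material and not the real Kerberos protocol: tickets are JSON blobs protected by an HMAC under a per-domain "krbtgt" key, standing in for the real encryption of a TGT under the KRBTGT account key. The class and function names (ToyKDC, issue_tgt, validate_tgt, rotate_krbtgt, walkthrough) and the 10-hour default lifetime are assumptions made for this example.

```python
"""Toy model of why the KRBTGT key is the root of trust in a domain.

Added example, not the real Kerberos protocol: a TGT here is a JSON body plus
an HMAC under the KDC's current krbtgt key. A real KDC also keeps honouring
the previous KRBTGT key after a reset, which the model reproduces.
"""
import hashlib
import hmac
import json
import secrets
import time

DEFAULT_TGT_LIFETIME = 10 * 60 * 60     # 10 hours, the Windows default (assumption for this model)
TEN_YEARS = 10 * 365 * 24 * 60 * 60     # the kind of lifetime a forged TGT is typically given


class ToyKDC:
    """Stand-in for the Key Distribution Center running on a Domain Controller."""

    def __init__(self):
        self.krbtgt_key = secrets.token_bytes(32)
        self.previous_krbtgt_key = None    # still accepted after one rotation

    @staticmethod
    def _mac(key, body):
        return hmac.new(key, body, hashlib.sha256).digest()

    def issue_tgt(self, user, groups, now, lifetime=DEFAULT_TGT_LIFETIME):
        claims = {"user": user, "groups": groups, "issued": now, "expires": now + lifetime}
        body = json.dumps(claims, sort_keys=True).encode()
        return {"body": body, "mac": self._mac(self.krbtgt_key, body)}

    def validate_tgt(self, ticket, now):
        """What the KDC checks before it will hand out service tickets for this TGT."""
        for key in (self.krbtgt_key, self.previous_krbtgt_key):
            if key is not None and hmac.compare_digest(self._mac(key, ticket["body"]), ticket["mac"]):
                break
        else:
            return False, "not protected by a trusted KRBTGT key"
        claims = json.loads(ticket["body"])
        if now > claims["expires"]:
            return False, "expired"
        # Nothing else is checked: whoever holds the key is trusted, no password involved.
        return True, f"trusted as {claims['user']} {claims['groups']}"

    def rotate_krbtgt(self):
        """Model of resetting the KRBTGT password: old key moves to 'previous'."""
        self.previous_krbtgt_key = self.krbtgt_key
        self.krbtgt_key = secrets.token_bytes(32)


def walkthrough(now=None):
    """Returns (legit accepted, same-key ticket accepted, still accepted after
    one rotation, accepted after two rotations)."""
    now = now or int(time.time())
    kdc = ToyKDC()

    legit = kdc.issue_tgt("alice", ["Domain Users"], now)
    legit_ok = kdc.validate_tgt(legit, now)[0]

    # A second issuer holding a copy of the same key produces tickets the KDC
    # cannot tell apart from its own, whatever the claims say: this is the
    # "Why Golden Ticket Works" point in one line.
    same_key_issuer = ToyKDC()
    same_key_issuer.krbtgt_key = kdc.krbtgt_key
    long_lived = same_key_issuer.issue_tgt("Administrator", ["Domain Admins"], now, lifetime=TEN_YEARS)
    same_key_ok = kdc.validate_tgt(long_lived, now)[0]

    kdc.rotate_krbtgt()
    after_one = kdc.validate_tgt(long_lived, now)[0]   # still trusted via the previous key
    kdc.rotate_krbtgt()
    after_two = kdc.validate_tgt(long_lived, now)[0]   # rejected: neither key matches
    return legit_ok, same_key_ok, after_one, after_two


if __name__ == "__main__":
    print(walkthrough())
```

The last two results are the practical caveat behind "rotate the KRBTGT password": because the KDC keeps honouring the previous key, one reset does not invalidate tickets made under the old key; the reset has to be done twice, with enough time between the two for the change to replicate to every Domain Controller (the model skips that delay).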
1️⃣1️⃣ Detection (Blue Team View)
Look for:
- Abnormal ticket lifetimes
- Unusual service access
- Logons with no corresponding password-based authentication
- Suspicious domain admin activity
👉 Kerberos logs are critical.
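Two of the signals above ("unusual service access" and ticket use that never went through a normal logon) can be checked directly in Domain Controller logs. The following is an added example, not from Back2Skills: simple rules run over constructed sample records written as simplified JSON lines whose field names follow the Windows Security events 4768 (a TGT was requested) and 4769 (a service ticket was requested). The sample data, the function names (load_events, analyse) and the assumption that the domain is configured for AES-only Kerberos are choices made for this example.

```python
"""Added detection example: two simple rules over Kerberos audit records.

Event 4768 = TGT requested (the login step); event 4769 = service ticket
requested (the "open a door" step). A service ticket requested for an
account and host that never obtained a TGT from this DC, or requested with
RC4 in a domain that only uses AES, are both worth an analyst's attention.
"""
import json

RC4_HMAC = 23          # Kerberos etype 0x17 (RC4-HMAC)
AES_ETYPES = {17, 18}  # etypes 0x11/0x12 (AES128/AES256); assumed domain policy is AES-only

# Constructed sample records, not real exported events. Encryption types are
# written in decimal to keep the lines valid JSON.
SAMPLE_LOG = """
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": 18}
{"EventID": 4769, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "ServiceName": "cifs/FS01", "TicketEncryptionType": 18}
{"EventID": 4769, "TargetUserName": "Administrator", "IpAddress": "10.0.0.99", "ServiceName": "cifs/DC01", "TicketEncryptionType": 23}
{"EventID": 4769, "TargetUserName": "Administrator", "IpAddress": "10.0.0.99", "ServiceName": "ldap/DC01", "TicketEncryptionType": 23}
"""


def load_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events, aes_only_domain=True):
    """Return {rule: set of (user, source IP, service)} for the two rules."""
    findings = {"service-ticket-without-tgt": set(), "rc4-service-ticket": set()}
    # Every (account, host) pair that went through the normal login step.
    tgt_holders = {(e["TargetUserName"], e["IpAddress"]) for e in events if e["EventID"] == 4768}
    for e in events:
        if e["EventID"] != 4769:
            continue
        who = (e["TargetUserName"], e["IpAddress"])
        hit = who + (e["ServiceName"],)
        # A ticket is being used, but this DC never issued a TGT to that account/host.
        if who not in tgt_holders:
            findings["service-ticket-without-tgt"].add(hit)
        # Weaker encryption than the domain ever uses: a tool chose it, not the DC.
        if aes_only_domain and e["TicketEncryptionType"] == RC4_HMAC:
            findings["rc4-service-ticket"].add(hit)
    return findings


if __name__ == "__main__":
    for rule, hits in analyse(load_events(SAMPLE_LOG)).items():
        print(rule, sorted(hits))
```

Both rules are starting points, not verdicts: the first one must be run over the events of every Domain Controller in the domain (a user's TGT may legitimately have come from another DC, or before the log window), and the second one only means anything once the domain really has no RC4-only accounts or services left.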
⚠️ Common Beginner Confusions
❌ Thinking Kerberos = password system
❌ Confusing hashes with tickets
❌ Underestimating Golden Ticket impact
❌ Ignoring role of Domain Controller
👉 Kerberos = trust system, not just login system.
📊 Visual Attack Flow
Login → Kerberos Ticket → Ticket Theft → Pass-the-Ticket → Privilege Escalation → Golden Ticket → Domain Control
🧭 Key Takeaways
🎫 Kerberos uses tickets instead of passwords
🔄 Pass-the-Ticket reuses stolen tickets
🔐 Golden Ticket forges admin access
🧠 KRBTGT key is critical
🎯 Kerberos attacks lead to full domain compromise
👉 Understanding Kerberos = understanding enterprise attacks.
🎓 Ready to Go Further in Cybersecurity?
If you enjoyed this guide, you’ll love the Back2Skills learning platform, built specifically for beginners who want to understand cybersecurity step by step.
✔ Beginner-friendly lessons
✔ Real ethical hacking concepts explained simply
✔ CEH-aligned cybersecurity training
✔ Clear roadmap from basics → ethical hacker

