
Module 5 · Golden and Silver Tickets

Manish Garg, Associate CISSP · RingSafe
April 19, 2026

Forged Kerberos tickets are the ultimate AD compromise. A Golden Ticket grants domain-wide impersonation for 10 years. A Silver Ticket grants service-specific impersonation without ever touching the DC. Understanding both is essential for any practitioner serious about AD.

Kerberos ticket refresher

Two ticket types in a Kerberos flow:

  • TGT (Ticket Granting Ticket): issued by the KDC after initial authentication. Encrypted with the krbtgt account's hash. Used to request service tickets.
  • TGS (Ticket Granting Service / service ticket): issued by the KDC for a specific service. Encrypted with that service account's hash. Presented to the service for authorization.

Golden Ticket = forged TGT

If an attacker extracts the krbtgt hash (via DCSync or NTDS.dit), they can forge their own TGT. The KDC has no way to tell it apart from a legitimate one because krbtgt's hash is what validates TGT signatures.
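Because the KDC cannot reject a forged TGT cryptographically, defenders look at ticket metadata instead. The following is an added example, not part of the original module: it parses ticket-cache text and flags any TGT whose lifetime exceeds domain policy, which is where the 10-year validity mentioned above shows up. Assumptions: the input follows the layout of Windows `klist` output with US-style dates, the sample cache is constructed, and the policy maximum is the Active Directory default of 10 hours.

```python
import re
from datetime import datetime, timedelta

# Assumption: "Maximum lifetime for user ticket" is the AD default of 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: US-style locale
FIELD = re.compile(r"(?m)^[ \t]*(Client|Server|Start Time|End Time):[ \t]*(.+?)[ \t]*$")

# Constructed sample modelled on Windows `klist` output (not from a real host).
SAMPLE_KLIST = """\
#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 4/19/2026 9:00:00 (local)
        End Time:   4/19/2026 19:00:00 (local)
#1>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 4/19/2026 9:05:00 (local)
        End Time:   4/16/2036 9:05:00 (local)
#2>     Client: alice @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        Start Time: 4/19/2026 9:10:00 (local)
        End Time:   4/19/2026 19:00:00 (local)
"""

def parse_tickets(text):
    """Split klist-style text into one dict of fields per cached ticket."""
    tickets = []
    for block in re.split(r"(?m)^[ \t]*#\d+>", text):
        fields = {m.group(1): m.group(2).replace("(local)", "").strip()
                  for m in FIELD.finditer(block)}
        if fields:
            tickets.append(fields)
    return tickets

def suspicious_tgts(text, max_lifetime=MAX_TGT_LIFETIME):
    """Return (client, lifetime) for TGTs that outlive the policy maximum."""
    hits = []
    for t in parse_tickets(text):
        if not t.get("Server", "").lower().startswith("krbtgt/"):
            continue  # service tickets are not TGTs; skip them
        if "Start Time" not in t or "End Time" not in t:
            continue  # incomplete entry, nothing to measure
        start = datetime.strptime(t["Start Time"], TIME_FMT)
        end = datetime.strptime(t["End Time"], TIME_FMT)
        if end - start > max_lifetime:
            hits.append((t["Client"], end - start))
    return hits
```

A lifetime within policy does not prove a ticket is legitimate, so this check is one signal to combine with others rather than a complete detection.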
