Last updated: April 29, 2026
Forged Kerberos tickets are the ultimate AD compromise. A Golden Ticket grants domain-wide impersonation for 10 years. A Silver Ticket grants service-specific impersonation without ever touching the DC. Understanding both is essential for any practitioner serious about AD.
Kerberos ticket refresher
Two ticket types in a Kerberos flow:
- TGT (Ticket Granting Ticket) — issued by the KDC after initial authentication. Encrypted with the krbtgt account’s hash. Used to request service tickets.
- TGS (Ticket Granting Service / service ticket) — issued by the KDC for a specific service. Encrypted with that service account’s hash. Presented to the service for authorization.
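The two properties above suggest two defender checks: a ticket whose lifetime far exceeds domain policy, and a ticket in use that the KDC never logged issuing. The following is an added example, not code from this page; the event and ticket records are constructed and simplified, and the 10-hour limit assumes the default AD maximum user ticket lifetime.

```python
from datetime import datetime, timedelta

# Assumption: default AD "maximum lifetime for user ticket" of 10 hours.
MAX_TICKET_LIFETIME = timedelta(hours=10)
# Assumption: tolerated gap between DC issuance time and ticket start time.
CLOCK_SKEW = timedelta(minutes=5)

# Constructed DC security events: 4768 = TGT requested, 4769 = service ticket requested.
DC_EVENTS = [
    {"id": 4768, "time": "2026-04-29T08:00:00", "user": "alice", "service": "krbtgt"},
    {"id": 4769, "time": "2026-04-29T08:01:00", "user": "alice", "service": "cifs/fs01"},
]

# Constructed ticket observations, as might be collected from host ticket caches.
TICKETS = [
    {"user": "alice", "service": "cifs/fs01", "start": "2026-04-29T08:01:00", "end": "2026-04-29T18:01:00"},
    {"user": "admin", "service": "krbtgt", "start": "2026-04-29T09:00:00", "end": "2036-04-27T09:00:00"},
    {"user": "bob", "service": "mssql/db01", "start": "2026-04-29T10:00:00", "end": "2026-04-29T20:00:00"},
]

def _t(stamp):
    return datetime.fromisoformat(stamp)

def issued_by_dc(ticket, dc_events):
    """True if the DC logged an issuance matching this ticket's user, service and start."""
    wanted = 4768 if ticket["service"] == "krbtgt" else 4769
    return any(
        e["id"] == wanted and e["user"] == ticket["user"]
        and e["service"] == ticket["service"]
        and abs(_t(e["time"]) - _t(ticket["start"])) <= CLOCK_SKEW
        for e in dc_events)

def review(tickets, dc_events):
    """Return (user, service, reasons) for every ticket that fails a check."""
    findings = []
    for t in tickets:
        reasons = []
        if _t(t["end"]) - _t(t["start"]) > MAX_TICKET_LIFETIME:
            reasons.append("lifetime exceeds policy")   # Golden Ticket indicator
        if not issued_by_dc(t, dc_events):
            reasons.append("no matching DC issuance event")  # ticket never came from the KDC
        if reasons:
            findings.append((t["user"], t["service"], reasons))
    return findings

if __name__ == "__main__":
    for finding in review(TICKETS, DC_EVENTS):
        print(finding)
```

Real 4768/4769 events carry more fields than this simplified shape, and renewed tickets need their renewal events included in the correlation before a missing issuance is treated as a finding.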