Module 4 · Why Kerberos Keeps Producing Attacks

Manish Garg Associate of (ISC)² · RingSafe
Apr 22, 2026

Last updated: April 29, 2026

Kerberoasting, AS-REP roasting, Golden Tickets, Silver Tickets, delegation abuse. These are not bugs: they are design features operating in a new threat model.

Kerberos is 35+ years old. It was designed at MIT in 1988 for a specific threat model (one network, trusted users, malicious insiders rare). Active Directory bolted Kerberos onto Windows networks starting in 2000. The threat model was never updated. Today, every Active Directory compromise report mentions Kerberos: Kerberoasting, AS-REP roasting, Golden Tickets, Silver Tickets, constrained delegation abuse, S4U2Self, resource-based constrained delegation. This module is about why Kerberos keeps producing attacks.

Why this happens

Kerberos has design features that made sense in 1988:

  • Credentials as symmetric secrets (a key derived from the user’s password encrypts the session key)
  • Tickets are data blobs that can be transferred and replayed until they expire
  • Timestamps for replay protection (assumes synchronized clocks)
  • Cross-realm trust bridges different networks (assumes realms trust each other)
  • Delegation (A can act as B) for multi-hop service chains

Each of these features, in a 2026 network with attacker-controlled endpoints, becomes an attack. The attacker extracts tickets from memory. The attacker forges tickets using captured key material. The attacker abuses delegation to impersonate privileged accounts. The protocol works exactly as designed — and the design enables modern attacks.
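As an added example (not part of the original module), a defender can check which accounts in their own directory expose the features listed above. It assumes account attributes were already exported into dictionaries keyed by LDAP attribute name; the account names, hosts and attribute values below are constructed, and the finding labels are this example's own.

```python
# Added example. userAccountControl bit values are the documented AD flags.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200                     # user object, not a computer
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-authentication off
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)


def audit_account(acct):
    """Return sorted exposure labels for one exported account record."""
    uac = int(acct.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        return []                              # disabled accounts are skipped
    found = set()
    if (uac & NORMAL_ACCOUNT) and acct.get("servicePrincipalName"):
        found.add("spn-on-user")               # Kerberoasting exposure
    if uac & DONT_REQ_PREAUTH:
        found.add("no-preauth")                # AS-REP roasting exposure
    if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
        found.add("unconstrained-delegation")  # DCs carry this flag by default
    if acct.get("msDS-AllowedToDelegateTo"):
        found.add("constrained-delegation")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        found.add("protocol-transition")
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        found.add("rbcd")                      # resource-based constrained delegation
    return sorted(found)


def audit(accounts):
    """Map sAMAccountName -> labels, keeping only accounts with findings."""
    report = {a["sAMAccountName"]: audit_account(a) for a in accounts}
    return {name: labels for name, labels in report.items() if labels}

# Constructed sample records (hypothetical names), shaped like an LDAP export.
SAMPLE = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "servicePrincipalName": ["HOST/web01.example.test"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "servicePrincipalName": ["HOST/dc01.example.test"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200, "servicePrincipalName": ["HTTP/app.example.test"], "msDS-AllowedToDelegateTo": ["cifs/fs01.example.test"]},
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000, "msDS-AllowedToActOnBehalfOfOtherIdentity": "<constructed descriptor>"},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x400202},
]

if __name__ == "__main__":
    for name, labels in audit(SAMPLE).items():
        print(f"{name}: {', '.join(labels)}")
```

Each label marks an account whose configuration deserves review, such as a strong managed password for a service account or a documented reason for the delegation setting; it is not by itself evidence of compromise.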
