Active Directory · Term

What is a Kerberos ticket?

Kerberos tickets are how Windows proves identity without sending passwords around. Understanding the TGT and the TGS makes every Active Directory attack, from Kerberoasting to Golden Tickets, click into place. Here is the plain version.

TL;DR

A Kerberos ticket is an encrypted proof of identity issued by a Domain Controller so a user can access services without sending their password. There are two kinds: the Ticket Granting Ticket (TGT), issued at logon and used to request other tickets, and the service ticket (TGS), which grants access to one specific service. The TGT is signed with the KRBTGT key and the TGS with the service account’s key, and those two facts explain most Active Directory ticket attacks.

By John Dill, Red Team Lead, SecureLayer7

What TGT and TGS are

Kerberos avoids sending passwords by using tickets, issued by the Domain Controller acting as the Key Distribution Center (KDC):

  • TGT (Ticket Granting Ticket): issued when you log in, after you prove your identity (pre-authentication). It is your "master pass," signed with the KRBTGT hash, and you present it to request other tickets.
  • TGS (service ticket): when you want a specific service, you exchange your TGT for a TGS for that service. The TGS is encrypted with that service account’s hash.

Services trust the TGS because they trust the KDC that issued it.

Why tickets matter to attackers

Every ticket attack flows from how these are signed:

  • Kerberoasting abuses the fact that a TGS is encrypted with the service account’s hash: the attacker requests a ticket for a service and cracks it offline (GetUserSPNs.py -request).
  • AS-REP Roasting abuses accounts that have pre-authentication disabled, obtaining crackable material without ever completing a logon.
  • Golden Ticket forges a TGT using the KRBTGT hash; Silver Ticket forges a TGS using a service hash.
  • Pass-the-Ticket steals a real ticket from memory and reuses it.

Knowing which key signs which ticket tells you which secret each attack is really after.

How to defend the ticket system

  • Use gMSAs and strong service-account passwords so TGS encryption cannot be cracked (stops Kerberoasting and Silver Tickets).
  • Protect the KRBTGT hash (Tier 0 discipline, regular rotation) to prevent Golden Tickets.
  • Require Kerberos pre-authentication everywhere to stop AS-REP Roasting.
  • Prefer AES over RC4 for ticket encryption.
  • Protect ticket memory with Credential Guard to limit Pass-the-Ticket.
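The two crackable-ticket cases above (an RC4-encrypted TGS for a service account, and a TGT request that skipped pre-authentication) both leave traces in the Domain Controller's Security log. The following is an added Python example, not code from the original page or from SecureLayer7, that runs that check over a handful of constructed event records modelled on the fields of events 4768 (TGT requested) and 4769 (service ticket requested); the record layout, user and service names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events (not a real log export). "etype" mirrors the
# TicketEncryptionType field of 4768/4769; "preauth" mirrors the
# Pre-Authentication Type field of 4768 (0 means no pre-auth was required).
SAMPLE_EVENTS = [
    {"id": 4769, "user": "alice", "service": "sql_svc",  "etype": 0x12},
    {"id": 4769, "user": "bob",   "service": "sql_svc",  "etype": 0x17},
    {"id": 4769, "user": "bob",   "service": "http_svc", "etype": 0x17},
    {"id": 4769, "user": "bob",   "service": "cifs_svc", "etype": 0x17},
    {"id": 4769, "user": "carol", "service": "krbtgt",   "etype": 0x17},
    {"id": 4768, "user": "dave",  "preauth": 0,          "etype": 0x17},
    {"id": 4768, "user": "alice", "preauth": 2,          "etype": 0x12},
]

RC4_HMAC = 0x17            # ticket keyed from the account's NT hash: cheap to crack offline
AES_TYPES = {0x11, 0x12}   # AES128 / AES256: what the "prefer AES over RC4" advice produces


def find_kerberoast_candidates(events, burst_threshold=3):
    """Return (rc4_tgs_events, bursty_users).

    rc4_tgs_events: 4769 events where a service ticket for a non-krbtgt service
    was issued with RC4, i.e. a TGS encrypted under a crackable key.
    bursty_users: accounts that pulled RC4 tickets for at least burst_threshold
    distinct services, the pattern a bulk SPN request leaves behind.
    """
    rc4 = [e for e in events
           if e["id"] == 4769 and e["etype"] == RC4_HMAC and e["service"] != "krbtgt"]
    services_per_user = defaultdict(set)
    for e in rc4:
        services_per_user[e["user"]].add(e["service"])
    bursty = sorted(u for u, s in services_per_user.items() if len(s) >= burst_threshold)
    return rc4, bursty


def find_asrep_roast_candidates(events):
    """4768 events with pre-auth type 0: the KDC returned material encrypted
    with the user's key without the client first proving the password."""
    return [e for e in events if e["id"] == 4768 and e.get("preauth") == 0]


if __name__ == "__main__":
    rc4_events, bursty = find_kerberoast_candidates(SAMPLE_EVENTS)
    for e in rc4_events:
        print(f"RC4 service ticket: {e['user']} -> {e['service']}")
    print("bulk SPN requesters:", bursty)
    for e in find_asrep_roast_candidates(SAMPLE_EVENTS):
        print(f"TGT issued without pre-auth: {e['user']}")
```

On a live domain, the same checks apply to 4768/4769 records exported from the DCs, with the krbtgt exclusion kept so that TGT renewals do not count as service-ticket requests.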
