Kerberos is at the core of access management in most Windows domains, and its tickets are the tokens that let clients reach specific services. Kerberos ticket forging is a high-value capability for red teams because it exercises the authentication mechanisms of Active Directory directly. For ethical hackers, forging these tickets (Golden Ticket and Silver Ticket) replaces noisy credential replay with cleaner cryptographic impersonation, enabling stealthy persistence, fast lateral movement, and a way around defenses built to stop password theft. Golden Tickets are forged Ticket Granting Tickets (TGTs) used for broad impersonation. Silver Tickets are forged service tickets that focus on bypassing access to a single service.
This article provides a playbook for the red team, explaining ticket mechanisms, prerequisites, trade-offs between the Golden and Silver approaches, best practices for Capture the Flag (CTF) challenges and simulations, and more. It also focuses on safe simulation using OPSEC-aware workflows.
Emphasizing the importance of enumerating permissions, the article also provides valuable insights into the controls associated with tickets, often a decisive advantage in both CTF challenges and real-world assessments. Additionally, it highlights key tools involved in Active Directory penetration testing and the role of CPENT in empowering professionals through its hands-on, skill-building training.
What Is Kerberos?
Kerberos is a ticket-based protocol that relies on a trusted third party, known as the Key Distribution Center (KDC). In Active Directory, the Domain Controller (DC) hosts the KDC components: the Authentication Service (AS) and the Ticket Granting Service (TGS). A user first authenticates to the AS to obtain a Ticket Granting Ticket (TGT), which is then presented to the TGS to get service tickets for specific Service Principal Names (SPNs). These tickets contain encrypted session keys and authenticators and are protected with keys derived from account passwords or domain-wide key material. The KRBTGT account, a built-in service account in Active Directory, holds the key used to sign TGTs, while each service account's key signs the service tickets for its SPNs. Tickets carry fixed lifetimes, but their validity ultimately rests on those keys: whoever controls the KRBTGT key or a service account hash can create fake tickets that the domain will trust.
Golden vs Silver: Pen Testing Prerequisites and Outcomes
Forging Golden Tickets requires access to the domain signing key material associated with the KRBTGT account. Access to that material allows you to forge a TGT for almost any identity and request service tickets for any SPN. This gives the red team domain-wide impersonation capabilities and prolonged persistence. However, Golden Ticket attacks are costly because obtaining KRBTGT-level material requires deep access, such as extracting the NTDS database or performing privileged credential dumps, both of which demand significant time and resources.
Silver Tickets require the hash of the service account behind the SPN you want to impersonate. With it you can forge TGS tickets for that specific service without ever querying the KDC. The result is targeted, stealthy access to that service. Silver Tickets are often preferable when you need to access a specific resource and want to minimize noise. This approach is common in CTFs and in red-team objectives with a defined scope, because service account hashes are sometimes easier to obtain.
“The Silver Ticket approach is best for targeted and low-noise tasks, while the Golden Ticket approach is best for domain-wide persistence if you have deep access.”
Red-Teaming Guideline: An OPSEC-Aware Workflow
This high-level playbook outlines the steps to follow during an engagement without disclosing any sensitive details:
- Objective and Scope: Define proper objectives (persistence, file access, or privilege escalation), and create a list of approved hosts, accounts, duration, rollback plan, etc.
- Initial Access: Gain a foothold via phishing, a test account, or a sandbox; collect only the required credentials and log everything.
- Discovery and Mapping: Enumerate domain topology, privileged groups, SPNs, and object access control lists (ACLs); methodical mapping helps you identify the accounts with permissions that you need.
- Target Identification: Pick an account with the lowest privileges, whose ticket yields the desired objective. Often, a service account with access to a share or a vulnerable application account can be used.
- Reconnaissance: Identify the path where hashes or key material may exist. Examples include service configuration files, backups, or memory on privileged hosts. Be sure to avoid bulk exfiltration and validate presence with small reads.
- Simulation: To generate telemetry that defenders can validate, simulate ticket usage using established red-team frameworks in a controlled environment. Avoid publishing signatures or raw keys in reports.
- Action and Measurement: Use forged or simulated tickets to access services, enumerate data, or move laterally; capture DC logs, service logs, and endpoint traces to measure impact.
- Cleanup and Evidence Handover: Delete artifacts, remove temporary accounts, and provide logs and a timeline to the blue team.
This workflow exposes weaknesses while staying operationally safe: it keeps the footprint compact and concentrates on collecting logs that defenders can actually use.
Detection Awareness for OPSEC-Minded Pen Testers
Understanding how the blue team detects your footprint improves both your stealth and the value of your report. Observing these defender signals lets you design lower-noise attacks and identify and report gaps in detection:
- DC Kerberos Events: The blue team looks for service access on a host that has no corresponding ticket issuance on the DC, an irregularity between issuance and consumption.
- Unusual Ticket Lifetimes: Tickets that exceed the domain's normal durations are treated as high-value anomalies.
- Service Access from Unexpected Hosts: Violations of the host-to-service baseline flag unexpected lateral movement.
- LSASS or Ticket Cache Reads: Endpoint tools that access ticket caches or memory are flagged.
Here, Silver Tickets can be used to reduce KDC chatter and limit host footprint. It is essential to capture your own telemetry so that alert failures can be clearly demonstrated.
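The issuance-versus-consumption correlation described in the first bullet above, written out as an added example for this article (it is not code from the original author or from any tool named later). It assumes simplified event fields, a 10-hour maximum ticket lifetime as the domain policy, and that logs from every DC and service host have already been aggregated:

```python
from datetime import datetime, timedelta

# Constructed sample events (not captured telemetry); field names are simplified
# from the Windows Security log. 4768 = TGT issued and 4769 = service ticket
# issued are logged on the DC; 4624 = network logon is logged on the service host.
EVENTS = [
    {"id": 4768, "t": "2024-05-01T09:00:00", "acct": "svc_web", "src": "10.0.0.5"},
    {"id": 4769, "t": "2024-05-01T09:00:02", "acct": "svc_web", "svc": "cifs/FILES01", "src": "10.0.0.5"},
    {"id": 4624, "t": "2024-05-01T09:00:03", "acct": "svc_web", "host": "FILES01", "auth": "Kerberos", "src": "10.0.0.5"},
    # Silver Ticket pattern: the file server accepts a Kerberos logon for an
    # account that the DC never issued a service ticket to for that host.
    {"id": 4624, "t": "2024-05-01T09:30:00", "acct": "administrator", "host": "FILES01", "auth": "Kerberos", "src": "10.0.0.77"},
    # Golden Ticket pattern: the DC honours a forged TGT and issues a service
    # ticket for an account that never obtained a TGT from the AS.
    {"id": 4769, "t": "2024-05-01T10:00:00", "acct": "administrator", "svc": "ldap/DC01", "src": "10.0.0.77"},
]

def _ts(e):
    return datetime.fromisoformat(e["t"])

def _issued_before(events, event_id, acct, when, window, pred=lambda e: True):
    """True if an issuance event of event_id for acct (filtered by pred) lies within window before when."""
    return any(
        e["id"] == event_id and e["acct"].lower() == acct.lower() and pred(e)
        and when - window <= _ts(e) <= when
        for e in events
    )

def find_ticket_anomalies(events, window=timedelta(hours=10)):
    """Return (kind, account, where) for each ticket consumption lacking a matching issuance.
    The 10-hour window is an assumption (default domain maximum ticket lifetime); tune it to policy."""
    findings = []
    for e in events:
        when = _ts(e)
        if e["id"] == 4624 and e.get("auth") == "Kerberos":
            host = e["host"].upper()
            # A Kerberos logon on a host should follow a 4769 for an SPN on that host.
            if not _issued_before(events, 4769, e["acct"], when, window,
                                  lambda t, h=host: t["svc"].split("/")[-1].upper() == h):
                findings.append(("service_access_without_tgs", e["acct"], e["host"]))
        elif e["id"] == 4769:
            # A service ticket request should follow a 4768 TGT issuance for the same account.
            if not _issued_before(events, 4768, e["acct"], when, window):
                findings.append(("tgs_without_tgt", e["acct"], e["svc"]))
    return findings

if __name__ == "__main__":
    for kind, acct, where in find_ticket_anomalies(EVENTS):
        print(f"{kind}: account={acct} target={where}")
```

Run this against real logs only after aggregating 4768/4769 events from every domain controller, or a TGT legitimately issued by another DC will be reported as a forged one.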
Practical Trade-Offs and Red-Team Tips
Some of the best practices for deciding the correct approach, reducing noise, and reporting can be listed as follows:
- Golden vs. Silver Pick: Use Golden when the engagement justifies domain-level persistence, and you can manage rollback. Select Silver if you need stealthy, targeted service access.
- Minimize Noisy Actions: Use focused reads and brief memory checks rather than dumping many credentials.
- Account Focus: Understand each user’s permissions by mapping corresponding access to resources, revealing the shortest path to the objective.
- Artifact Hygiene: Always remember to clean up keys, forged tickets, or elevated artifacts and documents from the environment after testing.
- Reporting Discipline: Include clear telemetry, timestamps, and host identifiers so defenders can reconstruct the chain without needing raw keys.
Case Study: CPENT Challenge for Both Silver and Golden Tickets Simulation
Context and Goal
A CPENT challenge for Active Directory end-to-end ticket-based techniques was designed to perform both reconnaissance for targeted access and obtain domain-level persistence. The objective was to produce clear telemetry to indicate CTF success and for later analysis. All actions were performed in a controlled laboratory environment and documented for reporting purposes.
Actions Taken
The penetration tester began with thorough environment mapping, enumerating users, SPNs, and service account permissions to identify the shortest privilege path to the target. For targeted access, they located a service account hash on an application host and used a Silver Ticket simulation to request a service ticket for its SPN; this gave access to a protected share and retrieval of a proof file. Later in the exercise, the tester obtained simulated domain signing material from an NTDS snapshot and generated a Golden Ticket. Using the forged TGT, they requested service tickets across multiple hosts to measure persistence and acceptance.
Outcome and Inference
The exercise produced DC and service logs that showed service access without matching TGT issuance for the Silver case and a measurable persistence window for the Golden case. Mapping the attack surface first was essential: it clarified each user's permissions and revealed which accounts to target for the shortest and quietest ticket paths. Silver Tickets proved ideal for focused, low-footprint objectives, while Golden Tickets demonstrated domain-wide persistence when deep access was available. The captured telemetry was replayable and valuable for post-challenge analysis and reporting.
CTF Relevance Tips
- As ticket mechanics are central to many Active Directory CTF rooms, recognizing which account to target is often the decisive move.
- Map the attack surface first, as enumerating users and their permissions lets you know which account tickets will give you the access you need.
- Mapping the environment is a high-leverage step that converts reconnaissance into a clear exploitation path.
- Practice in labs, then apply the exact mapping in timed CTF challenges to shave off solution time.
Key Tools for Active Directory Red Teaming
- BloodHound/SharpHound: A graph-based mapping and collection suite. SharpHound collects Active Directory relationships and permissions, and the data is then loaded into BloodHound to find the shortest attack paths and prioritize targets.
- Rubeus: A Kerberos operations and ticket-handling tool for enumerating tickets, requesting renewals, and exercising ticket workflows to validate Silver and Golden Ticket scenarios in controlled labs.
- Impacket: A protocol- and credential-focused toolkit with scripts for SMB, Kerberos, and LDAP interactions. It is helpful for authenticated command execution, lateral movement tests, and proving access paths safely.
- Mimikatz: A credential and ticket extraction tool that pulls password hashes, Kerberos tickets, and key material from memory to validate ticket forging paths. Use it only in lab or explicitly authorized contexts because it is noisy and widely flagged by detection tools.
Conclusion
Golden and Silver Tickets are elite tools for red teams; use Silver for narrow, stealthy goals and Golden for broad persistence when the engagement supports it. Favor low-noise actions; avoid large credential dumps, and instead, use focused reads and brief memory checks to prove access. Prioritize enumeration; knowing each user’s permissions tells you which ticket to aim for and often unlocks the whole box in CTFs and real assessments. Use practical tools such as BloodHound/SharpHound, Rubeus, Impacket, and Mimikatz in lab or explicitly authorized contexts to validate paths and capture replayable telemetry. Practice in sandboxed labs and pursue structured training, such as CPENT, to build safe and professional skills. CPENT provides hands-on labs and scoring discipline that help convert these concepts into repeatable, professional skills.
About the Author
Omar Tamer
Red Team & Penetration Testing Specialist
Omar Tamer is a red team and penetration testing specialist with a bachelor’s degree in business information systems. He conducts full-scope security assessments across web, network, Active Directory, and OT/IoT environments and holds multiple industry-recognized certifications, including CEH Master, CPENT, and LPT Master from EC-Council; eJPT from INE Security; and PCEP from the Python Institute. In addition to serving as an EC-Council exam item writer, he has developed offensive security tools, including Packet-Whiz (a network forensics analyzer) and OTSec (an OT/IoT offensive toolkit), to support research and training. Ranked among the top players in various CTF platforms, he is passionate about advancing security research and aspires to publish original zero-day CVEs accredited to him.