{"id":83940,"date":"2026-02-05T02:14:00","date_gmt":"2026-02-05T02:14:00","guid":{"rendered":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/?p=83940"},"modified":"2026-03-11T12:02:49","modified_gmt":"2026-03-11T12:02:49","slug":"kerberos-offensive-playbook-enumeration-ticket-abuse","status":"publish","type":"post","link":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/penetration-testing\/kerberos-offensive-playbook-enumeration-ticket-abuse\/","title":{"rendered":"Kerberos Offensive Playbook: Enumeration, Targeting, and Ticket Abuse"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Kerberos is at the core of access management in most Windows domains, and tickets serve as the tokens that enable clients to access specific services. Kerberos ticket forging is a high-value capability for red teams, enabling them to understand authentication mechanisms in Active Directory environments. For ethical hackers, forging these tickets (Golden Ticket and Silver Ticket) replaces noisy credential replay with cleaner cryptographic impersonation, enabling stealthy persistence, fast lateral movement, and the ability to bypass password theft defenses. Golden Tickets are forged Ticket Granting Tickets (TGTs) used for broad impersonation. Silver Tickets are forged service tickets that focus on access bypass.<\/p>

This article provides a playbook for the red team, explaining ticket mechanisms, hacking prerequisites, trade-offs between the Golden and Silver approaches, best practices for Capture the Flags (CTFs) and simulations, and more. It will also focus on safe simulation using OPSEC-enabled workflows.<\/p>

Emphasizing the importance of enumerating permissions, the article also provides valuable insights into the controls associated with tickets, often a decisive advantage in both CTF challenges<\/a> and real-world assessments. Additionally, it highlights key tools involved in Active Directory penetration testing and the role of CPENT in empowering professionals through its hands-on, skill-building training.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What Is Kerberos?<\/h2>

Kerberos is a ticket-based protocol that relies on a trusted third party, known as the Key Distribution Center (KDC). In Active Directory, the Domain Controller (DC) hosts the KDC components, the Authentication Service (AS), and the Ticket Granting Service (TGS). A user needs to access the AS to gain a Ticket Granting Ticket (TGT), which is then presented to the TGS to get service tickets for specific Service Principal Names (SPNs). These tickets contain encrypted session keys and authenticators and are signed using keys derived from account passwords or domain-wide key material. The KRBTGT account, which is a built-in service account in Active Directory, stores the key used to sign TGTs, while service account keys sign service tickets. Because the tickets have set lifetimes, controlling these signing keys or service account hashes allows an attacker to create fake tickets that the domain will trust.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Golden vs Silver: Pen Testing Prerequisites and Outcomes<\/h2> \n\n

Forging Golden Tickets requires access to the domain signing key material associated with the KRBTGT account. Access to that material allows you to forge a TGT for almost any identity and request service tickets for any SPN. Thus, this provides the red team with domain-wide impersonation capabilities and prolonged persistence. However, Golden Ticket attacks are costly because obtaining KRBTGT-level material requires deep access, such as extracting the NTDS database or performing privileged credential dumps, both of which demand significant time and resources.<\/p> \n\n

Silver Tickets require you to have the target service account hash for the SPN that you want to impersonate. This access lets you forge TGS tickets for specific services without querying the KDC. As a result, you get a targeted and stealthy service access. Silver Tickets are often preferable when you need to access a specific resource and want to minimize noise. This approach is commonly used in CTFs and in red-team objectives with a defined scope, as service account hashes are sometimes easier to obtain.<\/p> \n\n

\u201cThe Silver Ticket approach is best for targeted and low-noise tasks, while the Golden Ticket approach is best for domain-wide persistence if you have deep access.\u201d<\/i><\/p> \t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Red-Teaming Guideline: An OPSEC-Aware Workflow<\/h2>

This high-level playbook outlines the steps to follow during an engagement without disclosing any sensitive details:<\/p>

  1. Objective and Scope:<\/strong> Define proper objectives (persistence, file access, or privilege escalation), and create a list of approved hosts, accounts, duration, rollback plan, etc.<\/li>
  2. Initial Access:<\/strong> Gain a foothold via phishing, a test account, or sandbox; Collect only the required credentials and log everything.<\/li>
  3. Discovery and Mapping:<\/strong> Enumerate domain topology, privileged groups, SPNs, and object access control lists (ACLs); methodical mapping helps you identify the accounts with permissions that you need.<\/li>
  4. Target Identification:<\/strong> Pick an account with the lowest privileges, whose ticket yields the desired objective. Often, a service account with access to a share or a vulnerable application account can be used.<\/li>
  5. Reconnaissance:<\/strong> Identify the path where hashes or key material may exist. Examples include service configuration files, backups, or memory on privileged hosts. Be sure to avoid bulk exfiltration and validate presence with small reads.<\/li>
  6. Simulation:<\/strong> To generate telemetry that defenders can validate, simulate ticket usage using established red-team frameworks in a controlled environment. Avoid publishing signatures or raw keys in reports.<\/li>
  7. Action and Measurement:<\/strong> Use forged or simulated tickets to access services, enumerate data, or move laterally; capture DC logs, service logs, and endpoint traces to measure impact.<\/li>
  8. Cleanup and Evidence Handover:<\/strong> Delete artifacts, remove temporary accounts, and provide logs and a timeline to the blue team.<\/li><\/ol>

    This method reveals vulnerabilities while maintaining operational safety and security. It features a compact design and focuses on collecting valuable logs.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    OPSEC-Aware Detection Awareness for Pen Testers<\/h2> \n\n

    Understanding how the blue team detects your footprint allows you to improve your stealth and the value of your report. Observing these defender signals will enable you to design lower-noise attacks, and identify and report the gap in detection:<\/p> \n\n