DETECTION OVERVIEW
Risk Factors
Golden ticket attacks are sophisticated: an attacker must already hold domain administrator privileges to forge a golden ticket, but once forged, the ticket enables the attacker to access any network service in the domain and achieve their attack objectives.
Kill Chain
Risk Score
90
Kerberos is an authentication protocol that verifies identity and permissions using tickets encrypted with account keys. A ticket carries the credentials of a user, computer, or service account, encrypted with a cipher algorithm. Every domain controller (DC) in an Active Directory (AD) domain runs a Kerberos Key Distribution Center (KDC) service that issues ticket-granting tickets (TGTs). A TGT is cryptographic proof of identity: to access a service such as a file share, printer, or database, a user must present a TGT encrypted with the key of the KRBTGT account. Each AD domain has one KRBTGT account.

If an attacker manages to steal the KRBTGT account key from a DC (1), they can bypass the KDC service entirely and create a forged TGT, known as a golden ticket. The golden ticket is created by running a command in a Windows exploit tool such as Mimikatz or Impacket (2). It is encrypted with the stolen KRBTGT key and may include fake domain administrator credentials. When the attacker wants to access a service, they send a Kerberos TGS_REQ message containing the golden ticket to the Ticket Granting Service (TGS) on the DC (3). The TGS trusts the golden ticket and issues a service ticket, enabling the attacker to access the service as a fake domain administrator.
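Because a golden ticket is forged rather than issued by the KDC, the DC never records a TGT request for it, so a service-ticket request that has no preceding TGT request from the same account and host is a useful detection signal. The following is an added example (not part of this detection overview or any vendor's product) that applies that check to constructed Windows Security events; it assumes event ID 4768 (TGT requested) and 4769 (service ticket requested) and a default TGT lifetime of 10 hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Windows Security event IDs:
# 4768 = Kerberos TGT requested (AS exchange), 4769 = service ticket requested (TGS exchange).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-01-01T09:00:30", "id": 4769, "user": "alice", "ip": "10.0.0.5", "service": "cifs/fs01"},
    # A golden ticket is never issued by the KDC, so no 4768 precedes these 4769 events.
    {"time": "2024-01-01T10:15:00", "id": 4769, "user": "administrator", "ip": "10.0.0.99", "service": "cifs/dc01"},
    {"time": "2024-01-01T10:16:00", "id": 4769, "user": "administrator", "ip": "10.0.0.99", "service": "ldap/dc01"},
]


def find_tgs_without_tgt(events, window_hours=10):
    """Return 4769 events for which no 4768 from the same (user, ip) occurred
    within the preceding window_hours (default: the AD default TGT lifetime)."""
    tgt_times = defaultdict(list)  # (user, ip) -> timestamps of TGTs issued by the KDC
    suspicious = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            tgt_times[key].append(ts)
        elif ev["id"] == 4769:
            window_start = ts - timedelta(hours=window_hours)
            # A TGS_REQ backed by a legitimate TGT should have a 4768 inside the window.
            if not any(window_start <= t <= ts for t in tgt_times[key]):
                suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for ev in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"{ev['time']} service ticket for {ev['user']}@{ev['ip']} -> {ev['service']} with no TGT request")
```

Each DC only logs the exchanges it handled, so this check needs events collected from every DC in the domain; otherwise a TGT issued by one DC and used at another looks like a forged ticket.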