
Kerberos Attacks Explained Like a Human Conversation
Or Why Everyone Keeps Passing Tickets and Trusting Them Way Too Much
Kerberos sounds intimidating because it was named after a three-headed dog, which already feels like a warning. In practice, Kerberos is just a very polite, very trusting conversation system that assumes everyone is behaving themselves. Attackers love this optimism.
Imagine Kerberos as an office building with a front desk.
You walk in and say, “Hi, I’m Alex.” The front desk doesn’t immediately let you roam the building. Instead, it says, “Prove it.” You show your badge. The front desk checks its records and hands you a stamped wristband that says, “Alex has been verified.” This is your ticket-granting ticket.
So far, so good.
Now you walk over to a locked office and say, “I’d like to enter this room.” The door replies, “Do you have a wristband?” You show it. The door squints, trusts the stamp, and lets you in. No password required. No questions asked. You were already trusted by the front desk, so everyone else trusts the front desk too.
Kerberos attacks begin when someone realizes that nobody is checking the wristband very closely.
Take Kerberoasting. This is the moment someone notices that certain offices accept tickets based on service accounts that use passwords instead of smart badges. The attacker doesn’t break the door down. They politely ask the front desk for a ticket to that office, receive a stamp encrypted with that service account’s password, and walk away to stare at it offline until the password gives up out of boredom.
The system worked exactly as designed. The problem was trusting a weak secret for something powerful.
Then there’s Pass-the-Ticket, which is exactly what it sounds like and exactly as awkward. Someone finds a valid wristband lying around and simply puts it on. Kerberos does not ask how you got it. It only checks whether it looks real. If the stamp is valid, the building shrugs and lets you in.
Kerberos assumes that if you have the ticket, you are the person. This is very efficient and very dangerous when tickets are copied instead of protected.
Golden Tickets take this optimism to its logical extreme. This is the moment someone steals the stamp machine itself. With control over the ticket authority, the attacker can mint wristbands that say anything they want. “Alex is a domain admin.” “Alex is trusted forever.” “Alex doesn’t expire.” Kerberos believes these tickets completely because they are perfectly formatted lies.
Silver Tickets are slightly less dramatic but still uncomfortable. Instead of controlling the entire building, the attacker controls one office’s door. They forge tickets that only that door checks, bypassing the front desk entirely. The system assumes the front desk already did its job, even though it never got involved.
What makes Kerberos attacks so effective is that nothing looks broken. Logs show valid authentication. Services behave normally. No alarms go off because no rules were violated. Kerberos did exactly what it was told to do. It trusted the stamps.
The uncomfortable truth is that Kerberos is not weak. It’s efficient. The weakness comes from how humans configure it. Long-lived tickets. Overprivileged service accounts. Passwords that never change. Delegation settings that seemed convenient at the time. Each one adds another layer of trust that attackers are happy to inherit.
Defenders often ask how to “fix” Kerberos. The answer is disappointing and practical. Reduce trust. Limit ticket lifetimes. Protect service accounts like they matter, because they do. Monitor for behavior that looks valid but feels wrong. Clean up delegation. Rotate secrets. Assume that someone will eventually find a wristband on the floor.
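“Monitor for behavior that looks valid but feels wrong” is the hardest item on that list, because every event in the log really is a valid ticket request. As an added example (not code from the original post), the Python below runs a Kerberoasting-shaped detection over constructed Windows Security event 4769 records: it ignores each request on its own and instead flags a user account that asks for tickets to many different service accounts within a short window using the RC4-HMAC ticket type (0x17), the type whose hashes are cheapest to attack offline. The field names (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress) are the real 4769 fields; the key=value export format, the sample accounts, and the ten-minute / five-service thresholds are assumptions chosen for the example.

```python
"""Added example: flag a Kerberoasting-shaped burst in event 4769 records.

Event 4769 ("A Kerberos service ticket was requested") is logged on the domain
controller for every TGS request, legitimate or not, so no single record is an
alarm.  The signal is the shape of the traffic: one user asking for tickets to
many different service accounts in a short window, with RC4-HMAC (0x17).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RC4_HMAC = 0x17                    # etype 23; the AES types are 0x11 / 0x12
WINDOW = timedelta(minutes=10)     # assumed tuning values, not a standard
MIN_DISTINCT_SERVICES = 5

# Constructed records in a key=value export style; not real log data.
_A = "TargetUserName=alex@CORP.EXAMPLE IpAddress=10.0.0.5"
_C = "TargetUserName=carol@CORP.EXAMPLE IpAddress=10.0.0.9"
SAMPLE_EVENTS = [
    # alex: a TGT request (ignored), then five service accounts in seven seconds, all RC4
    f"EventID=4769 TimeCreated=2024-03-01T09:00:00 ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 {_A}",
    f"EventID=4769 TimeCreated=2024-03-01T09:00:01 ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 {_A}",
    f"EventID=4769 TimeCreated=2024-03-01T09:00:02 ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 {_A}",
    f"EventID=4769 TimeCreated=2024-03-01T09:00:03 ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 {_A}",
    f"EventID=4769 TimeCreated=2024-03-01T09:00:04 ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 {_A}",
    f"EventID=4769 TimeCreated=2024-03-01T09:00:06 ServiceName=svc_sap TicketEncryptionType=0x17 Status=0x0 {_A}",
    f"EventID=4769 TimeCreated=2024-03-01T09:00:08 ServiceName=svc_exchange TicketEncryptionType=0x17 Status=0x0 {_A}",
    # carol: the same five RC4 tickets, but spread over a normal working morning
    f"EventID=4769 TimeCreated=2024-03-01T08:00:00 ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 {_C}",
    f"EventID=4769 TimeCreated=2024-03-01T08:45:00 ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 {_C}",
    f"EventID=4769 TimeCreated=2024-03-01T09:30:00 ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 {_C}",
    f"EventID=4769 TimeCreated=2024-03-01T10:15:00 ServiceName=svc_sap TicketEncryptionType=0x17 Status=0x0 {_C}",
    f"EventID=4769 TimeCreated=2024-03-01T11:00:00 ServiceName=svc_exchange TicketEncryptionType=0x17 Status=0x0 {_C}",
    # a workstation (machine account) using AES, and a failed request (non-zero Status)
    "EventID=4769 TimeCreated=2024-03-01T09:01:00 TargetUserName=WS01$@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.20",
    "EventID=4769 TimeCreated=2024-03-01T09:01:30 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x1b IpAddress=10.0.0.21",
]


@dataclass(frozen=True)
class TgsRequest:
    when: datetime
    user: str        # requesting account, lower-cased, realm included
    service: str     # account the service ticket was issued for
    enc_type: int
    status: int
    source_ip: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Optional[TgsRequest]:
    """Parse one key=value record; return None for anything that is not a 4769."""
    f = dict(_KV.findall(line))
    if f.get("EventID") != "4769":
        return None
    return TgsRequest(
        when=datetime.fromisoformat(f["TimeCreated"]),
        user=f["TargetUserName"].lower(),
        service=f["ServiceName"].lower(),
        enc_type=int(f["TicketEncryptionType"], 16),
        status=int(f["Status"], 16),
        source_ip=f.get("IpAddress", "?"),
    )


def find_kerberoasting(lines, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """One alert per user whose issued RC4 service tickets cover at least
    `min_services` distinct service accounts inside some `window`-long span."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.status != 0 or ev.enc_type != RC4_HMAC:
            continue                     # not issued, or not a cheaply crackable ticket type
        if ev.user.split("@")[0].endswith("$") or ev.service == "krbtgt":
            continue                     # machine accounts and TGT traffic are noise here
        per_user[ev.user].append(ev)

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e.when)
        best, start = [], 0
        for end in range(len(events)):   # sliding window over the sorted requests
            while events[end].when - events[start].when > window:
                start += 1
            span = events[start:end + 1]
            if len({e.service for e in span}) > len({e.service for e in best}):
                best = span
        services = sorted({e.service for e in best})
        if len(services) >= min_services:
            alerts.append({
                "user": user,
                "distinct_services": len(services),
                "services": services,
                "source_ips": sorted({e.source_ip for e in best}),
                "first_seen": best[0].when.isoformat(),
                "last_seen": best[-1].when.isoformat(),
            })
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in find_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, only `alex` is reported: the same five tickets requested by `carol` over a morning never fall inside one ten-minute window, the workstation account is excluded as a machine account and uses AES anyway, and `bob`'s request was never issued. The two thresholds are the whole detection; widening the window to a few hours makes `carol` look like `alex`, which is the usual trade-off between catching a slow, patient roast and paging on a busy admin.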
Kerberos works best in an environment where trust is earned carefully and revoked quickly. It works worst in environments that value convenience over clarity.
Explained as a conversation, Kerberos is very polite. Too polite.
It assumes that once you’ve been introduced properly, you’ll behave forever.
Attackers simply say thank you, take the ticket, and keep the conversation going long after it should have ended.