Learn TGT Hashes

josh (@josh), Member Admin, Topic starter
Joined: 2 months ago, Posts: 510

Let’s break down TGT hashes in the context of Kerberos authentication and security testing.


🎟 What Is a TGT (Ticket Granting Ticket)?

In Kerberos, a TGT is a special ticket issued by the Authentication Service (AS) after a user successfully authenticates. It allows the user to request access to other services without re-entering credentials.

  • The TGT is encrypted and signed using the KRBTGT account’s secret key.
  • Only the Domain Controller (DC) can decrypt and validate it.
  • It contains user identity, timestamp, and session key.

🔐 What Is a TGT Hash?

A TGT hash refers to the cryptographic key used to encrypt or sign the TGT. Depending on the encryption type (RC4, AES-128, AES-256), this hash can be:

  • The NTLM hash of the user (for RC4 encryption)
  • A Kerberos AES key derived from the password

These hashes can be used in attacks like:

🧨 Overpass-the-Hash

  • Uses the NTLM hash to request a TGT without knowing the actual password.
  • The attacker can then use the TGT to access services.

🧨 Pass-the-Key

  • Similar to Overpass-the-Hash but uses AES keys instead of NTLM hashes.

🧪 How Attackers Use TGT Hashes

Once an attacker obtains a valid hash (via credential dumping or other means), they can:

  1. Use tools like Impacket’s getTGT.py to request a TGT:
    getTGT.py -hashes 'LMhash:NThash' DOMAIN/USER@TARGET
  2. Save the TGT as a .ccache file and use it with other tools to access services.
  3. Crack TGTs offline using tools like John the Ripper:
    kirbi2john tgt.kirbi > hash.txt
    john --wordlist=wordlist.txt hash.txt

More details are available in this technical guide on Kerberos TGT attacks.


Protecting against TGT hash attacks—especially those involving Golden Ticket or Pass-the-Hash techniques—requires a layered defense strategy. Here are the most effective ways to secure your environment:


🛡️ 1. Protect the KRBTGT Account

The KRBTGT account is the cornerstone of Kerberos authentication. If its hash is compromised, attackers can forge TGTs.

  • Rotate the KRBTGT password regularly, ideally twice, since a single change leaves tickets issued under the previous key valid.
  • Disable logon for KRBTGT to prevent misuse.
  • Monitor for unusual ticket activity, such as long-lived or forged TGTs.

More on this from Semperis’ guide to defending against Golden Ticket attacks.


🔐 2. Enforce Strong Credential Hygiene

  • Use long, complex passwords and enforce regular changes.
  • Implement multi-factor authentication (MFA) wherever possible.
  • Avoid storing plaintext credentials or hashes on endpoints.

🧠 3. Minimize Privilege Sprawl

  • Apply least privilege access principles.
  • Use Privileged Access Management (PAM) tools to control and monitor admin accounts.
  • Audit group memberships, especially Domain Admins and Enterprise Admins.

🕵️ 4. Monitor and Detect

  • Deploy SIEM solutions to detect anomalies in Kerberos ticket usage.
  • Watch for signs of Mimikatz or other credential dumping tools.
  • Set alerts for unusual TGT lifetimes, service ticket requests, or logon attempts from unexpected locations.
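To make the monitoring bullets above concrete, here is an added Python example (not part of the original post, and not tied to any particular SIEM) that runs two of these checks over a handful of constructed Security-log records modelled on Event ID 4768 (TGT requested) and 4769 (service ticket requested). It flags a TGT requested with RC4 (encryption type 0x17) for an account that is expected to use AES, a common sign of an Overpass-the-Hash with an NTLM hash, and a service ticket request for which the domain controller never issued a TGT within the ticket lifetime, which is what a forged (Golden) ticket looks like from the DC's point of view. The `key=value` line format, the account names, the IP addresses and the 10-hour lifetime are assumptions for the example; adjust the lifetime to your domain policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Encryption type codes as they appear in the TicketEncryptionType field of 4768/4769
ETYPE_RC4_HMAC = 0x17
ETYPE_AES128_CTS = 0x11
ETYPE_AES256_CTS = 0x12

# Assumed maximum TGT lifetime (the default domain policy is 10 hours; use your own value)
MAX_TGT_LIFETIME = timedelta(hours=10)


@dataclass(frozen=True)
class KerberosEvent:
    event_id: int       # 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ)
    time: datetime
    account: str        # TargetUserName
    client_ip: str      # IpAddress
    etype: int          # TicketEncryptionType
    service: str = ""   # ServiceName (4769 only)


def parse_events(lines):
    """Parse the constructed key=value log format into KerberosEvent records."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(KerberosEvent(
            event_id=int(fields["EventID"]),
            time=datetime.fromisoformat(fields["Time"]),
            account=fields["TargetUserName"],
            client_ip=fields["IpAddress"],
            etype=int(fields["TicketEncryptionType"], 16),
            service=fields.get("ServiceName", ""),
        ))
    return events


def find_rc4_downgrades(events, aes_accounts):
    """TGT requests that used RC4 for accounts that normally authenticate with AES keys."""
    return [e for e in events
            if e.event_id == 4768 and e.etype == ETYPE_RC4_HMAC and e.account in aes_accounts]


def find_orphan_service_tickets(events, lifetime=MAX_TGT_LIFETIME):
    """Service ticket requests with no TGT issued to the same account within the TGT lifetime."""
    tgt_times = {}
    for e in events:
        if e.event_id == 4768:
            tgt_times.setdefault(e.account, []).append(e.time)
    orphans = []
    for e in events:
        if e.event_id != 4769:
            continue
        issued_recently = any(timedelta(0) <= e.time - t <= lifetime
                              for t in tgt_times.get(e.account, []))
        if not issued_recently:
            orphans.append(e)
    return orphans


def run_detections(lines, aes_accounts, lifetime=MAX_TGT_LIFETIME):
    """Run both checks and return the flagged events keyed by detection name."""
    events = parse_events(lines)
    return {
        "rc4_downgrade": find_rc4_downgrades(events, aes_accounts),
        "orphan_service_ticket": find_orphan_service_tickets(events, lifetime),
    }


# Constructed sample records (not real log data): alice behaves normally, bob's TGT was
# requested with RC4 although his account uses AES, and svc_backup uses a service ticket
# without the DC ever having issued it a TGT.
SAMPLE_LOG = [
    "EventID=4768 Time=2024-05-01T08:00:00 TargetUserName=alice IpAddress=10.0.0.5 TicketEncryptionType=0x12",
    "EventID=4769 Time=2024-05-01T08:05:00 TargetUserName=alice IpAddress=10.0.0.5 TicketEncryptionType=0x12 ServiceName=cifs/fs01",
    "EventID=4768 Time=2024-05-01T09:00:00 TargetUserName=bob IpAddress=10.0.0.77 TicketEncryptionType=0x17",
    "EventID=4769 Time=2024-05-01T21:30:00 TargetUserName=svc_backup IpAddress=10.0.0.99 TicketEncryptionType=0x12 ServiceName=ldap/dc01",
]

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG, {"alice", "bob"}).items():
        for e in hits:
            print(f"{name}: {e.account} from {e.client_ip} at {e.time} etype=0x{e.etype:x} {e.service}")
```

Both checks need tuning before they go into a SIEM rule: RC4 is legitimate for accounts that have never had AES keys generated (password not changed since AES was enabled) and for some older services, so the `aes_accounts` set should come from your own inventory, and the orphan check must be run over logs from every domain controller, since the TGT and the service ticket request may have been handled by different DCs.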

🧰 5. Use Defensive Tools

  • Tools like Microsoft Defender for Identity, PingCastle, and BloodHound can help identify vulnerabilities in Active Directory.
  • Consider endpoint detection and response (EDR) solutions to catch lateral movement and credential theft.

🧼 6. Regularly Clean Up and Patch

  • Remove unused accounts and stale credentials.
  • Patch domain controllers and keep Kerberos implementations up to date.

For a deeper dive into protecting against hash-based attacks, check out this comprehensive strategy guide.
