Which Kerberos credential type enables forging TGTs for any account within a domain?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which Kerberos credential type enables forging TGTs for any account within a domain?

Explanation:
The concept tested is how Golden Tickets abuse Kerberos to impersonate any user in a domain. A Golden Ticket is created by compromising the KRBTGT account in Active Directory, whose password hash is used to sign Kerberos Ticket Granting Tickets (TGTs). Once you have that hash, you can forge a TGT for any account—essentially becoming that user and gaining access to resources across the entire domain, including privileged accounts. This makes Golden Tickets the method that enables forging TGTs for any account. In contrast, Silver Tickets involve forging service tickets (TGS) for a specific service and don’t grant the ability to impersonate arbitrary users at the TGT level. The other two items aren’t credential types: Rubeus is a Kerberos-related tool, and Responder is a network-poisoning tool used to capture credentials.

The concept tested is how Golden Tickets abuse Kerberos to impersonate any user in a domain. A Golden Ticket is created by compromising the KRBTGT account in Active Directory, whose password hash is used to sign Kerberos Ticket Granting Tickets (TGTs). Once you have that hash, you can forge a TGT for any account—essentially becoming that user and gaining access to resources across the entire domain, including privileged accounts. This makes Golden Tickets the method that enables forging TGTs for any account.

In contrast, Silver Tickets involve forging service tickets (TGS) for a specific service and don’t grant the ability to impersonate arbitrary users at the TGT level. The other two items aren’t credential types: Rubeus is a Kerberos-related tool, and Responder is a network-poisoning tool used to capture credentials.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy