Pass-the-Hash vs Pass-the-Ticket: Complete Guide

Active Directory credential attacks come in two flavors that confuse people constantly: Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). Both let you authenticate as another user without knowing their plaintext password. But they work on completely different protocols, hit different defenses, and fail in different ways. This guide covers how each attack actually works under the hood, when to reach for one vs the other, how defenders detect them, and how red teamers stay ahead of detection. ...

July 10, 2026 · 9 min · Red Team Guide

Kerberoasting Attack: How It Works and How to Exploit It

Kerberoasting is one of the most reliable privilege escalation techniques in Active Directory environments. It’s quiet, requires no special privileges to execute, and often yields domain admin within hours — because organizations routinely set weak passwords on service accounts and never rotate them. This guide covers everything: how Kerberos works, why the attack is possible, what you need to execute it, and how defenders detect it. What Is Kerberoasting? Kerberoasting targets service accounts in Active Directory that have a Service Principal Name (SPN) set. Any authenticated domain user can request a Kerberos Ticket Granting Service (TGS) ticket for any SPN — and those tickets are encrypted with the service account’s NTLM hash. ...

July 3, 2026 · 8 min · Red Team Guide