salzek

Reputation: 1

Why does the golden ticket work without any user password hash?

In step five of Kerberos authentication, the user sends the TGS ticket and data encrypted with the new session key received from the KDC in step 4 to the service they want to connect to. But in the Golden Ticket attack, the user creates their own fake TGT with the krbtgt account password NTLM hash and sends it to the KDC directly, and then the attack succeeds. In step 5, the user needs to know the session key received from the KDC in step 4 to be able to send the TGS. But the session key is encrypted with the user account password. Why does the golden ticket attack succeed without the user account hash, with only the krbtgt account hash?

I'm waiting for a logical reason why the golden ticket works.

Upvotes: 0

Views: 270

Answers (1)

grawity_u1686

Reputation: 16552

The session key that's encrypted with the user's key is not actually part of the ticket; it's delivered as a separate field in AS-REP (and stored separately in the ticket cache as well).

What the ticket contains is a second copy of the session key that's encrypted using the service's key instead of the user's (that's how it gets delivered to the service in the first place). See diagram.

(Note that a KDC is stateless and does not remember the "session" between AS-REP and TGS-REQ. The ticket-granting service behaves like any other kerberized service; it doesn't learn the session key directly from the KDC, but has to receive it encrypted within the ticket.)

So if you know the key for 'krbtgt', you can use it to decrypt the entire 'krbtgt' ticket, including the session key that the KDC would receive. You don't need the copy that's meant for the user at all.

Actually, if you're crafting a fake krbtgt ticket, then you're the one who has to generate and encrypt this session key in the first place, so you already know the unencrypted version anyway.

Upvotes: 0
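The mechanism the answer describes, modelled as an added example (this is not code from the post or from any Kerberos implementation): a stateless KDC that issues a TGT with one copy of the session key sealed under the krbtgt key and a second copy in the AS-REP enc-part sealed under the user's key, and a forged TGT whose session key the forger chose, so the user's key is never needed. Everything here is constructed or assumed: the "encryption" is a toy HMAC-SHA256 keystream plus tag standing in for a Kerberos encryption type, the message fields are simplified stand-ins for the real ASN.1 structures, and the keys are random demo values.

```python
"""Toy model of why a golden ticket needs only the krbtgt key.

Added example, not code from the original page. The cipher below is a
constructed HMAC-SHA256 keystream plus tag, not an RFC 3961 etype, and the
message layouts are simplified stand-ins for the real Kerberos structures.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key?)")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def can_open(key: bytes, blob: bytes) -> bool:
    """True if `key` decrypts `blob`; used to show which key each message needs."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


class KDC:
    """Stateless KDC: anything it needs at TGS time must come back inside the ticket."""

    def __init__(self, principal_keys: dict):
        self.keys = principal_keys  # principal -> long-term key; includes "krbtgt"

    def as_exchange(self, user: str):
        """AS-REQ/AS-REP: returns (TGT, enc-part). Two copies of the session key:
        one inside the TGT under the krbtgt key, one in enc-part under the user's key."""
        session_key = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"cname": user, "key": session_key.hex(),
                                          "authtime": int(time.time())})
        enc_part = seal(self.keys[user], {"key": session_key.hex()})
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> dict:
        """TGS-REQ: the session key is recovered from the TGT itself (no server-side
        state), then used to check the authenticator."""
        tgt_body = unseal(self.keys["krbtgt"], tgt)  # only the krbtgt key is needed
        session_key = bytes.fromhex(tgt_body["key"])
        auth = unseal(session_key, authenticator)
        if auth["cname"] != tgt_body["cname"]:
            raise ValueError("authenticator does not match ticket")
        return {"cname": tgt_body["cname"], "service": service}


def legitimate_client(kdc: KDC, user: str, user_key: bytes, service: str) -> dict:
    """Normal flow: the client needs its own long-term key to read enc-part."""
    tgt, enc_part = kdc.as_exchange(user)
    session_key = bytes.fromhex(unseal(user_key, enc_part)["key"])
    authenticator = seal(session_key, {"cname": user, "ctime": int(time.time())})
    return kdc.tgs_exchange(tgt, authenticator, service)


def forge_golden_ticket(krbtgt_key: bytes, user: str):
    """Golden ticket: the forger picks the session key, so no enc-part and no
    user key are ever involved. Returns (forged TGT, chosen session key)."""
    session_key = os.urandom(32)
    tgt = seal(krbtgt_key, {"cname": user, "key": session_key.hex(),
                            "authtime": int(time.time())})
    return tgt, session_key


def golden_ticket_client(kdc: KDC, krbtgt_key: bytes, user: str, service: str) -> dict:
    """Attacker flow: never touches the impersonated user's key."""
    tgt, session_key = forge_golden_ticket(krbtgt_key, user)
    authenticator = seal(session_key, {"cname": user, "ctime": int(time.time())})
    return kdc.tgs_exchange(tgt, authenticator, service)


# Constructed demo keys for a hypothetical realm (not real credentials).
KEYS = {"krbtgt": os.urandom(32), "alice": os.urandom(32)}
```

Run `golden_ticket_client(KDC(KEYS), KEYS["krbtgt"], "alice", "cifs/fs1")` and the toy TGS accepts the forged ticket for alice even though `KEYS["alice"]` is never read; `can_open` on the AS-REP enc-part shows that the user-keyed copy of the session key is the only thing the forger skipped, and it was never what the TGS relied on.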
