Offline ticket cracking is the process of extracting encrypted Kerberos ticket material and testing password guesses outside the target environment. Because the guessing happens away from the live service, defenders may see little interactive activity before credentials are recovered.
Expanded Definition
Offline ticket cracking refers to extracting Kerberos ticket material and testing password guesses outside the live authentication path. In NHI security, the key distinction is that the attacker is no longer constrained by interactive rate limits, lockouts, or step-up checks once the ticket has been captured. Definitions vary across vendors on whether the phrase only applies to Kerberos TGT or also includes service tickets, but the operational meaning is consistent: the credential material is being attacked in an offline context, away from the target environment. That makes it especially relevant where service accounts, delegated identities, or poorly protected secrets can expose reusable ticket material. For background on how NHI exposure compounds attack surface, see the Ultimate Guide to NHIs and the identity assurance expectations in EU Cyber Resilience Act.
The most common misreading is to treat this as a generic password attack; teams then miss that the real issue is the theft of ticket material from a privileged or long-lived identity.
Examples and Use Cases
Rigorous detection and hardening against offline ticket cracking usually means tighter logging, shorter credential lifetimes, and more operational friction, so organisations have to weigh resilience against administrative convenience.
- A service account on a Windows domain is granted broad access, ticket material is captured during host compromise, and guesses are tested offline until the password is recovered.
- An attacker abuses a misconfigured delegation path, extracts a ticket, and avoids live alerts because the cracking happens entirely outside the domain controllers.
- A development environment stores reusable credentials too broadly, and the resulting ticket exposure becomes a stepping stone into production identity trust relationships.
- A red team validates whether monitoring detects ticket extraction patterns before the offline guessing phase begins, using guidance from the Ultimate Guide to NHIs alongside identity control expectations in the EU Cyber Resilience Act.
- A SOC investigates repeated privilege use by an NHI, then discovers the initial compromise was not a failed login but a silently cracked ticket recovered from a compromised endpoint.
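The red-team and SOC cases above both hinge on seeing the extraction phase in the logs, since the guessing phase itself leaves no trace on the domain controllers. The following is an added example, not code from this guidance or from NHI Management Group: two detection heuristics run over constructed records shaped like Windows Security event 4769 (a Kerberos service ticket was requested). The field names, the five-minute window and the fan-out threshold of four SPNs are assumptions for illustration; the encryption-type values (0x17 for RC4-HMAC, 0x11/0x12 for AES) are the ones Windows writes into that event.

```python
"""Detection heuristics for Kerberos service-ticket requests that precede
offline cracking.

Added example for this glossary entry; not code from the page or from NHI
Management Group. The records below are constructed and mimic the fields of
Windows Security event 4769. Field names, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type values as written into event 4769.
RC4_HMAC = 0x17      # legacy cipher; ticket material is cheap to guess against offline
AES128_CTS = 0x11
AES256_CTS = 0x12

# Constructed sample: one principal requesting many RC4 service tickets within
# seconds, the enumeration pattern that precedes extraction of ticket material.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "event_id": 4769, "user": "svc_backup", "spn": "MSSQLSvc/db01.corp.example:1433", "etype": 0x12},
    {"time": "2024-05-01T10:02:10", "event_id": 4769, "user": "jdoe", "spn": "HTTP/web01.corp.example", "etype": 0x17},
    {"time": "2024-05-01T10:02:11", "event_id": 4769, "user": "jdoe", "spn": "MSSQLSvc/db01.corp.example:1433", "etype": 0x17},
    {"time": "2024-05-01T10:02:11", "event_id": 4769, "user": "jdoe", "spn": "MSSQLSvc/db02.corp.example:1433", "etype": 0x17},
    {"time": "2024-05-01T10:02:12", "event_id": 4769, "user": "jdoe", "spn": "CIFS/file01.corp.example", "etype": 0x17},
    {"time": "2024-05-01T10:02:12", "event_id": 4769, "user": "jdoe", "spn": "LDAP/dc01.corp.example", "etype": 0x17},
    {"time": "2024-05-01T10:30:00", "event_id": 4769, "user": "asmith", "spn": "HTTP/web01.corp.example", "etype": 0x12},
    {"time": "2024-05-01T10:31:00", "event_id": 4768, "user": "asmith", "spn": "krbtgt/CORP.EXAMPLE", "etype": 0x12},
]


def rc4_ticket_requests(events):
    """Return 4769 events where the service ticket was issued with RC4-HMAC.

    Once AES is the domain default, every RC4 service ticket deserves review:
    either a legacy service still allows it, or a requester asked for it.
    """
    return [e for e in events if e["event_id"] == 4769 and e["etype"] == RC4_HMAC]


def spn_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Return {user: distinct_spn_count} for requesters that asked for at least
    `threshold` distinct SPNs inside any `window`-long interval.

    Ordinary clients touch a handful of services over a session; one principal
    walking many SPNs in seconds is the enumeration step worth alerting on.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4769:
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["spn"]))

    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()  # chronological; sliding window starts at each request
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts[user] = len(spns)
                break
    return alerts


if __name__ == "__main__":
    print(len(rc4_ticket_requests(SAMPLE_EVENTS)), "RC4 service tickets")
    print("fan-out alerts:", spn_fanout(SAMPLE_EVENTS))
```

Both heuristics fire before any guessing starts, which is the only point at which the domain still has visibility; tuning the threshold against a baseline of legitimate multi-service clients (backup agents, monitoring) is what keeps the fan-out rule useful.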
Why It Matters in NHI Security
Offline ticket cracking matters because it bypasses many of the controls defenders rely on most, including throttling, MFA prompts, and live-session anomaly detection. In practical terms, the attack exposes how weak passwords, over-privileged service accounts, and stale secrets create a silent recovery path for adversaries. NHI programs are especially exposed when ticket-bearing identities are not inventoried, rotated, or governed as rigorously as human accounts. NHI Management Group research, reported in the Ultimate Guide to NHIs, finds that 71% of NHIs are not rotated within recommended time frames, which widens the window in which ticket theft and offline guessing can succeed. That risk also intersects with broader product-security expectations reflected in the EU Cyber Resilience Act, particularly where embedded identities and software components carry persistent authentication material. Organisationally, the issue often surfaces only after lateral movement or privilege escalation has already occurred, at which point offline ticket cracking must be accounted for when reconstructing the breach path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers weak secret handling and credential exposure that enable offline cracking. |
| NIST CSF 2.0 | PR.AC-1 | Identity access controls must prevent compromised tickets from becoming broad access. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust limits the blast radius when offline-cracked credentials are replayed. |
Reduce ticket exposure, rotate secrets, and harden service-account handling to limit offline attack success.