On the last step of Kerberos, the client sends the target server a ticket and an authenticator. One of the authenticator's parts is a timestamp. The timestamp is said to prevent replay attacks, as the server can verify a message is fresh, and that it has only been sent once (using a cache). This is all clear. What I don't get is the purpose of a replay attack in the first place. Sure, without the timestamp, the attacker can re-transmit legitimate authentication messages. But without having the session key, there's no way to further communicate with the server anyway, is there?
So, assuming replay attacks are possible and an attacker can fool the server into thinking it is some legitimate user, how can the attacker operate within the created session, given that it never got hold of the session key?
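The AP exchange described in the question, as an added example that is not part of the original post: a ticket sealed under the server's key carrying the session key, an authenticator sealed under that session key carrying a client timestamp, and a server that enforces the clock-skew window and a replay cache. The "encryption" here is a toy HMAC-based encrypt-then-MAC stand-in for the real Kerberos encryption types, the KDC is collapsed into one function, and subkeys and sequence numbers are left out; the 300-second skew, the field names (`ctime`, `cusec`, `endtime`) and the `AppServer` class are assumptions of this example, not anything taken from a real implementation.

```python
import hashlib
import hmac
import json
import os

MAX_CLOCK_SKEW = 300  # seconds; assumed 5-minute window, as commonly configured


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy keystream for the stand-in cipher below."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy encrypt-then-MAC (not a real Kerberos enctype): nonce || ct || tag."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag under `key`, then decrypt; ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def kdc_issue(server_key: bytes, client: str, session_key: bytes, now: int) -> bytes:
    """KDC side collapsed into one step: a service ticket only the server can open."""
    return seal(server_key, {"client": client, "session_key": session_key.hex(),
                             "endtime": now + 8 * 3600})


def build_ap_req(ticket: bytes, session_key: bytes, client: str, ctime: int, cusec: int) -> dict:
    """Client side of AP_REQ: the ticket plus an authenticator under the session key."""
    return {"ticket": ticket,
            "authenticator": seal(session_key, {"client": client, "ctime": ctime, "cusec": cusec})}


def ap_rep(session_key: bytes, ctime: int, cusec: int) -> bytes:
    """Mutual-auth reply: the server echoes the client's timestamp under the session key."""
    return seal(session_key, {"ctime": ctime, "cusec": cusec})


class AppServer:
    def __init__(self, server_key: bytes):
        self.key = server_key
        self.replay_cache = set()  # (client, ctime, cusec) seen inside the skew window

    def accept(self, ap_req: dict, now: int):
        """Returns (verdict, session_key); verdict is 'ok' or the rejection reason."""
        try:
            ticket = unseal(self.key, ap_req["ticket"])
            session_key = bytes.fromhex(ticket["session_key"])
            auth = unseal(session_key, ap_req["authenticator"])
        except ValueError:
            return "bad-integrity", None  # forged ticket or authenticator
        if auth["client"] != ticket["client"]:
            return "client-mismatch", None
        if now > ticket["endtime"]:
            return "ticket-expired", None
        if abs(now - auth["ctime"]) > MAX_CLOCK_SKEW:
            return "clock-skew", None  # too old (or too far ahead) to be fresh
        entry = (auth["client"], auth["ctime"], auth["cusec"])
        if entry in self.replay_cache:
            return "replay", None  # identical authenticator already honoured
        self.replay_cache.add(entry)
        # Entries older than the skew window can never pass again, so drop them.
        self.replay_cache = {e for e in self.replay_cache if now - e[1] <= MAX_CLOCK_SKEW}
        return "ok", session_key


def demo() -> dict:
    """Legitimate AP_REQ, then the same bytes replayed, stale, and forged (constructed data)."""
    server_key, session_key, t0 = os.urandom(32), os.urandom(32), 1_700_000_000
    ticket = kdc_issue(server_key, "alice", session_key, t0)
    server = AppServer(server_key)
    req = build_ap_req(ticket, session_key, "alice", t0, 1234)
    first, sk = server.accept(req, t0 + 2)                    # real client, fresh
    replay, _ = server.accept(req, t0 + 10)                   # same bytes resent
    stale, _ = server.accept(req, t0 + 3600)                  # resent an hour later
    forged, _ = server.accept(build_ap_req(ticket, os.urandom(32), "alice", t0 + 10, 1), t0 + 10)
    try:  # an attacker holding only the captured bytes cannot open the AP_REP
        unseal(os.urandom(32), ap_rep(sk, t0, 1234))
        attacker_reads_ap_rep = True
    except ValueError:
        attacker_reads_ap_rep = False
    return {"first": first, "replay": replay, "stale": stale, "forged": forged,
            "attacker_reads_ap_rep": attacker_reads_ap_rep}


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the skew test runs before the cache lookup, so the cache only ever needs to hold entries from the last few minutes, which is what lets it be pruned in `accept` without reopening a window for old authenticators.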