The Kerb tool provides Kerberos authentication operations: requesting TGTs and service tickets, changing and setting passwords, renewing tickets, generating string-to-key protocol keys, and inspecting or converting ticket files.

Subcommands

Command     Description
asreq       Request a TGT from the KDC
getasinfo   Get server time and encryption types for a user account
tgsreq      Request a service ticket from the KDC
renew       Renew a ticket
select      Select and display tickets from a file
changepw    Change an account password
setpw       Set the password of another account
s2k         Generate a protocol key from a string such as a password
For help on any subcommand, run Kerb <subcommand> -h.
If the KRB5CCNAME environment variable is set, commands that accept -TicketCache will use it automatically when no explicit ticket source is provided.

asreq

Sends an AS-REQ to the KDC to request a ticket-granting ticket (TGT). You must supply credentials — a password, NTLM hash, AES key, or DES key — used for pre-authentication and to decrypt the response. You may also use PKINIT with a certificate and key file. The encryption type of the response depends on which credential you provide. Use -EncTypes to restrict which encryption types the KDC can use. If you don’t specify any ticket options, Kerb asreq uses defaults: a ticket expiring 10 hours from now with the Canonicalize, RenewableOk, Renewable, and Forwardable options. Specifying any option disables these defaults.
Kerb asreq [options] <UserName> <Kdc>
UserName
UserPrincipalName
required
Name of the user (no domain). Use the format user@REALM to include the realm.
Kdc
EndPoint
required
Host name or address of the KDC.
-EncTypes
EType[]
Encryption types to request in the response. Possible values: DesCbcMd5, DesCbcCrc, Rc4Hmac, Rc4HmacExp, Aes128CtsHmacSha1_96, Aes256CtsHmacSha1_96.
-Password
string
Password for pre-authentication.
-NtlmHash (-N)
HexString
NTLM hash (hex-encoded, no colons). Specify only the NTLM portion.
-AesKey
HexString
AES-128 or AES-256 key (hex-encoded).
-DesKey
HexString
DES key (hex-encoded).
-Realm
string
Name of the realm (domain).
-Workstation (-W)
string
Name of the client workstation.
-Forwardable (-F)
boolean
Request a forwardable ticket.
-Renewable
boolean
Request a renewable ticket.
-RenewTill
DateTime
Request a ticket renewable until this time (implies -Renewable).
-EndTime
DateTime
Requested ticket expiry time.
-Postdate
DateTime
Request a post-dated ticket with this start date.
-RenewableOk
boolean
Accept a renewable ticket if the requested end time exceeds the KDC limit.
-UserCert
string
Path to the user certificate file (for PKINIT).
-UserKey
string
Path to the user key file (for PKINIT).
-UserKeyPassword
string
Password to decrypt the user key file (for PKINIT).
-TicketCache
string
Name of the ticket cache file to write the TGT to.
-Target
SecurityPrincipalName[]
SPNs to request tickets for.
-OutputFileName
string
File to write the ticket to.
-Overwrite
boolean
Overwrite the output file if it exists.
-Append
boolean
Append to the output file if it exists.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-TicketComment
string
Comment to associate with the ticket.
-Verbose (-V)
boolean
Print verbose messages.
-HostAddress (-ha)
string[]
Network address(es) of the server.
-UseTcp4Only (-4)
boolean
Use TCP over IPv4 only.
-UseTcp6Only (-6)
boolean
Use TCP over IPv6 only.
-Socks5 (-S)
host:port
SOCKS5 proxy endpoint.

Examples

# Request a TGT with a password
Kerb asreq -Realm LUMON -Password Br3@kr00m! -OutputFileName milchick-tgt.kirbi -Overwrite -v milchick 10.66.0.11

# Request a TGT using only RC4-HMAC
Kerb asreq -Realm LUMON -Password Br3@kr00m! -EncTypes Rc4Hmac -OutputFileName milchick-tgt.kirbi -Overwrite -v milchick 10.66.0.11

# Request a TGT with an AES-256 key
Kerb asreq -Realm LUMON -AesKey 76332deee4296dcb20200888630755268e605c8576e50ff38db2d8b92351f4e4 -OutputFileName milchick-tgt.kirbi -Overwrite -v milchick 10.66.0.11

# Request a TGT with an NTLM hash
Kerb asreq -NtlmHash B406A01772D0AD225D7B1C67DD81496F -Realm LUMON -OutputFileName milchick-tgt.kirbi -Overwrite -v milchick 10.66.0.11

getasinfo

Sends an AS-REQ without credentials and inspects the KDC error response. Typically the KDC responds with KDC_ERR_PREAUTH_REQUIRED and includes its current time and the valid encryption types and salts for the account. Use this command to:
  • Verify that a user name exists in a domain
  • Determine which encryption types an account supports
  • Retrieve the correct salt before generating an AES key with Kerb s2k
  • Check whether an account requires pre-authentication (accounts that do not are exposed to AS-REP roasting)
If the account does not require pre-authentication, the KDC returns a TGT directly. In that case, use Kerb asreq to capture and analyze the ticket.
Kerb getasinfo [options] <UserName> <Kdc>
UserName
UserPrincipalName
required
Name of the user. Use user@REALM to specify the realm.
Kdc
string
required
Host name or address of the KDC.
-Realm (-R)
string
Name of the realm (domain).
-OutputFields
string[]
Fields to display. Possible values: EType, SaltText, SaltHex.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-HostAddress (-ha)
string[]
Network address(es) of the server.
-Socks5 (-S)
host:port
SOCKS5 proxy endpoint.

Examples

# Get encryption types and salt for a user
Kerb getasinfo milchick@LUMON 10.66.0.11

tgsreq

Sends a TGS-REQ to the KDC to request a service ticket. You may specify the target as a service principal name (<class>/<instance>) or as the account name itself (the $ is optional for machine accounts — LUMON-FS1, LUMON-FS1$, and host/LUMON-FS1 all work). Service tickets retrieved with RC4-HMAC encryption produce Kerberoastable hashes. Use -OutputFields TgsrepHashcatMethod, TicketHash to extract the hash for offline cracking.
Kerb tgsreq [options] <Kdc> <Target>
Kdc
EndPoint
required
Host name or address of the KDC.
Target
SecurityPrincipalName[]
required
SPN(s) to request tickets for. Accepts multiple values.
-Tgt
string
Path to a TGT file (.kirbi or ccache).
-TicketCache
string
Ticket cache file to use as the TGT source.
-EncTypes
EType[]
Encryption types to request. Possible values: Rc4Hmac, Aes128CtsHmacSha1_96, Aes256CtsHmacSha1_96, and others.
-S4UserName
UserPrincipalName
User to impersonate with S4U2self.
-S4ProxyService
SecurityPrincipalName
Service account to proxy through with S4U2proxy.
-U2uTicket
string
Path to a U2U ticket file.
-AsrepKey
HexString
Encryption key from the AS-REP, used to decrypt the NTLM hash from authorization data.
-ServicePassword
string
Password for the service account (for decrypting authorization data).
-ServiceSalt
string
Salt for the service account (for decrypting authorization data).
-Forwardable
boolean
Request a forwardable ticket.
-Forwarded
boolean
Request a forwarded ticket.
-Renewable
boolean
Request a renewable ticket.
-EndTime
DateTime
Requested ticket expiry time.
-Realm
string
Realm of the KDC.
-OutputFileName
string
File to write the ticket to.
-Overwrite
boolean
Overwrite the output file if it exists.
-Append
boolean
Append to the output file if it exists.
-OutputFields
string[]
Fields to display. Include TgsrepHashcatMethod and TicketHash to extract Kerberoastable hashes.
-TicketComment
string
Comment to associate with the ticket.
-Socks5
host:port
SOCKS5 proxy endpoint.

Examples

# Request a CIFS ticket for a file server
Kerb tgsreq -Tgt milchick-tgt.kirbi -OutputFileName milchick-LUMON-FS1.kirbi 10.66.0.11 cifs/LUMON-FS1

# Request tickets for both CIFS and HOST
Kerb tgsreq -Tgt milchick-tgt.kirbi -OutputFileName milchick-LUMON-FS1.kirbi 10.66.0.11 cifs/LUMON-FS1 HOST/LUMON-FS1

# Kerberoasting: request RC4-HMAC ticket to get a crackable hash
Kerb tgsreq -Tgt milchick-tgt.kirbi -EncTypes Rc4Hmac 10.66.0.11 svc_backup -OutputFields TgsrepHashcatMethod,TicketHash

# Request a U2U ticket and extract the NTLM hash
Kerb tgsreq -Tgt allentown-tgt.kirbi -U2uTicket allentown-tgt.kirbi -AsrepKey 82d4ab5873cbfda126e00c28edb5bd97b6451aa06a291d85173e6fc4ed4aacee -OutputFileName allentown-u2u.kirbi -Overwrite -v 10.66.0.11 host/allentown
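
The two conditions described above (a TGT issued without pre-authentication, and RC4-HMAC service tickets for user-account services) both leave records on the domain controller. The following is an added example, not part of Kerb or its documentation: detection logic over Windows Security events 4768 and 4769. The sample records, the account names svc_legacy, svc_sql and svc_web, and the burst threshold are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, as logged in TicketEncryptionType

# Constructed sample records (not real logs), using field names from
# Windows Security events 4768 (TGT issued) and 4769 (service ticket issued).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "milchick", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.66.0.50"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.66.0.50"},
    {"EventID": 4769, "TargetUserName": "milchick@LUMON.IND", "ServiceName": "LUMON-FS1$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.66.0.50"},
    {"EventID": 4769, "TargetUserName": "milchick@LUMON.IND", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.66.0.50"},
    {"EventID": 4769, "TargetUserName": "milchick@LUMON.IND", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.66.0.50"},
    {"EventID": 4769, "TargetUserName": "milchick@LUMON.IND", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.66.0.50"},
]

def find_roasting_indicators(events, burst_threshold=3):
    """Return (rule, subject, detail) tuples for the two ticket patterns above."""
    findings = []
    rc4_services = defaultdict(set)  # (client, source IP) -> user-account services
    for ev in events:
        if ev.get("Status", "0x0").lower() != "0x0":
            continue  # only successfully issued tickets carry crackable material
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
            # TGT issued with no pre-authentication: the account has
            # "Do not require Kerberos preauthentication" set.
            findings.append(("tgt_without_preauth", ev["TargetUserName"], ev["IpAddress"]))
        elif ev["EventID"] == 4769 and etype == RC4_HMAC:
            svc = ev["ServiceName"]
            if svc.endswith("$") or svc.lower() == "krbtgt":
                continue  # machine accounts and krbtgt use long random keys
            findings.append(("rc4_service_ticket", svc, ev["TargetUserName"]))
            rc4_services[(ev["TargetUserName"], ev["IpAddress"])].add(svc)
    for (client, ip), services in sorted(rc4_services.items()):
        if len(services) >= burst_threshold:
            findings.append(("rc4_ticket_burst", client, sorted(services)))
    return findings

if __name__ == "__main__":
    for finding in find_roasting_indicators(SAMPLE_EVENTS):
        print(finding)
```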

renew

Sends a renewal request to the TGS for the specified ticket. The ticket must have been issued as renewable. You may supply the source ticket via -Ticket (a file) or -TicketCache. When using -TicketCache, you must specify -TargetSpn to identify which ticket to renew. When using -Ticket, -TargetSpn is optional and filters which tickets to renew.
Kerb renew [options] <Kdc> [<TargetSpn>]
Kdc
EndPoint
required
Host name or address of the KDC.
TargetSpn
SecurityPrincipalName[]
SPNs to renew tickets for. Optional when using -Ticket; required when using -TicketCache.
-Ticket
string
Path to a ticket file (.kirbi or ccache).
-TicketCache
string
Ticket cache file.
-EndTime (-E)
DateTime
New expiry time for the renewed ticket.
-Forwardable (-F)
boolean
Request a forwardable ticket.
-Renewable
boolean
Request a renewable ticket.
-RenewTill
DateTime
Request a ticket renewable until this time.
-OutputFileName
string
File to write the renewed ticket to.
-Overwrite
boolean
Overwrite the output file if it exists.
-Append (-A)
boolean
Append to the output file if it exists.
-Socks5 (-S)
host:port
SOCKS5 proxy endpoint.

Examples

# Renew all tickets in a file
Kerb renew -Ticket milchick-lumon-fs1.kirbi -OutputFileName milchick-lumon-fs1.kirbi -Overwrite 10.66.0.11

# Renew specific tickets from a cache
Kerb renew -TicketCache milchick.ccache 10.66.0.11 -TargetSpn host/lumon-fs1 cifs/lumon-fs1

select

Reads tickets from one or more .kirbi or .ccache files, optionally filters them, and optionally writes the results to a new file. Use this command to inspect, convert, combine, or filter ticket files. If the KRB5CCNAME environment variable is set and you don’t specify -From, Kerb select reads from the ticket cache it points to. Specifying -From explicitly bypasses KRB5CCNAME.
Kerb select [options] [<From>]
From
string[]
File names or glob patterns to read tickets from. Accepts multiple values and wildcards.
-TicketCache
string
Ticket cache file. Ignored if -From is specified.
-Into
string
Target file to write selected tickets to.
-Overwrite
boolean
Overwrite the target file if it exists.
-PrintAuthData (-P)
boolean
Print ticket authorization data (if decrypted).
-OutputFields
string[]
Fields to display. Available: SourceFileName, SeqNbr, Comment, ClientName, ClientRealm, TicketRealm, TargetSpn, ServiceClass, ServiceInstance, ServiceRealm, KdcOptions, EndTime, StartTime, RenewTill, AsrepKeyText, TicketKeyText, SessionEType, SessionKeyText, TicketEType, TgsrepHashcatMethod, TicketHash, IsCurrent, SecurityGroups, NtlmHashText.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-Current
boolean
Select only currently-valid tickets.
-MatchingSpn
string[]
Regex patterns to match ticket SPNs.
-MatchingClientName
string[]
Regex patterns to match the client name.
-MatchingTicketEType
EType[]
Filter for ticket encryption type.
-MatchingSessionEType
EType[]
Filter for session key encryption type.
-SeqNbr
NumberOrRange[]
Sequence number or range (e.g. 1, 3-5, 7-*).
-InvertMatch
boolean
Invert the filter — select tickets that don’t match.
-TicketKey
HexString[]
Key to decrypt the ticket.
-ServicePassword
string[]
Password for the service account.
-ServiceSalt
string[]
Salt for the service account.

Examples

# Print all tickets matching a glob pattern
Kerb select -From milchick*.kirbi

# Combine multiple ticket files into one
Kerb select -From milchick*.kirbi -Into all-milchick.kirbi

# Show only currently valid tickets
Kerb select -From milchick*.kirbi -Current

# Show only TGTs
Kerb select -From milchick*.kirbi -MatchingSpn 'krbtgt/.*'

# Show only CIFS tickets
Kerb select -From milchick*.kirbi -MatchingSpn 'cifs/.*'

# Show tickets targeting a specific host
Kerb select -From milchick*.kirbi -MatchingSpn '.*/LUMON-FS1'

# Show tickets by sequence number
Kerb select -From milchick*.kirbi -SeqNbr 1,3-5,7-*

changepw

Changes the password of the authenticating user using the Kerberos Change Password protocol. This command can only change the password of the account being used to authenticate — not another account’s password. To set another account’s password, use setpw. This protocol requires an initial ticket from an AS-REQ/AS-REP exchange, so credentials are required and a pre-existing ticket cannot be passed as input.
Kerb changepw [options] <UserName> <Kdc> <NewPassword>
UserName
UserPrincipalName
required
Name of the user (use user@REALM format).
Kdc
EndPoint
required
Host name or address of the KDC.
NewPassword
string
required
New password to set.
-Password (-P)
string
Current password.
-NtlmHash
HexString
NTLM hash (hex-encoded, no colons).
-AesKey (-A)
HexString
AES-128 or AES-256 key.
-Realm (-R)
string
Name of the realm (domain).
-Workstation (-W)
string
Client workstation name.
-Socks5 (-S)
host:port
SOCKS5 proxy endpoint.

Examples

# Change your own password
Kerb changepw milchick@LUMON 10.66.0.11 -Password EradicateFolly! Br3@kr00m!

setpw

Sets the password of a user account using the Windows 2000 Kerberos Change Password protocol (RFC 3244). Unlike changepw, this command can set the password of a different account and does not require an initial ticket.
Kerb setpw [options] <TargetAccount> <NewPassword>
TargetAccount
UserPrincipalName
required
Account whose password you want to set (e.g. [email protected]).
NewPassword
string
required
New password to set.
-UserName (-u)
UserPrincipalName
User name to authenticate with.
-Password (-p)
string
Password to authenticate with.
-NtlmHash
hexadecimal hash
NTLM hash for NTLM authentication.
-Kdc (-K)
host:port
KDC endpoint.
-Tgt
string
Path to a TGT file (.kirbi or ccache).
-TicketCache
string
Ticket cache file.
-AesKey
HexString
AES key (128 or 256).
-Socks5
host:port
SOCKS5 proxy endpoint.
-HostAddress (-ha)
string[]
Network address(es) of the server.

Examples

# Set your own password using setpw
Kerb setpw -UserName milchick@LUMON -Kdc 10.66.0.11 -Password Br3@kr00m! [email protected] EradicateFolly!

# Set another user's password
Kerb setpw -UserName milchick@LUMON -Kdc 10.66.0.11 -Password Br3@kr00m! [email protected] SafelySituated

s2k

Generates Kerberos protocol keys from a string (such as a password) using the string-to-key function defined for each encryption type. For Windows domains, the salt for a user account is the FQDN of the domain in uppercase followed by the account name, computed at the time of the last password change. If the account has been renamed, the salt retains the old name until the password changes again. Use Kerb getasinfo to retrieve the correct salt for an account.
Using the wrong salt has the same effect as using the wrong password. In an Active Directory environment, this can trigger account lockout.
Kerb s2k [options] <Password> [<Salt>] [<EncType>]
Password
string
required
The string to derive keys from (e.g. a password).
Salt (-S)
string
Salt as a string. For Windows users, typically the domain FQDN concatenated with the account name.
EncType (-E)
EType[]
Encryption types to generate keys for. Possible values: Rc4Hmac, Aes128CtsHmacSha1_96, Aes256CtsHmacSha1_96, and others. Defaults to all supported types.
-OutputFields
string[]
Fields to display. Possible values: EType, KeyText.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.

Examples

# Generate all keys for a user in the LUMON.IND domain
Kerb s2k LUMON.INDmilchick Br3@kr00m!

# Generate only AES keys
Kerb s2k LUMON.INDmilchick Br3@kr00m! -EncTypes Aes128CtsHmacSha1_96,Aes256CtsHmacSha1_96

# Generate keys for a computer account
Kerb s2k LUMON.INDhostallentown.lumon.ind password
The domain name in the salt must be the FQDN (e.g. LUMON.IND), not the shorter NetBIOS name.
