Skip to main content
Every Titanis command that authenticates over the network accepts a uniform set of authentication parameters. Titanis builds security contexts for both NTLM and Kerberos based on what you provide. If both are available it wraps them in an SPNEGO context; if only one is available it uses that directly (unless the protocol requires SPNEGO, as SMB2 does).
Titanis uses only the information on the command line and certain environment variables for authentication. It does not read your current session, OS credential store, or logged-on user identity.

Quick reference

If you have…ParametersProtocolsNotes
Nothing-AnonymousNTLMUse with -vv to discover the domain and computer name of a server.
User name + password-UserName <user> -Password <pass>NTLMDomain is inferred from the NTLM challenge. Escape shell special characters.
User name + password (with domain)-UserName <domain>\<user> or -UserName <user>@<domain> or -UserName <user> -UserDomain <domain>NTLM, KerberosDomain may be NetBIOS or FQDN.
User name + NTLM hash (no domain)-UserName <user> -NtlmHash <hex>NTLMHash only — no colons.
User name + NTLM hash (with domain)-UserName <domain>\<user> -NtlmHash <hex>NTLM, Kerberos (RC4-HMAC)
User name + AES 128 key-UserName <user>@<domain> -AesKey <hex>Kerberos (AES128)Key length distinguishes AES128 from AES256.
User name + AES 256 key-UserName <user>@<domain> -AesKey <hex>Kerberos (AES256)
TGT file + KDC-Tgt <file> -Kdc <endpoint>KerberosTitanis requests missing service tickets automatically.
Ticket cache + KDC-TicketCache <file> -Kdc <endpoint>KerberosNew tickets are added to the cache and reused.
Service ticket file-Ticket <file>KerberosThe SPN of the ticket must match what the command requires.
Ticket cache (service tickets)-TicketCache <file>Kerberos
Certificate (.pfx)-UserCert <.pfx> -UserKeyPassword <pass>Kerberos (PKINIT)-UserKeyPassword only required if the file is encrypted.
Certificate (.pem with key)-UserCert <.pem> -UserKeyPassword <pass>Kerberos (PKINIT)
Certificate (.pem) + separate key-UserCert <.pem> -UserKey <.key> -UserKeyPassword <pass>Kerberos (PKINIT)

Anonymous authentication

Pass -Anonymous to authenticate without credentials. Combined with -vv this is useful for enumerating the domain name and computer name that a server reports during the NTLM handshake. 
Smb2Client ls \\TARGET -Anonymous -vv

Password authentication

Smb2Client ls \\LUMON-FS1\C$ -UserName milchick -Password Br3@kr00m!
Include the domain to enable Kerberos in addition to NTLM: 
Smb2Client ls \\LUMON-FS1\C$ -UserName [email protected] -Password Br3@kr00m! -Kdc 10.66.0.11

Pass-the-hash

Provide the NT hash as a hex string (no colons): 
Smb2Client ls \\LUMON-FS1\C$ -UserName milchick -NtlmHash aad3b435b51404eeaad3b435b51404ee

AES key authentication

AES128 and AES256 are distinguished automatically by key length: 
Kerb asreq [email protected] -Kdc 10.66.0.11 -AesKey <32-byte hex key> -OutputFileName milchick.kirbi

Ticket-based authentication

Titanis accepts both .kirbi and .ccache formats for all ticket file parameters — no conversion required.
Provide a TGT file and a KDC address. Titanis requests any required service tickets automatically.
Smb2Client ls \\LUMON-FS1\C$ -Tgt milchick-tgt.kirbi -Kdc 10.66.0.11
Provide a file containing the exact service ticket the command needs. The SPN of the ticket must match what the command requires. This file is never modified.
Smb2Client ls \\LUMON-FS1\C$ -Ticket milchick-cifs.kirbi
A managed ticket cache that Titanis both reads from and writes to. Requested tickets are added to the file and reused in subsequent commands. If the file does not exist, it is created. The format (kirbi or ccache) is detected from the existing file content regardless of extension; for new files the extension determines the format.Set the KRB5CCNAME environment variable to have all commands use the same cache automatically.
export KRB5CCNAME=milchick.ccache
Smb2Client ls \\LUMON-FS1\C$ -UserName [email protected] -Password Br3@kr00m! -Kdc 10.66.0.11
If the cache contains tickets for multiple users, pass -UserName to filter which tickets are used.
Address of the Key Distribution Center. Required when Titanis needs to contact a KDC to request tickets. For inter-realm referrals, Titanis resolves the next realm’s KDC via DNS automatically.
  • Ticket files specified with -Tgt or -Ticket are never modified.
  • A single file may contain both a TGT and service tickets; you can specify the same file for both -Tgt and -Ticket.
  • Titanis skips tickets that are outside their validity period.
  • If you specify a ticket file without a user name or realm, Titanis uses the first usable ticket it finds.

Certificate-based authentication (PKINIT)

Use a certificate to perform Kerberos PKINIT pre-authentication. Titanis accepts .pfx and .pem formats. 
Kerb asreq [email protected] -Kdc 10.66.0.11 \
  -UserCert milchick.pfx -UserKeyPassword s3cr3t \
  -OutputFileName milchick.kirbi
-UserKeyPassword is only required when the certificate file is encrypted.

Other parameters

ParameterDescription
-Workstation <name>Name reported as your workstation during authentication. Windows evaluates logon restrictions against this name and includes it in event log records.
-NtlmVersion <m.n.b.r>Version number to send in NTLM messages.
-UserDomain <domain>Domain to use when -UserName does not include one.

Service for User (S4U)

Titanis integrates S4U2self and S4U2proxy, letting a service account obtain a service ticket for — and impersonate — a user account without requiring that user’s credentials.

S4U parameters

ParameterDescriptionNotes
-S4UserName <user>Name of the user to impersonateIf no domain is included, the service account’s domain is assumed.
-S4UserCert <cert file>X.509 certificate identifying the user to impersonate
-S4ProxyService <service>Service account to proxy throughMay be <class>/<host> or just the account name. Presence of this parameter triggers S4U2proxy.
Specify either -S4UserName or -S4UserCert (or both — they must agree). The credentials you provide with -UserName, -Password, etc. are for the service account, not the user to impersonate.

S4U2self sequence

1

Request TGT for the service account

Titanis requests a TGT for -UserName using the credential you specified (-Password, -NtlmHash, or -AesKey).
2

Request a service ticket for the command

The TGT is used to request a service ticket to the service the command requires.
3

Obtain an impersonation ticket via S4U2self

S4U2self is used to request a ticket for the user specified by -S4UserName or -S4UserCert to the service required by the command.

S4U2proxy sequence

1

Request TGT for the service account

Titanis requests a TGT for -UserName using the specified credential.
2

Request a service ticket to the proxy service

The TGT is used to request a service ticket to the service specified by -S4ProxyService.
3

Obtain an S4U2self ticket to the proxy service

S4U2self is used to request a ticket for the user specified by -S4User* to -S4ProxyService.
4

Obtain the final ticket via S4U2proxy

S4U2proxy is used to request a ticket for the user specified by -S4User* to the service required by the command.
At each step, Titanis checks the ticket files in -Tgt, -Ticket, and -TicketCache first. If the desired ticket is already present, it is used and the KDC is not contacted for that step.

S4U2proxy example

You have credentials for service account allentown@LUMON and want to access a file share as user milchick: 
Smb2Client ls \\LUMON-FS1\C$ \
  -UserName allentown@LUMON -Password password -Kdc 10.66.0.11 \
  -S4UserName milchick -S4ProxyService host/allentown
This command:
  1. Requests a TGT for allentown (or retrieves one from the cache).
  2. Uses S4U2self to request a ticket for milchick to host/allentown.
  3. Uses S4U2proxy to request a ticket for milchick to cifs/LUMON-FS1.
To test any authentication scenario, use Lsa whoami. It prints the name of the user that authenticates to it and accepts all standard authentication parameters.

Build docs developers (and LLMs) love

Get started for freeTalk to us