Rubeus MCP Server

by schwarztim

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| RUBEUS_DC | No | Default domain controller | |
| RUBEUS_PATH | No | Path to Rubeus.exe (Windows) | Rubeus.exe |
| IMPACKET_PATH | No | Path to impacket scripts, default is system PATH | |
| RUBEUS_DOMAIN | No | Default AD domain | |
| RUBEUS_TIMEOUT | No | Command timeout (ms) | 300000 |
| RUBEUS_OUTPUT_DIR | No | Directory for output files | $TMPDIR/rubeus-mcp |
| RUBEUS_USE_IMPACKET | No | Force impacket mode, auto-detected by default | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | {} |

Tools

Functions exposed to the LLM to take actions

rubeus_asktgt

Request a Ticket Granting Ticket (TGT) using user credentials.

Supports multiple authentication methods:

  • Password-based (cleartext or encrypted)

  • Hash-based (RC4/NTLM, AES128, AES256, DES)

  • Certificate-based (PKINIT)

The TGT can be saved to a file, applied to the current session (PTT), or returned as base64.

Example use cases:

  • Obtain TGT for lateral movement

  • Test credential validity

  • Support subsequent ticket operations

rubeus_asktgs

Request Service Tickets (TGS) for specified Service Principal Names (SPNs).

Requires a valid TGT (provided as ticket parameter or from current session). Can request tickets for multiple SPNs in one operation.

Use cases:

  • Access specific services after obtaining TGT

  • Kerberoasting alternative (request specific SPN tickets)

  • S4U2Self/S4U2Proxy prerequisite

rubeus_renew

Renew an existing TGT to extend its validity period.

Can optionally auto-renew continuously until the renewable lifetime expires. Useful for maintaining persistent access without re-authentication.

rubeus_kerberoast

Perform a Kerberoasting attack to extract service account password hashes.

Requests TGS tickets for accounts with SPNs. The tickets are encrypted with the service account's password hash, so they can be cracked offline.

Features:

  • Target specific users or all SPN accounts

  • AES vs RC4 OPSEC considerations

  • Statistics mode for reconnaissance

  • LDAP filtering for targeted attacks

  • Password age filtering

Output format compatible with hashcat (mode 13100/19700) or John.

rubeus_asreproast

Perform AS-REP Roasting against accounts that don't require pre-authentication.

Targets accounts with "Do not require Kerberos preauthentication" enabled. The AS-REP response contains data encrypted with the user's password hash.

Features:

  • Target specific users or enumerate vulnerable accounts

  • Output in hashcat or John format

  • OU-based targeting

Output format: hashcat mode 18200 or John (jumbo).

rubeus_tgtdeleg

Extract a usable TGT for the current user without elevation.

Uses Kerberos GSS-API to abuse the delegation mechanism and retrieve the current user's TGT. This is the "tgt::deleg" technique from Kekeo.

No admin/elevation required - works with standard user permissions. The extracted TGT can be used for pass-the-ticket attacks.

rubeus_dump

Dump all Kerberos tickets from memory (current or all sessions).

Extracts tickets from the current logon session or, with elevation, from all logon sessions on the system.

Tickets are output as base64-encoded kirbi format.

rubeus_harvest

Continuously monitor for and harvest new TGTs.

Runs in a loop, extracting new TGTs as they appear and optionally auto-renewing them to maintain access.

Useful for capturing tickets from other users logging in.

rubeus_monitor

Monitor for new TGTs without harvesting/renewal.

Watches for new TGT events and displays them as they occur. Lighter weight than harvest - just observation.

rubeus_triage

Display a quick summary of all tickets in current/all sessions.

Shows ticket information without full extraction - useful for reconnaissance of what tickets are available.

rubeus_klist

List detailed information about Kerberos tickets.

Similar to the native klist command but with more detail and filtering options.

rubeus_ptt

Pass-the-ticket: Apply a Kerberos ticket to the current logon session.

Imports a ticket (from base64 or .kirbi file) into the current session, enabling access to resources as the ticket's principal.

rubeus_purge

Purge Kerberos tickets from a logon session.

Removes all tickets from the current session, or with elevation, from a specific LUID.

rubeus_describe

Parse and display detailed information about a Kerberos ticket.

Can decrypt ticket contents if the appropriate key is provided. Useful for analyzing captured tickets.

rubeus_tgssub

Substitute the service name in a service ticket.

Replaces the SPN in an existing TGS with a different service name. Useful when you have a ticket for one service but need access to another on the same server (requires same service account).

rubeus_s4u

Perform S4U (Service for User) constrained/unconstrained delegation abuse.

Implements:

  • S4U2Self: Obtain service ticket to yourself on behalf of another user

  • S4U2Proxy: Use constrained delegation to obtain ticket to target service

This is a powerful technique for privilege escalation when you control an account with delegation rights.

Supports:

  • User-based authentication (password/hash)

  • Ticket-based authentication

  • Bronze Bit exploitation (CVE-2020-17049)

  • OPSEC-safe options

rubeus_golden

Forge a Golden Ticket (forged TGT with krbtgt hash).

Creates a TGT that grants domain-wide access. Requires:

  • Domain SID

  • krbtgt account hash (RC4 or AES)

  • Target username and domain

The golden ticket bypasses normal authentication and can be used for persistent domain access.

rubeus_silver

Forge a Silver Ticket (forged TGS with service account hash).

Creates a service ticket for a specific service. Requires:

  • Service account hash

  • Service SPN

  • Domain information

Silver tickets grant access to a specific service without touching the DC.

rubeus_diamond

Forge a Diamond Ticket (modified legitimate TGT).

Requests a legitimate TGT and then modifies it with new PAC data. More stealthy than golden tickets as it starts with a real ticket.

Requires krbtgt key for re-signing.

rubeus_hash

Calculate Kerberos password hashes from plaintext.

Computes the various Kerberos encryption keys from a password:

  • RC4_HMAC (NTLM)

  • AES128_CTS_HMAC_SHA1

  • AES256_CTS_HMAC_SHA1

  • DES_CBC_MD5

These hashes can be used for ticket requests and other operations.

rubeus_changepw

Change/reset a user's password using a TGT.

Uses the Kerberos Set Password protocol (Aorato technique) to change a user's password with just their TGT.

Can target other users with appropriate permissions.

rubeus_createnetonly

Create a new process with network credentials (logon type 9).

Creates a process that uses different credentials for network authentication. Useful for applying tickets to a separate process.

The process can be hidden or visible.

rubeus_currentluid

Display the current user's Logon Unique ID (LUID).

Returns the LUID of the current logon session, which is needed for various ticket operations.

rubeus_logonsession

Display information about logon sessions.

Shows detailed information about the current or specified logon session.

rubeus_asrep2kirbi

Convert an AS-REP response to kirbi ticket format.

Takes a raw AS-REP response and converts it to a usable kirbi ticket using the provided key.

rubeus_kirbi

Modify a kirbi ticket's session key.

Changes the session key in an existing kirbi ticket. Useful for advanced ticket manipulation.

rubeus_check_environment

Check the current environment and available tools.

Detects whether running on Windows (native Rubeus) or Linux/macOS (impacket mode). Lists available tools and configuration.

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources
