Generates a protocol key from a string, such as a password
For help on a subcommand, use Kerb <subcommand> -h
Kerb asreq
Requests a TGT from the KDC.
Synopsis
Kerb asreq [options] <UserName> <Kdc>
Parameters
Name
Aliases
Value
Description
<UserName>
<UserPrincipalName>
Name of user (no domain)
<Kdc>
<EndPoint>
Host name or address of KDC
Options
Authentication (Kerberos)
Name
Aliases
Value
Description
-EncTypes
<EType[]>
Encryption types to request in response
Possible values:
DesCbcMd5
DesCbcCrc
Rc4Hmac
Rc4HmacExp
Aes128CtsHmacSha1_96
Aes256CtsHmacSha1_96
DsaWithSha1
Md5WithRsa
Sha1WithRsa
Rc2Cbc
Rsa
RsaesOaep
DesEde3Cbc
-TicketCache
<String>
Name of ticket cache file
-W, -Workstation
<String>
Name of client workstation
-Realm
<String>
Name of realm (domain)
-Password
<String>
Password
-N, -NtlmHash
<HexString>
NTLM hash (hex-encoded, no colons)
-AesKey
<HexString>
AES 128 key
-DesKey
<HexString>
DES key
-F, -Forwardable
<SwitchParam>
Requests a forwardable ticket
-Proxiable
<SwitchParam>
Requests a proxiable ticket
-Postdate
<DateTime>
Requests a postdated ticket with the specified start date
-Renewable
<SwitchParam>
Requests a renewable ticket
-RenewTill
<DateTime>
Requests a ticket renewable until the specified time (implies -Renewable)
-EndTime
<DateTime>
End time
-RenewableOk
<SwitchParam>
Accepts a renewable ticket if the end time is over the limit
-UserCert
<String>
Name of file containing user's certificate (for PKINIT)
-UserKey
<String>
Name of file containing user's key (for PKINIT)
-UserKeyPassword
<String>
Password to decrypt file containing user's key (for PKINIT)
Name
Aliases
Value
Description
-Target
<SecurityPrincipalName[]>
SPNs to request ticket(s) for
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
-TicketComment
<String>
Comment to associate with ticket
-S, -Socks5
<host-or-ip:port>
End point of SOCKS 5 server to use
Output
Name
Aliases
Value
Description
-OutputFileName
<String>
Name of file to write ticket to
-Overwrite
<SwitchParam>
Overwrites the output file, if it exists
-Append
<SwitchParam>
Appends to the output file, if it exists
-LogLevel
<LogMessageSeverity>
Sets the lowest level of messages to log
Possible values:
Debug
Diagnostic
Verbose
Info
Warning
Error
Critical
-ConsoleLogFormat
-LogFormat
<LogFormat>
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
This command sends an AS-REQ to the KDC to request a ticket-granting ticket.
The command line must include either a password or a hex-encoded key, which is
used both for preauthentication and to decrypt the response. When
specifying the NTLM hash, specify just the NTLM portion with no colon.
The provided credential determines the encryption type of the response. If you
provide a password then all encryption types supported by Kerb asreq are
presented. To override this, use -EncTypes to specify a list of encryption
types to accept. Note that this only affects the encryption used in the
response and not the preauthentication data.
Dates/times are interpreted as local time unless otherwise specified. If only
a time is supplied, the assumed date is today.
Note that the ticket flags and time parameters affect the request sent to the
KDC. However, the KDC is free to ignore them; specifying an option doesn't
guarantee that the ticket will have the requested option.
If you don't specify any options for the ticket, Kerb asreq uses default
values, requesting a ticket that expires 10 hours from now with the options
Canonicalize, RenewableOk, Renewable, and Forwardable. If any options are
specified, then no default values are applied and only the options specified
are used.
Name of file containing user's certificate (for PKINIT)
-UserKey
<String>
Name of file containing user's key (for PKINIT)
-UserKeyPassword
<String>
Password to decrypt file containing user's key (for PKINIT)
Name
Aliases
Value
Description
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
-S, -Socks5
<host-or-ip:port>
End point of SOCKS 5 server to use
Output
Name
Aliases
Value
Description
-LogLevel
<LogMessageSeverity>
Sets the lowest level of messages to log
Possible values:
Debug
Diagnostic
Verbose
Info
Warning
Error
Critical
-ConsoleLogFormat
-LogFormat
<LogFormat>
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
Kerb changepw uses the Kerberos Change Password protocol and can only be used
to change the password of the authenticating user. To set the password of
another user, use the setpw command.
This protocol requires an initial ticket. That is, it requires a ticket from
an ASREQ/ASREP exchange and not from a TGSREQ/TGSREP exchange. Therefore, this
command requires credentials and does not accept a ticket as a parameter. The
setpw command does not have this restriction and accepts a ticket as a
parameter.
Gets server time and encryption types (with salts) for a user account.
Synopsis
Kerb getasinfo [options] <UserName> <Kdc>
Parameters
Name
Aliases
Value
Description
<UserName>
<UserPrincipalName>
Name of user (no domain)
<Kdc>
<String>
Host name or address of KDC
Options
Authentication (Kerberos)
Name
Aliases
Value
Description
-R, -Realm
<String>
Name of realm (domain)
Name
Aliases
Value
Description
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputFields
<String[]>
Fields to display in output
Possible values:
EType
SaltText
SaltHex
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
-S, -Socks5
<host-or-ip:port>
End point of SOCKS 5 server to use
Output
Name
Aliases
Value
Description
-LogLevel
<LogMessageSeverity>
Sets the lowest level of messages to log
Possible values:
Debug
Diagnostic
Verbose
Info
Warning
Error
Critical
-ConsoleLogFormat
-LogFormat
<LogFormat>
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-D, -Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
This command sends an AS-REQ to the KDC for a user and checks the response.
Typically, the KDC responds with an error indicating that preauthentication is
required, along with its time and the valid encryption types for the specified
account. This command analyzes that error response and prints the information.
If the account does not exist or the realm name is wrong, the KDC returns an
error indicating this and does not provide preauthentication info.
If the user exists but does not require preauthentication, the KDC will instead
reply with a TGT without providing encryption types. In that case, use the
requesttgt command to analyze the ticket.
Examples
Example 1 - Get AS info for milchick
Kerb getasinfo milchick@LUMON 10.66.0.11
Kerb renew
Renews a ticket
Synopsis
Kerb renew [options] <Kdc> [ <TargetSpn> ]
Parameters
Name
Aliases
Value
Description
<Kdc>
<EndPoint>
Host name or address of KDC
<TargetSpn>
<SecurityPrincipalName[]>
SPNs to renew tickets for
Options
Authentication (Kerberos)
Name
Aliases
Value
Description
-Ticket
<String>
Name of file containing a ticket-granting ticket (.kirbi or ccache)
-TicketCache
<String>
Name of ticket cache file
-W, -Workstation
<String>
Name of client workstation
-F, -Forwardable
<SwitchParam>
Requests a forwardable ticket
-Proxiable
<SwitchParam>
Requests a proxiable ticket
-Postdate
<DateTime>
Requests a postdated ticket with the specified start date
-Renewable
<SwitchParam>
Requests a renewable ticket
-RenewTill
<DateTime>
Requests a ticket renewable until the specified time (implies -Renewable)
-E, -EndTime
<DateTime>
End time
-RenewableOk
<SwitchParam>
Accepts a renewable ticket if the end time is over the limit
Output
Name
Aliases
Value
Description
-OutputFileName
<String>
Name of file to write ticket to
-Overwrite
<SwitchParam>
Overwrites the output file, if it exists
-A, -Append
<SwitchParam>
Appends to the output file, if it exists
-LogLevel
<LogMessageSeverity>
Sets the lowest level of messages to log
Possible values:
Debug
Diagnostic
Verbose
Info
Warning
Error
Critical
-ConsoleLogFormat
-LogFormat
<LogFormat>
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-D, -Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Name
Aliases
Value
Description
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
-TicketComment
<String>
Comment to associate with ticket
-S, -Socks5
<host-or-ip:port>
End point of SOCKS 5 server to use
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
This command sends a request to the TGS to renew the source ticket. You may
provide the source ticket to renew either with -Ticket or -TicketCache. For
-TicketCache, -TargetSpn is required; for -Ticket, -TargetSpn is optional. If
you specify both -Ticket and -TicketCache, Kerb renew only loads source tickets
from -Ticket and only uses -TicketCache for output.
If you specify -TargetSpn with one or more SPNs, Kerb renew only renews tickets
matching one of the specified SPNs.
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-D, -Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-H, -HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Details
When authenticating with a password, Kerberos internally generates a protocol
key from the password and the accompanying salt using the String-to-key
function defined for each encryption profile. For Windows domains, the salt
for a user account is usually the FQDN of the domain in uppercase followed by
the account name. Specifically, the salt is composed of the domain and SAM
account name at the time the password was last changed. Therefore, if an
account has been renamed, the salt retains the old account name until the user
changes the password again.
NOTE: Be sure to read the above regarding salts. Using the wrong salt has the
same effect as using the wrong password and may result in account lockout.
You may use Kerb getasinfo to get the salt for an account.
For more details, see [MS-KILE] § 3.1.1.2
The domain name used for the salt must be the FQDN of the domain, not the
shorter NetBIOS name.
Examples
Example 1 - Generate keys for milchick in domain LUMON.IND
Kerb s2k LUMON.INDmilchick Br3@kr00m!
Example 2 - Generate AES keys for milchick in domain LUMON.IND
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-D, -Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-H, -HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Ticket Decryption
Name
Aliases
Value
Description
-TicketKey
<HexString[]>
Key to decrypt the ticket
-ServicePassword
<String[]>
Password for service account
-ServiceSalt
<String[]>
Salt for service account
Ticket Filter
Name
Aliases
Value
Description
-Current
<SwitchParam>
Only select tickets currently valid
-MatchingClientName
<String[]>
Regex of client name to match
-MatchingSpn
<String[]>
Regex of SPN to match
-MatchingTicketEType
<EType[]>
Filter for ticket encryption type
Possible values:
DesCbcMd5
DesCbcCrc
Rc4Hmac
Rc4HmacExp
Aes128CtsHmacSha1_96
Aes256CtsHmacSha1_96
DsaWithSha1
Md5WithRsa
Sha1WithRsa
Rc2Cbc
Rsa
RsaesOaep
DesEde3Cbc
-MatchingSessionEType
<EType[]>
Filter for session key encryption type
Possible values:
DesCbcMd5
DesCbcCrc
Rc4Hmac
Rc4HmacExp
Aes128CtsHmacSha1_96
Aes256CtsHmacSha1_96
DsaWithSha1
Md5WithRsa
Sha1WithRsa
Rc2Cbc
Rsa
RsaesOaep
DesEde3Cbc
-SeqNbr
<NumberOrRange[]>
Seq. nbr. or range
-InvertMatch
<SwitchParam>
Invert match; select whatever doesn't match
Name
Aliases
Value
Description
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputFields
<String[]>
Fields to display in output
Possible values:
SourceFileName
SeqNbr
Comment
ClientName
ClientRealm
TicketRealm
TargetSpn
ServiceClass
ServiceInstance
ServiceRealm
KdcOptions
EndTime
StartTime
RenewTill
AsrepKeyText
TicketKeyText
SupportedEncryptionTypes
SessionEType
SessionKeyText
TicketEType
TgsrepHashcatMethod
TicketHash
IsCurrent
CachedAuthData
SecurityGroups
NtlmHashText
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
Details
This command reads tickets from one or more files (.kirbi or .ccache),
optionally filters them, and optionally writes the results to another file
(either .kirbi or .ccache). It can be used to inspect files, convert files,
combine files, or remove tickets from files.
The command accepts both -TicketCache and -From to specify one or more files to
read tickets from. If -From is specified, -TicketCache is ignored. This is to
facilitate the use of $KRB5CCNAME. If this environment variable is set, you
don't need to specify -From. If you specify -From, this expresses your desire
to ignore the ticket cache.
Specify the source files using -From. You may specify multiple files and
multiple wildcard patterns. Kerb select reads all tickets from the files and
applies any filters specified before printing the tickets to the screen. If
you specify -Into, the results are written to the file you specify. Use
-Overwrite to overwrite the output file if it already exists.
Examples
Example 1 - Print tickets from all milchick*.kirbi files
Kerb select -From milchick*.kirbi
Example 2 - Combine tickets from all milchick*.kirbi files
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Authentication
Name
Aliases
Value
Description
-Anonymous
<SwitchParam>
Uses anonymous login
-UserName
-u
<UserPrincipalName>
User name to authenticate with, not including the domain
-UserDomain
-ud
<String>
Domain of user to authenticate with
-Password
-p
<String>
Password to authenticate with
-NtlmHash
<hexadecimal hash>
NTLM hash for NTLM authentication
Authentication (Kerberos)
Name
Aliases
Value
Description
-AesKey
<HexString>
AES key (128 or 256)
-DesKey
<HexString>
DES key
-Tgt
<String>
Name of file containing a ticket-granting ticket (.kirbi or ccache)
-Tickets
<String[]>
Name of file containing service tickets (.kirbi or ccache)
-TicketCache
<String>
Name of ticket cache file
-K, -Kdc
<host-or-ip:port>
KDC endpoint
-S4UserName
<UserPrincipalName>
Name of user to impersonate with S4U
-U2UserName
<UserPrincipalName>
User name to request TGT for U2U
-S4UserCert
<String>
Name of file containing a certificate of a user to impersonate with S4U
-S4ProxyService
<SecurityPrincipalName>
Name of service to proxy through
-UserCert
<String>
Name of file containing user's certificate (for PKINIT)
-UserKey
<String>
Name of file containing user's key (for PKINIT)
-UserKeyPassword
<String>
Password to decrypt file containing user's key (for PKINIT)
Authentication (NTLM)
Name
Aliases
Value
Description
-Workstation
-w
<String>
Name of workstation to send with NTLM authentication
-NtlmVersion
<Version>
NTLM version number (a.b.c.d)
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
Kerb setpw uses the Windows 2000 Kerberos Change Password protocol (RFC 3244)
and can be used to change the password of a user account that may or may not be
the same as the authenticating user. This service does not require an initial
ticket and is more flexible than changepw.
Name of file containing a ticket-granting ticket (.kirbi or ccache)
-EncTypes
<EType[]>
Encryption types to request in response
Possible values:
DesCbcMd5
DesCbcCrc
Rc4Hmac
Rc4HmacExp
Aes128CtsHmacSha1_96
Aes256CtsHmacSha1_96
DsaWithSha1
Md5WithRsa
Sha1WithRsa
Rc2Cbc
Rsa
RsaesOaep
DesEde3Cbc
-S4UserCert
<String>
Name of file containing a certificate of a user to impersonate with S4U
-TicketCache
<String>
Name of ticket cache file
-W, -Workstation
<String>
Name of client workstation
-Forwardable
<SwitchParam>
Requests a forwardable ticket
-Proxiable
<SwitchParam>
Requests a proxiable ticket
-Postdate
<DateTime>
Requests a postdated ticket with the specified start date
-Renewable
<SwitchParam>
Requests a renewable ticket
-RenewTill
<DateTime>
Requests a ticket renewable until the specified time (implies -Renewable)
-EndTime
<DateTime>
End time
-RenewableOk
<SwitchParam>
Accepts a renewable ticket if the end time is over the limit
Name
Aliases
Value
Description
-Forwarded
<SwitchParam>
Requests a forwarded ticket
-Realm
<String>
Realm of the KDC
-S4UserName
<UserPrincipalName>
Name of user to impersonate with S4U
-S4ProxyService
<SecurityPrincipalName>
Name of service account with S4U2proxy
-U2uTicket
<String>
Name of file containing U2U ticket
-ServicePassword
<String>
Password for service account (for decrypting authorization data)
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
-TicketComment
<String>
Comment to associate with ticket
-Socks5
<host-or-ip:port>
End point of SOCKS 5 server to use
Ticket Authorization Data (Kerberos)
Name
Aliases
Value
Description
-ServiceSalt
<String>
Salt for service account (for decrypting authorization data)
-AsrepKey
<HexString>
Encryption key from AS-REP (for decrypting NTLM hash)
Output
Name
Aliases
Value
Description
-OutputFileName
<String>
Name of file to write ticket to
-Overwrite
<SwitchParam>
Overwrites the output file, if it exists
-Append
<SwitchParam>
Appends to the output file, if it exists
-LogLevel
<LogMessageSeverity>
Sets the lowest level of messages to log
Possible values:
Debug
Diagnostic
Verbose
Info
Warning
Error
Critical
-ConsoleLogFormat
-LogFormat
<LogFormat>
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-D, -Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
This command sends a TGS-REQ to the KDC to request a ticket.
The target may either be specified as a service principal name of the form
<class>/<instance> or as the name of the account itself. For machine accounts,
the $ is optional. For instance, instead of host/LUMON-FS1, you may simply use
LUMON-FS1$ or LUMON-FS1.
The command line must include either a password or a hex-encoded key, which is
used both for pre-authentication and to decrypt the response. When
specifying the NTLM hash, specify just the NTLM portion with no colon.
By default, all supported encryption types are sent in the request. To limit
this, use the -EncTypes parameter to specify which encryption types to request
from the server.