> For the complete documentation index, see [llms.txt](https://www.impacket.wiki/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.impacket.wiki/reference/script-reference/kerberos-scripts.md).

# Kerberos Scripts

The Kerberos examples are some of the most important scripts in Impacket because they show how the library builds, requests, stores, converts, and inspects tickets.

## Script List

* `getTGT.py` -- Request a TGT
* `getST.py` -- Request a service ticket (TGS)
* `GetNPUsers.py` -- AS-REP Roasting (users without pre-authentication)
* `GetUserSPNs.py` -- Kerberoasting (service ticket requests for cracking)
* `ticketer.py` -- Forge Golden / Silver tickets
* `ticketConverter.py` -- Convert between kirbi and ccache formats
* `describeTicket.py` -- Inspect and decode ticket contents
* `goldenPac.py` -- MS14-068 exploit (Golden PAC)
* `keylistattack.py` -- Keylist attack for RODC scenarios
* `getPac.py` -- Request and parse a PAC
* `raiseChild.py` -- Child-to-parent domain privilege escalation

## Main Scripts

| Script               | Purpose                                                                                   | Useful Things To Look at In The Source                                     |
| -------------------- | ----------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| `getTGT.py`          | Requests a Ticket Granting Ticket for a user or machine account                           | AS-REQ construction, encrypted timestamp pre-authentication, ccache saving |
| `getST.py`           | Requests a service ticket, including delegation-oriented flows                            | S4U, SPN handling, ticket cache usage                                      |
| `GetNPUsers.py`      | Finds accounts without Kerberos pre-authentication and requests roastable AS-REP material | LDAP enumeration, AS-REP request logic                                     |
| `GetUserSPNs.py`     | Finds users with SPNs and optionally requests roastable TGS material                      | LDAP filters, TGS-REQ flow                                                 |
| `ticketer.py`        | Creates golden or silver Kerberos tickets                                                 | PAC construction, ticket signing, SID/group handling                       |
| `ticketConverter.py` | Converts between ccache and Kirbi formats                                                 | Ticket serialization formats                                               |
| `describeTicket.py`  | Parses and describes a Kerberos ticket                                                    | ASN.1 parsing, PAC parsing, ticket decryption                              |
| `getPac.py`          | Requests and displays PAC-related ticket data                                             | PAC handling and KDC interaction                                           |
| `changepasswd.py`    | Changes or resets passwords through SAMR, Kerberos, or LDAP paths                         | Password-change protocols, reset permissions, policy behavior              |
| `findDelegation.py`  | Finds delegation settings in Active Directory                                             | LDAP delegation attributes                                                 |
| `rbcd.py`            | Reads or writes resource-based constrained delegation                                     | LDAP security descriptor editing                                           |
| `goldenPac.py`       | Demonstrates the historical MS14-068-style golden PAC flow                                | Kerberos PAC abuse flow                                                    |
| `keylistattack.py`   | Performs Kerberos key list request workflows where applicable                             | Kerberos extension handling                                                |

## Requesting a TGT

`getTGT.py` is the cleanest starting point for understanding Impacket Kerberos authentication.

```bash
python examples/getTGT.py CONTOSO/alice:'Passw0rd!'
```

With an NT hash:

```bash
python examples/getTGT.py -hashes :8846f7eaee8fb117ad06bdd830b7586c CONTOSO/alice
```

With an AES key:

```bash
python examples/getTGT.py -aesKey 2b7e151628aed2a6abf7158809cf4f3c CONTOSO/alice
```

The output is normally a `.ccache` file. That file can then be reused by other examples with `-k -no-pass`.

## Requesting a Service Ticket

`getST.py` requests a ticket for a specific SPN.

```bash
python examples/getST.py -spn cifs/files01.contoso.local CONTOSO/alice:'Passw0rd!'
```

Common follow-up:

```powershell
$env:KRB5CCNAME = "alice.ccache"
python examples/smbclient.py -k -no-pass files01.contoso.local
```

The service ticket must match the service name the target expects. For SMB, that is usually `cifs/hostname`.

## AS-REP Roasting

`GetNPUsers.py` queries accounts that do not require Kerberos pre-authentication. If the KDC returns AS-REP material, that material can be tested offline.

```bash
python examples/GetNPUsers.py CONTOSO.LOCAL/alice:'Passw0rd!' -dc-ip 10.10.10.10
```

Request output for users from a file:

```bash
python examples/GetNPUsers.py CONTOSO.LOCAL/ -usersfile users.txt -no-pass -dc-ip 10.10.10.10
```

## Kerberoasting

`GetUserSPNs.py` searches for user accounts with SPNs and can request TGS material.

```bash
python examples/GetUserSPNs.py CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
python examples/GetUserSPNs.py -request CONTOSO/alice:'Passw0rd!' -dc-ip 10.10.10.10
```

Study this script for LDAP filter construction and how Impacket switches from directory enumeration to Kerberos ticket requests.

## Ticket Creation and Conversion

`ticketer.py` creates Kerberos tickets from known key material and domain identity data.

```bash
python examples/ticketer.py -nthash <krbtgt-nt-hash> -domain-sid S-1-5-21-... -domain CONTOSO.LOCAL alice
```

`ticketConverter.py` converts between common ticket file formats:

```bash
python examples/ticketConverter.py alice.kirbi alice.ccache
python examples/ticketConverter.py alice.ccache alice.kirbi
```

## Password Changes and Resets

`changepasswd.py` collects several password-change paths in one script: SAMR over SMB, SAMR over RPC, Kerberos password change, Kerberos password set, and LDAP password change or reset.

```bash
python examples/changepasswd.py CONTOSO/alice:'OldPassw0rd!'@dc01.contoso.local -newpass 'NewPassw0rd!'
```

Study this script when you need to understand the difference between changing a password as the account owner and resetting a password with higher privileges.

## Considerations

Kerberos examples are sensitive to naming. Use the AD DNS domain, use FQDNs for Kerberos targets, and when you can, specify `-dc-ip` and `-target-ip`. If a workflow works with NTLM but fails with Kerberos, inspect the SPN, DNS name, time sync, and cache selection. Chances are you just need to sync your time, or make the domain/target casing consistent.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://www.impacket.wiki/reference/script-reference/kerberos-scripts.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
