gettgt.py

TLDR

Request a TGT using a password

$ getTGT.py [domain]/[username]:[password]

Request a TGT using NTLM hashes
$ getTGT.py -hashes [LM_Hash]:[NT_Hash] [domain]/[username]

Use Kerberos authentication (from existing ccache, no password needed)
$ getTGT.py -k -no-pass [domain]/[username]

Request a TGT using an AES key (128 or 256 bits)
$ getTGT.py -aesKey [aes_key] [domain]/[username]

Specify a domain controller IP
$ getTGT.py -dc-ip [domain_controller_ip] [domain]/[username]:[password]

Request a service ticket directly (AS-REQ) for a specific SPN
$ getTGT.py -service [SPN] [domain]/[username]:[password]

SYNOPSIS

getTGT.py [-h] [-hashes LMHASH:NTHASH] [-aesKey AESKEY] [-dc-ip DC_IP] [-k] [-no-pass] [domain/]username[:password]

PARAMETERS

-h, --help
    Show help message and exit

-hashes LMHASH:NTHASH
    NTLM hashes in LMHASH:NTHASH format (e.g., aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c)

-aesKey AESKEY
    AES key (aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96)

-dc-ip DC_IP
    IP address of the domain controller

-k
    Use Kerberos authentication, taking credentials from an existing ccache file

-no-pass
    Skip password prompt (for hash or key usage)

DESCRIPTION

getTGT.py is a Python script from the Impacket suite, designed for penetration testers and security researchers. It requests a Kerberos Ticket Granting Ticket (TGT) from a domain controller (DC) by crafting an AS-REQ packet with pre-authentication data derived from a password, an NTLM hash (RC4-HMAC) or an AES key. With a hash or key, this allows obtaining TGTs without knowing the plaintext password, useful for lateral movement, Pass-the-Hash attacks, or further Kerberos abuse like silver/golden tickets.

Typically invoked with a domain/user and a hash, it communicates with the KDC over UDP/TCP 88. It supports options for specifying the DC IP, Kerberos mode, and key type. Output is a .ccache or .kirbi file containing the TGT, compatible with tools like Rubeus or Impacket's psexec.py.

Requires Python 3 and the Impacket library; it is not a native Linux binary but runs on Linux/macOS/Windows.

CAVEATS

Requires network access to DC port 88; domain admin privileges not needed for user TGTs but hashes must be valid. Not for production use—pentesting only. May trigger EDR alerts. IPv6 support limited.
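
For defenders, the request described above is visible on the DC: a TGT obtained with an NT hash as the key is issued with RC4-HMAC (etype 0x17), which stands out where accounts normally use AES. The following is an added example, not part of the original page or of Impacket; it assumes Security event 4768 records exported as dictionaries, and the sample records, function names and allowlist parameter are constructed for illustration.

```python
# Added example (not Impacket code): review Windows Security event 4768
# records for TGTs issued with RC4-HMAC, the etype an NT-hash key produces.
RC4_HMAC = 0x17
AES_ETYPES = {0x11, 0x12}   # aes128 / aes256-cts-hmac-sha1-96

# Constructed sample records; field names follow event 4768, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.99",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.40",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.30",
     "TicketEncryptionType": "0xFFFFFFFF", "Status": "0x18"},  # failed pre-auth
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
]

def source_ip(raw):
    """Strip the IPv4-mapped IPv6 prefix the DC writes in front of IPv4 addresses."""
    return raw[7:] if raw.lower().startswith("::ffff:") else raw

def review_tgt_requests(events, rc4_allowlist=frozenset()):
    """Return (user, ip, severity) for successful AS exchanges that issued an RC4 TGT."""
    ok = [e for e in events
          if e.get("EventID") == 4768 and int(e.get("Status", "0x1"), 16) == 0]
    # Baseline: source addresses from which each account obtained AES TGTs.
    aes_sources = {}
    for e in ok:
        if int(e["TicketEncryptionType"], 16) in AES_ETYPES:
            aes_sources.setdefault(e["TargetUserName"].lower(), set()).add(source_ip(e["IpAddress"]))
    findings = []
    for e in ok:
        user, ip = e["TargetUserName"].lower(), source_ip(e["IpAddress"])
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC or user in rc4_allowlist:
            continue
        if user in aes_sources:   # account normally uses AES: etype downgrade
            new_host = ip not in aes_sources[user]
            findings.append((user, ip, "high" if new_host else "medium"))
        else:                     # no AES baseline in this window
            findings.append((user, ip, "low"))
    return findings

if __name__ == "__main__":
    for finding in review_tgt_requests(SAMPLE_EVENTS, rc4_allowlist={"svc_legacy"}):
        print(finding)
```

The allowlist is for accounts known to be limited to RC4; disabling RC4 for Kerberos in the domain removes the need for it.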

EXAMPLE

python3 getTGT.py -hashes :8846f7eaee8fb117ad06bdd830b7586c lab.local/user -dc-ip 10.10.10.10
Saves user.ccache

OUTPUT

Generates [user].ccache or [user].kirbi; use with KRB5CCNAME env var: export KRB5CCNAME=user.ccache

HISTORY

Part of the Impacket toolkit, originally developed by SecureAuth in the 2010s; getTGT.py was added ~2015 for Kerberos hash attacks. Maintained by fortinet/SecureAuth on GitHub.

SEE ALSO

kinit(1), ktutil(1)
