impacket-gettgt
SYNOPSIS
impacket-gettgt [-h] [-hashtype {lm,ntlm}] [-user USER] [-nthash NTHASH] [-aesKey AESKEY] [-dc-ip DC_IP] [-k] [-no-pass] [-request] domain/username
PARAMETERS
-h, --help
Show help message and exit
-hashtype {lm,ntlm}
Hash type for authentication; options: lm, ntlm (default)
-user USER
Username for authentication instead of positional arg
-nthash NTHASH
NTLM hash (pass-the-hash) instead of password
-aesKey AESKEY
AES-256 key for Kerberos authentication
-dc-ip DC_IP
IP address of target Domain Controller
-k
Use Kerberos ccache credentials (KRB5CCNAME)
-no-pass
Skip password prompt (for scripting)
-request
Force TGT request even if cached
DESCRIPTION
impacket-gettgt is a tool from the Impacket suite designed to request a Ticket Granting Ticket (TGT) from an Active Directory Kerberos Key Distribution Center (KDC). It supports authentication via password, NTLM hash (pass-the-hash), or AES keys, making it useful for penetration testing and red team operations.
By providing domain credentials, the tool sends an AS-REQ to the KDC (port 88/TCP) and saves the resulting TGT in both ccache (for tools like impacket-ntlmrelayx) and .kirbi formats (for ticket tools). This enables subsequent Kerberos-based attacks like pass-the-ticket, overpass-the-hash, or service ticket requests with impacket-getST.
Common workflow: run impacket-gettgt domain/user:pass, or supply a hash with -nthash, then set the KRB5CCNAME environment variable to use the TGT. Detection risks include event logs (Event IDs 4768/4769) on Windows DCs.
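A detection-side view of the 4768 logging mentioned above, as an added example (not part of Impacket or of the original page): it flags successful TGT requests issued with RC4-HMAC, a common heuristic for hash-based requests in AES-enabled domains. The event records are constructed samples using the Windows 4768 field names, and legacy_sources is a hypothetical allowlist of hosts known to still use RC4.

```python
import ipaddress

RC4_HMAC = 0x17  # etype 23; AES256-CTS-HMAC-SHA1-96 is 0x12

# Constructed sample records (field names follow the Windows 4768 event schema).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.5.21",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "user", "IpAddress": "::ffff:10.0.9.77",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "LEGACYAPP$", "IpAddress": "::ffff:10.0.2.8",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.9.77",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6"},  # failed request
    {"EventID": 4769, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.5.21",
     "TicketEncryptionType": "0x17", "Status": "0x0"},  # service ticket, not a TGT
]

def normalize_ip(raw):
    """Return the client address with the IPv4-mapped '::ffff:' form unwrapped."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return raw  # e.g. '-' when the DC recorded no address
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)

def flag_rc4_tgt_requests(events, legacy_sources=frozenset()):
    """Return (account, source) for successful 4768 events issued with RC4-HMAC."""
    findings = []
    for ev in events:
        # Only successful TGT requests (4768, Status 0x0) are of interest here.
        if ev.get("EventID") != 4768 or int(ev.get("Status", "0x0"), 16) != 0:
            continue
        if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        src = normalize_ip(ev.get("IpAddress", "-"))
        if src in legacy_sources:  # hypothetical allowlist of known RC4 clients
            continue
        findings.append((ev["TargetUserName"], src))
    return findings

if __name__ == "__main__":
    for account, src in flag_rc4_tgt_requests(SAMPLE_EVENTS, {"10.0.2.8"}):
        print(f"RC4 TGT request: account={account} source={src}")
```

Treat hits as leads to review against the domain's own baseline, since legacy clients can legitimately request RC4 tickets.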
CAVEATS
Requires TCP/88 access to the DC; generates authentication logs (Event ID 4768); invalid credentials sometimes fail silently; depends on Python packages (impacket, pyasn1); not for production use.
OUTPUT FILES
Generates user.tgt@DOMAIN.ccache (export KRB5CCNAME=...) and .kirbi ticket file.
EXAMPLE USAGE
impacket-gettgt -nthash aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 TEST/user
Outputs TGT for further attacks.
HISTORY
Part of Impacket library by SecureAuth (now Fortra), evolved since 2010 for protocol fuzzing/pentesting; getTGT added for Kerberos ops in v0.9+.
SEE ALSO
impacket-getST(1), impacket-psexec(1), kinit(1)


