impacket-gettgt
requests a Kerberos Ticket Granting Ticket from an Active Directory domain
TLDR
Request a TGT for a domain user with password
SYNOPSIS
impacket-gettgt [-h] [-dc-ip IP] [-hashes LMHASH:NTHASH] [-aesKey KEY] target
DESCRIPTION
impacket-gettgt requests a Kerberos Ticket Granting Ticket (TGT) from an Active Directory domain controller. The TGT is saved to a ccache file that can be used for subsequent Kerberos authentication with other tools.
This tool is useful for obtaining Kerberos tickets when you have valid credentials (password, hash, or AES key) and need to authenticate to Kerberos-enabled services. To make other tools use the resulting ccache file, set the KRB5CCNAME environment variable to its path.
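When a ccache file like the one this tool writes turns up during triage, the first questions are whose ticket it holds and when it expires. The following added example (not part of the original page or of Impacket) reads the default principal and the first credential's service, session-key encryption type and expiry from a version 4 (0x0504) credential cache. The sample bytes, the EXAMPLE.TEST realm and the user alice are constructed.

```python
import struct
from datetime import datetime, timezone

ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        # Refuse to read past the end so a truncated file fails loudly.
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def counted(self):
        return self.take(self.u32())                 # 32-bit length, then data
    def principal(self):
        self.u32()                                   # name type, unused here
        count = self.u32()
        realm = self.counted().decode("utf-8", "replace")
        parts = [self.counted().decode("utf-8", "replace") for _ in range(count)]
        return "/".join(parts) + "@" + realm

def summarize_ccache(data):
    r = Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("not a version 4 ccache")
    r.take(r.u16())                                  # skip header tags
    default = r.principal()
    client, server = r.principal(), r.principal()    # first credential
    etype = r.u16()
    r.counted()                                      # session key: skipped, never shown
    _auth, _start, end, _renew = (r.u32() for _ in range(4))
    return {"default_principal": default, "client": client, "service": server,
            "is_tgt": server.startswith("krbtgt/"),
            "session_key_etype": ETYPES.get(etype, str(etype)),
            "expires": datetime.fromtimestamp(end, tz=timezone.utc)}

def sample_principal(realm, *parts):                 # builds constructed sample data
    cs = lambda b: struct.pack(">I", len(b)) + b
    return struct.pack(">II", 1, len(parts)) + cs(realm) + b"".join(map(cs, parts))

SAMPLE = (b"\x05\x04" + struct.pack(">HHHII", 12, 1, 8, 0, 0)   # constructed, zero key
          + sample_principal(b"EXAMPLE.TEST", b"alice") * 2
          + sample_principal(b"EXAMPLE.TEST", b"krbtgt", b"EXAMPLE.TEST")
          + struct.pack(">HI", 23, 16) + bytes(16)
          + struct.pack(">IIII", 1700000000, 1700000000, 1700036000, 1700604800))
```

Calling summarize_ccache on the bytes of a real file gives the same fields; the parser stops after the first credential and never returns key material.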
PARAMETERS
-dc-ip IP
IP address of the domain controller (KDC)
-hashes LMHASH:NTHASH
Use NTLM hashes for authentication instead of password
-aesKey KEY
AES key to use for Kerberos authentication (128 or 256 bit)
CAVEATS
Requires valid domain credentials in some form (password, NTLM hash, or AES key). The domain controller must be reachable and the Kerberos port (88/tcp) must be accessible. Time synchronization between client and KDC is critical for Kerberos to function.
HISTORY
Part of the Impacket library by SecureAuth, implementing the Kerberos protocol for penetration testing. TGT retrieval is a fundamental operation in Kerberos-based attacks and authentication workflows.
SEE ALSO
impacket-getst(1), kinit(1), klist(1), impacket-secretsdump(1)
