Tools for Forging Kerberos Tickets

When it comes to attacking Active Directory through Kerberos, few techniques are as powerful—or as misunderstood—as ticket forging. This post breaks down the core tools every pentester should know to manipulate, forge, and abuse Kerberos tickets during red team operations. We’ll explore how each tool fits into the picture and when to use which one.

Understanding the Context: Why Forge Kerberos Tickets?

Kerberos authentication is built on a ticketing system. If you can forge or steal tickets, you can impersonate users (even Domain Admins), access services, and move laterally without ever knowing passwords. This is how techniques like:

Pass-the-Ticket
Golden Ticket attacks
Silver Ticket attacks
S4U (Service-for-User) delegation abuse

…are pulled off.

The catch? You need the right tools to create or inject these tickets.

1. Kekeo – The Advanced Kerberos Forge

Kekeo is a post-exploitation tool developed by Benjamin Delpy (creator of Mimikatz). It is designed exclusively for Kerberos ticket operations.

What It Can Do:

Create TGTs (Ticket Granting Tickets)
Create TGSs (Service Tickets)
Abuse S4U2Self and S4U2Proxy for constrained delegation
Support cross-domain ticket creation
Work with RC4 and AES keys

When To Use Kekeo:

You want full control over the Kerberos flow
You’re dealing with Constrained Delegation
You’re crafting tickets manually from known passwords or hashes

Example:

# Create a TGT for a service account with known password
kekeo.exe
> tgt::ask /user:svcIIS /domain:corp.local /password:Password123

# Use that TGT to impersonate a Tier 1 Admin to a specific service
> tgs::s4u /tgt:<TGT.kirbi> /user:t1_admin /service:http/server.corp.local

2. Mimikatz – The Swiss Army Knife

Mimikatz is a legendary post-exploitation tool. While it’s famous for dumping credentials, it’s also highly capable when it comes to working with Kerberos tickets.

What It Can Do:

Extract tickets from memory
Inject tickets into memory (Pass-the-Ticket)
Forge Golden and Silver Tickets
Extract the krbtgt hash for Golden Ticket attacks

When To Use Mimikatz:

You want to extract or inject tickets into a process
You’re executing a Golden/Silver ticket attack
You’re escalating privileges post-compromise

Example:

privilege::debug
kerberos::ptt <ticket.kirbi>
sekurlsa::tickets
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-... /krbtgt:<hash>

3. Rubeus – The Kerberos Workhorse (Windows)

Rubeus is arguably the most powerful Kerberos post-exploitation tool for Windows environments. It combines the best of Kekeo and Mimikatz with better scripting support and visibility.

What It Can Do:

Request TGTs and TGSs (asktgt, asktgs)
Perform S4U delegation attacks
Forge Silver Tickets
Dump or import .kirbi tickets (dump, ptt)
Extract service tickets for Kerberoasting
Supports password, NTLM, AES128/256 key usage

When To Use Rubeus:

You’re doing red teaming on Windows
You want automated or scriptable ticket abuse
You’re combining multiple ticketing techniques

Example:

Rubeus.exe asktgt /user:svcIIS /rc4:<NTLM> /domain:corp.local
Rubeus.exe s4u /user:svcIIS /rc4:<NTLM> /impersonateuser:t1_admin /msdsspn:http/server.corp.local /domain:corp.local
Rubeus.exe ptt /ticket:<ticket.kirbi>

4. Impacket – The Linux Powerhouse

Impacket is a collection of Python tools used heavily in offensive security. It’s especially useful for Kerberos abuse from a Linux (Kali/Parrot) environment.

What It Can Do:

Create Golden Tickets (ticketer.py)
Abuse S4U2Self/S4U2Proxy delegation
Perform Pass-the-Ticket with getST.py and getTGT.py
Extract service tickets (GetUserSPNs.py) for Kerberoasting

When To Use Impacket:

You’re operating from Linux
You’re scripting ticket abuse
You’re exploiting cross-forest trusts

Example:

python3 ticketer.py -nthash <krbtgt_hash> -domain-sid S-1-5-... -domain corp.local Administrator
python3 getST.py corp.local/username -k -no-pass -spn http/server.corp.local

Quick Comparison Table

Tool	Platform	Can Forge Tickets	Can Inject Tickets	Can Extract Tickets	Ideal Use Case
Kekeo	Windows	✅ Yes	❌ No	❌ No	Manual forging, constrained delegation
Mimikatz	Windows	✅ Yes	✅ Yes	✅ Yes	Extraction, Golden/Silver tickets
Rubeus	Windows	✅ Yes	✅ Yes	✅ Yes	Scripted abuse on Windows
Impacket	Linux	✅ Yes	✅ Yes	✅ Yes	Cross-domain, scripting on Linux

Final Thoughts

If you’re serious about Active Directory exploitation, learning these tools is non-negotiable. Each one plays a unique role in attacking Kerberos:

Kekeo for manual forging
Mimikatz for extraction/injection
Rubeus for all-around automation
Impacket for Linux-based operations

Once you understand how to build and move tickets, you unlock a new level of offensive capability. And with that, you also better understand how to defend against these same techniques.

Tools for Forging Kerberos Tickets

Understanding the Context: Why Forge Kerberos Tickets?

1. Kekeo – The Advanced Kerberos Forge

What It Can Do:

When To Use Kekeo:

Example:

2. Mimikatz – The Swiss Army Knife

What It Can Do:

When To Use Mimikatz:

Example:

3. Rubeus – The Kerberos Workhorse (Windows)

What It Can Do:

When To Use Rubeus:

Example:

4. Impacket – The Linux Powerhouse

What It Can Do:

When To Use Impacket:

Example:

Quick Comparison Table

Final Thoughts

Related Posts