Kerberos Module Command Reference
The kerberos module exposes a collection of commands that interact with the Windows Kerberos SSP through LSA. The table below lists every command that can be invoked from the mimikatz console with the kerberos:: prefix.
| Command | Purpose |
|---|---|
| kerberos::ptt | Inject .kirbi tickets into the current logon session. |
| kerberos::list | Enumerate cached Kerberos tickets and optionally export them. |
| kerberos::ask | Request a service ticket (TGS) for a specific SPN. |
| kerberos::tgt | Display the current session's TGT. |
| kerberos::purge | Flush the Kerberos ticket cache of the current session. |
| kerberos::golden | Craft a golden ticket and optionally inject it. |
| kerberos::hash | Derive Kerberos keys from a password and salt. |
| kerberos::decrypt* | Decrypt an encoded ticket blob with a supplied key. |
| kerberos::pacinfo* | Inspect the contents of a PAC blob. |
| kerberos::ptc | Import and inject MIT/Heimdal ccache tickets. |
| kerberos::clist | List (and optionally export) tickets from a ccache file. |
* Commands marked with an asterisk are available only when mimikatz is built with the KERBEROS_TOOLS flag.
kerberos::ptt
Injects one or more .kirbi files into the current logon session by submitting them to the Kerberos SSP via KerbSubmitTicketMessage.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L14-L126】 The command accepts positional arguments that point to ticket files or directories:
kerberos::ptt C:\tickets\admin.kirbi
kerberos::ptt C:\tickets\ # processes every *.kirbi in the directory tree
Example output:
* File: 'C:\tickets\admin.kirbi' : OK
-> Ticket injected for user Administrator @ CORP.LOCAL
*.kirbi file under it; this is useful when importing many tickets at once.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L63-L79】
Potential errors and troubleshooting:
ERROR kuhl_m_kerberos_ptt_data – The file is not a valid KRB_CRED structure. Re-export the ticket with kerberos::list /export or another tool that preserves the Kerberos credential format.
ERROR kull_m_file_readData – mimikatz cannot open the ticket path. Confirm the path, escape backslashes, and ensure the process has permission to read the file.
kerberos::list
Enumerates cached Kerberos tickets for the current session and displays their metadata. Adding /export also saves each ticket as a .kirbi file using a descriptive filename.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L197-L266】
kerberos::list
kerberos::list /export
Example output:
Ticket : 0 - 0x00000000 - krbtgt/CORP.LOCAL @ CORP.LOCAL
Flags : 50a10000 -> forwardable ; renewable ; pre_authent ; initial ; ok_as_delegate
Start/End : 9/18/2023 12:00:00 AM ; 9/18/2023 10:00:00 AM
/export – Replays each cache entry through KerbRetrieveEncodedTicketMessage in KrbCred form and writes it to disk. Use this when you need to move a ticket to another host or analyze it offline.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L225-L255】
Potential errors and troubleshooting:
ERROR kuhl_m_kerberos_list – LSA returns STATUS_NO_LOGON_SESSION; run mimikatz as the same logon session whose tickets you want to inspect, or ensure you have SeDebugPrivilege by running privilege::debug first.
ERROR kull_m_file_writeData – When exporting, the destination path is invalid or unwritable. Change to a writable directory (for example, C:\temp) before running the command.
kerberos::ask
Requests a service ticket (TGS) for the supplied Service Principal Name (SPN) and shows the result. It can also export the ticket or the raw TKT blob for later use.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L269-L369】
kerberos::ask /target:cifs/server.lab.local [/rc4|/aes128|/aes256|/des] [/nocache] [/export] [/tkt]
Required flag:
/target:<SPN> – Sets the service principal to request. Without it the command aborts, because the Kerberos SSP cannot build a request without the target SPN.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L281-L369】
Optional flags:
/rc4, /aes128, /aes256, /des – Override the desired encryption type for the ticket session key. Specify these when you want a ticket compatible with a particular cryptosystem (for example, RC4 for legacy services or AES for modern ones).【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L288-L315】
/nocache – Forces KerbRetrieveEncodedTicketMessage to bypass the local cache. Use this to ensure you receive a freshly issued ticket when testing key rollovers or SPN configuration changes.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L288-L343】
/export – Replays the request in KrbCred form and writes a .kirbi file with an auto-generated name. Choose this whenever you want to save the ticket for pass-the-ticket operations.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L335-L357】
/tkt – Saves the encoded KRB_AP_REQ portion as a .tkt file. This is helpful when you need only the raw application ticket to replay with a custom client.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L327-L336】
Example output:
ServiceName : cifs/server.lab.local @ LAB.LOCAL
TicketFlags : 40a50000 -> forwardable ; renewable ; pre_authent ; ok_as_delegate
Saved to file : 20230918_120000_server.lab.local_cifs.kirbi
Potential errors and troubleshooting:
ERROR kuhl_m_kerberos_ask with KDC_ERR_S_PRINCIPAL_UNKNOWN – The SPN does not exist. Verify the target host’s SPN with setspn -Q cifs/server.lab.local or request a different service.
ERROR kuhl_m_kerberos_ask with KDC_ERR_ETYPE_NOTSUPP – The chosen encryption type is unsupported. Retry without specifying an encryption flag so the KDC picks a valid type, or choose one that matches the account’s keys.
ERROR kuhl_m_kerberos_ask with KDC_ERR_PREAUTH_FAILED – The TGT in the cache is invalid or expired. Acquire a fresh TGT with domain credentials or inject a valid TGT via kerberos::ptt.
kerberos::tgt
Retrieves and prints the TGT for the current logon session, including flags, lifetime, and session key information.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L148-L195】 Use it to confirm that a session has a valid TGT or to inspect its encryption type.
kerberos::tgt
Example output:
Ticket : 0 - 0x00000000 - krbtgt/CORP.LOCAL @ CORP.LOCAL
Session Key: 0x17 - aes256_hmac 0a8d...f3
Potential errors and troubleshooting:
ERROR kuhl_m_kerberos_tgt with STATUS_NO_LOGON_SESSION – The current context lacks a Kerberos logon. Run mimikatz from a domain session or inject a ticket first.
klist or log off/on to obtain fresh credentials.
kerberos::purge
Flushes every ticket from the current logon session's cache via KerbPurgeTicketCacheMessage. Run this before injecting new tickets to avoid ambiguity or when you want to remove artifacts after testing.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L129-L145】
kerberos::purge
Example output:
Ticket(s) purged !
Potential errors and troubleshooting:
ERROR kuhl_m_kerberos_purge – Usually indicates STATUS_NO_LOGON_SESSION. Ensure the process is running within the logon session whose cache you intend to purge.
kerberos::golden
Builds a forged ticket (golden ticket) using supplied identity, key material, and lifetime parameters. The ticket can be saved to disk or injected directly into the current session.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L409-L538】
kerberos::golden /user:Administrator /domain:corp.example.com /sid:S-1-5-21-... /rc4:<krbtgt_hash>
[/id:<rid>] [/groups:<rids>] [/sids:<sidlist>] [/claims:<claimset>] [/rodc:<id>]
[/service:<name>] [/target:<fqdn>] [/startoffset:<minutes>] [/endin:<minutes>] [/renewmax:<minutes>]
[/ticket:<filename>] [/ptt]
Identity and domain:
/user or /admin – Specifies the account name to embed in the ticket. /admin is an alias for /user and exists for historical usage.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L425-L427】
/domain – Sets the fully qualified AD domain. A dot in the name is required so mimikatz can derive the NetBIOS domain for the PAC. Use a FQDN to prevent malformed PAC structures.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L428-L467】
/sid – Supplies the domain SID embedded in the PAC. Without it, mimikatz cannot populate group SIDs or user context, so provide the domain SID whenever you need a working PAC for authorization.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L460-L495】
/id – Overrides the user RID (default 500). Adjust this to impersonate non-default accounts.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L468-L479】
/groups – Comma-separated list of group RIDs to grant. Use this to mirror the group memberships of the impersonated account.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L470-L485】
/sids – Additional SIDs to inject into the ticket (for resource-based constrained delegation or special privileges).【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L472-L489】
/claims – Loads a claims set from the provided string and embeds it in the PAC. Helpful when testing conditional access policies that rely on device or user claims.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L474-L494】
/rodc – Sets the RODC identifier so the KVNO aligns with a delegated krbtgt account. Use this when crafting tickets for environments with Read-Only Domain Controllers.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L476-L478】
Service and target:
/service – Overrides the service component (defaults to krbtgt). Use this to mint silver tickets for a specific service.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L443-L524】
/target – Sets the target domain or host FQDN in the service principal. Provide this when forging inter-realm tickets or service tickets for specific hosts.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L443-L524】
Key material:
/rc4, /aes128, /aes256, /des, /krbtgt – Supply the hexadecimal krbtgt (or service) key and choose the matching encryption type. Pick the flag that matches the hash you have; otherwise the cryptosystem rejects the ticket.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L432-L449】
Lifetime tuning:
/startoffset – Moves the ticket start time backwards by the specified minutes, helping to accommodate clock skew when deploying the ticket.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L451-L454】
/endin – Sets ticket validity duration in minutes (default ~10 years). Shorten this for stealthier tickets or lengthen it for lab scenarios.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L455-L456】
/renewmax – Controls the maximum renewable lifetime. Match production policies to avoid anomalies.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L457-L458】
Output and delivery:
/ticket – Overrides the output filename (default ticket.kirbi). Use this to save multiple tickets without overwriting files.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L423-L525】
/ptt – Injects the generated ticket immediately via the Pass-the-Ticket routine. Ideal when you want to start using the ticket without touching the filesystem.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L419-L538】
Example output:
User : Administrator
Service : krbtgt/corp.example.com
[*] Ticket written to : corp_admin.kirbi
Example with immediate injection:
kerberos::golden /user:Administrator /domain:corp.example.com /sid:S-1-5-21-111-222-333-500 /rc4:112233... /ptt
Potential errors and troubleshooting:
ERROR kuhl_m_kerberos_golden with No SID specified – Provide /sid with the domain SID so mimikatz can populate the PAC.
KRB_AP_ERR_BAD_INTEGRITY – The key material (for example /rc4) is wrong. Re-extract the krbtgt/service hash using lsadump::dcsync or other means.
/service and /target match the expected SPN (e.g., cifs/server) and that the KVNO matches the current krbtgt password (/rodc or /id may need adjustment).
kerberos::hash
Calculates Kerberos keys (RC4, AES128, AES256, and DES) for a given password and salt, using the appropriate string-to-key algorithms for NT5/NT6 systems.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L715-L761】
kerberos::hash /password:P@ssw0rd /user:USER /domain:CORP [/count:4096]
/password – The plaintext password to convert. Required to derive any key.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L724-L756】
/user – Username used in the salt; needed because Kerberos string-to-key derives DES keys from password + user + domain.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L724-L756】
/domain – Uppercase AD domain portion of the salt. Supply it to generate correct AES keys for domain accounts.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L724-L756】
/count – PBKDF2 iteration count (default 4096). Adjust when you want to emulate different domain functional levels or test performance.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L721-L756】
Example output:
RC4_HMAC : 8846f7eaee8fb117ad06bdd830b7586c
AES256_HMAC : 5f2f...c3d8
Potential errors and troubleshooting:
/password or /user – mimikatz prints usage information and aborts. Supply all required arguments.
/domain in uppercase.
kerberos::decrypt
Decrypts an encoded ticket or encrypted blob using a provided key. Choose this when you have a krbtgt/service key and want to inspect the ticket contents offline.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L764-L827】
kerberos::decrypt /aes256:<hexkey> /in:ticket.kirbi [/out:decrypted.bin] [/offset:<bytes> /size:<bytes>]
/rc4, /aes128, /aes256, /des – Identify the encryption scheme and provide the matching key material in hexadecimal. Without a key the operation fails, so pick the flag that corresponds to the captured hash.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L772-L820】
/in – Path to the encrypted blob. Mandatory because mimikatz reads ticket bytes from this file.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L796-L824】
/out – Destination filename (defaults to out.kirbi). Override this to keep the decrypted data alongside the source.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L798-L814】
/offset and /size – Limit decryption to a subsection of the input. Useful when only the ticket portion (not the full file) is encrypted.【F:mimikatz/modules/kerberos/kuhl_m_kerberos.c†L801-L813】
Example output:
Decrypted data written to : decrypted.bin
Potential errors and troubleshooting:
ERROR kuhl_m_kerberos_decrypt with No key provided – You must supply one of /rc4, /aes128, /aes256, or /des containing the correct key.
ERROR kull_m_file_readData – The input file path is invalid. Verify the filename and ensure the process has read permissions.
kerberos::pacinfo
Parses a PAC file and prints each buffer—validation info, signatures, claims, and credentials. Use it to audit or troubleshoot PAC contents extracted from tickets.【F:mimikatz/modules/kerberos/kuhl_m_kerberos_pac.c†L252-L392】 The command expects a filename as its argument.
Example usage and output:
kerberos::pacinfo C:\temp\pac.bin
* PAC_INFO_BUFFER : LOGON_INFO
* PAC_INFO_BUFFER : CREDENTIALS
Potential errors and troubleshooting:
ERROR kull_m_file_readData – The PAC file path is wrong. Confirm the file exists and that mimikatz has permission to read it.
ERROR kuhl_m_kerberos_pac_data – The blob is not a valid PAC. Re-extract the PAC (e.g., using kerberos::decrypt with the correct offsets) and ensure it is not compressed or truncated.
kerberos::ptc
Loads a MIT/Heimdal ccache file, converts each entry to a Kerberos credential, and injects it into the current session. Provide the ccache path as the positional argument whenever you need to reuse tickets captured on Unix-like systems.【F:mimikatz/modules/kerberos/kuhl_m_kerberos_ccache.c†L9-L124】
Example usage and output:
kerberos::ptc C:\temp\krb5cc_0
* Injected : HTTP/server.lab.local
Potential errors and troubleshooting:
ERROR kull_m_file_readData – The ccache file cannot be opened. Copy it to a local directory and confirm the path.
ERROR kuhl_m_kerberos_ptc with CCache format not supported – The file is not in MIT/Heimdal ccache format (or is corrupted). Re-export the cache from the source machine using klist -e or kinit to produce a compatible file.
kerberos::clist
Lists the tickets inside a ccache file and optionally exports each as a .kirbi file. Use /export when you want Windows-friendly credentials derived from cross-platform captures.【F:mimikatz/modules/kerberos/kuhl_m_kerberos_ccache.c†L9-L130】
kerberos::clist C:\temp\krb5cc_0 [/export]
/export – Saves each parsed ticket as a .kirbi file so it can be replayed with pass-the-ticket tooling on Windows.【F:mimikatz/modules/kerberos/kuhl_m_kerberos_ccache.c†L78-L130】
Example output:
Realm : LAB.LOCAL
* Service : host/server.lab.local
Saved to : LAB.LOCAL_host_server.lab.local.kirbi
Potential errors and troubleshooting:
ERROR kull_m_file_readData – File not found. Confirm the ccache path.
ERROR kuhl_m_kerberos_clist with Unsupported kvno – The cache entry uses a key version that mimikatz cannot parse. Update mimikatz to the latest build or export the cache in a different format.
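For the defender's side of kerberos::clist and of the /endin default described under kerberos::golden, the following added example (not part of mimikatz or of this reference) lists the tickets in a version 4 MIT ccache buffer and flags any whose lifetime exceeds domain policy. Assumptions: the 10-hour MAX_LIFETIME value, the names Reader and list_ccache, and the constructed SAMPLE bytes; the field layout follows the MIT ccache file format.

```python
import struct

MAX_LIFETIME = 10 * 3600  # assumption: AD default maximum user ticket lifetime (10 h)

class Reader:  # bounds-checked big-endian reader for ccache format version 4
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())
    def principal(self):
        self.u32()  # name type, not needed for a listing
        count, realm = self.u32(), self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)) + "@" + realm

def list_ccache(buf):
    """Return (default principal, ticket metadata); key and ticket bytes are skipped."""
    r = Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled")
    r.take(r.u16())  # version 4 header fields
    default, creds = r.principal(), []
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        etype = r.u16(); r.data()  # keyblock: enctype, then key bytes (discarded)
        auth, start, end, _renew = (r.u32() for _ in range(4))
        r.take(1); r.u32()  # is_skey, ticket flags
        for _ in range(2):  # addresses, then authdata: count + (type, data) items
            for _ in range(r.u32()):
                r.u16(); r.data()
        r.data(); r.data()  # ticket, second ticket
        life = end - (start or auth)  # starttime 0 means "use authtime"
        creds.append({"client": client, "server": server, "etype": etype,
                      "lifetime": life, "too_long": life > MAX_LIFETIME})
    return default, creds

# Constructed sample: two credentials with dummy key and ticket bytes.
def _d(s): return struct.pack(">I", len(s)) + s.encode()
def _princ(*parts): return struct.pack(">II", 1, len(parts)) + _d("LAB.LOCAL") + b"".join(map(_d, parts))
def _cred(server, seconds, t0=1695000000):
    times = struct.pack(">4I", t0, t0, t0 + seconds, t0 + seconds)
    return (_princ("alice") + _princ(*server) + struct.pack(">HI", 18, 4) + bytes(4) + times
            + b"\0" + struct.pack(">4I", 0, 0, 0, 3) + b"tkt" + bytes(4))
SAMPLE = (b"\x05\x04" + struct.pack(">HHHII", 12, 1, 8, 0, 0) + _princ("alice")
          + _cred(("krbtgt", "LAB.LOCAL"), 10 * 3600) + _cred(("host", "server.lab.local"), 10 * 365 * 86400))
```

Calling list_ccache(SAMPLE) returns the default principal and one record per credential; the second constructed entry, with a ten-year lifetime, is the one marked too_long.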