
Linux command

impacket-getst command

Files

After copying a command, replace file names, directories, or parameters as needed.

Common examples

Request a service ticket with a password

impacket-getst -spn '[cifs/target.domain.com]' '[domain]/[user]:[password]'

Request a service ticket with an NT hash instead of a password

impacket-getst -spn '[cifs/target.domain.com]' -hashes ':[nthash]' '[domain]/[user]'

Impersonate a user

impacket-getst -spn '[cifs/target.domain.com]' -impersonate '[administrator]' '[domain]/[user]:[password]'

Request a service ticket using an existing Kerberos ccache (KRB5CCNAME), without a password

impacket-getst -spn '[cifs/target.domain.com]' -k -no-pass '[domain]/[user]'

Request a service ticket with an AES key

impacket-getst -spn '[cifs/target.domain.com]' -aesKey '[aes256key]' '[domain]/[user]'

Request a User-to-User ticket

impacket-getst -u2u -spn '[cifs/target.domain.com]' '[domain]/[user]:[password]'

Description

impacket-getst requests a Kerberos Service Ticket (ST) from an Active Directory domain controller and saves it as a ccache file. It supports standard ticket requests, S4U2Self/S4U2Proxy delegation attacks for user impersonation, and User-to-User authentication. This tool is commonly used in penetration testing for Kerberos delegation abuse (constrained delegation, resource-based constrained delegation) where an attacker with delegation privileges can impersonate any user to a target service. The resulting ccache file can be used with other tools via the KRB5CCNAME environment variable.
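From the defender's side, the S4U2Proxy step described above leaves a distinctive trace in the domain controller's Security log: a Kerberos service ticket request (event 4769) whose "Transited Services" field names the delegating service instead of being empty. The following added example, which is not part of the original page or of Impacket, parses a few constructed 4769 message bodies and flags the delegation requests; the field names are those Windows writes into the 4769 event, while the sample records and the `high_value` account list are assumptions for illustration.

```python
import re

# Field names as they appear in a 4769 message body. Windows writes "-" for an
# empty Transited Services field on an ordinary TGS request; S4U2Proxy fills it
# with the principal of the service that delegated on the user's behalf.
FIELDS = ("Account Name", "Service Name", "Transited Services", "Client Address")
_NAMES = "|".join(map(re.escape, FIELDS))
_FIELD_RE = re.compile(rf"({_NAMES}):\s*(.*?)\s*(?=(?:{_NAMES}):|$)")

# Constructed sample events (not real log data): one plain TGS request and two
# tickets minted through constrained delegation by the hypothetical svc_web account.
SAMPLE_EVENTS = [
    "Account Name: svc_web$@CORP.EXAMPLE  Service Name: FILESRV$  "
    "Transited Services: -  Client Address: ::ffff:10.0.0.5",
    "Account Name: Administrator@CORP.EXAMPLE  Service Name: cifs/target.domain.com  "
    "Transited Services: svc_web@CORP.EXAMPLE  Client Address: ::ffff:10.0.0.5",
    "Account Name: jdoe@CORP.EXAMPLE  Service Name: http/app01.corp.example  "
    "Transited Services: svc_web@CORP.EXAMPLE  Client Address: ::ffff:10.0.0.5",
]


def parse_4769(message: str) -> dict:
    """Extract the fields of interest from one 4769 message body."""
    return {name: value for name, value in _FIELD_RE.findall(message)}


def find_delegation_requests(messages, high_value=("administrator",)):
    """Return one finding per event whose Transited Services field is populated,
    i.e. a service ticket obtained via S4U2Proxy on behalf of Account Name."""
    findings = []
    for msg in messages:
        ev = parse_4769(msg)
        transited = ev.get("Transited Services", "-")
        if transited in ("", "-"):
            continue  # ordinary TGS-REQ, no delegation involved
        user = ev.get("Account Name", "").split("@")[0].lower()
        findings.append({
            "impersonated": ev.get("Account Name"),
            "delegating_service": transited,
            "target_spn": ev.get("Service Name"),
            "client": ev.get("Client Address"),
            "high_value_target": user in high_value,  # worth an immediate look
        })
    return findings


if __name__ == "__main__":
    for f in find_delegation_requests(SAMPLE_EVENTS):
        print(f)
```

Accounts that should never be impersonated this way can be marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group, which makes the domain controller refuse the S4U2Proxy step regardless of the delegating service's configuration.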

Parameters

-spn _SPN_
Service Principal Name (service/server) of the target service.
-altservice _SPN_
Set a new sname/SPN in the resulting ticket.
-impersonate _USER_
Target username to impersonate via S4U2Self. Requires delegation privileges.
-additional-ticket _FILE_
Include a forwardable service ticket in an S4U2Proxy request for RBCD + KCD.
-dmsa
Use Delegated Managed Service Accounts.
-u2u
Request a User-to-User ticket.
-self
Only perform S4U2Self, skip S4U2Proxy.
-force-forwardable
Force the S4U2Self service ticket to be forwardable.
-renew
Renew the TGT used for authentication.
-ts
Add timestamp to every logging output.
-debug
Turn DEBUG output on.
-hashes _LMHASH:NTHASH_
Use NTLM hashes for authentication instead of password.
-no-pass
Do not prompt for password (useful with -k).
-k
Use Kerberos authentication from ccache file (KRB5CCNAME).
-aesKey _KEY_
AES key for Kerberos authentication (128 or 256 bit).
-dc-ip _IP_
IP address of the domain controller.

FAQ

What is the impacket-getst command used for?

impacket-getst requests a Kerberos Service Ticket (ST) from an Active Directory domain controller and saves it as a ccache file. It supports standard ticket requests, S4U2Self/S4U2Proxy delegation attacks for user impersonation, and User-to-User authentication. This tool is commonly used in penetration testing for Kerberos delegation abuse (constrained delegation, resource-based constrained delegation) where an attacker with delegation privileges can impersonate any user to a target service. The resulting ccache file can be used with other tools via the KRB5CCNAME environment variable.

How do I run a basic impacket-getst example?

Run `impacket-getst -spn '[cifs/target.domain.com]' '[domain]/[user]:[password]'` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does -spn _SPN_ do in impacket-getst?

Service Principal Name (service/server) of the target service.