
Kerberos probe

The Kerberos probe communicates directly with a Key Distribution Center (KDC) using a hand-rolled RFC 4120 implementation — no GSSAPI or third-party Kerberos library. It supports three distinct operations: credential validation, AS-REP Roasting for offline cracking, and Kerberoasting for service account enumeration.

[Screenshot: Kerberos probe editor — connection settings and operation selector]

| Field | Description |
|---|---|
| KDC Host | Hostname or IP of the Key Distribution Center |
| Port | KDC port (default: 88) |
| Realm | Kerberos realm in uppercase (e.g. LAB.LOCAL, CORP.EXAMPLE.COM) |
| UDP | Use UDP transport (default: on). The probe automatically falls back to TCP when the server sets the Truncation bit or returns an error. |

Choose the operation with the Operation toggle. Fields shown adapt to the selected mode.

The credential-validation operation validates a username and password by sending an AS-REQ with PA-ENC-TIMESTAMP pre-authentication. The timestamp is encrypted with RC4-HMAC-MD5 under the NT hash derived from the password.

| Response | Meaning |
|---|---|
| OK | KDC returned AS-REP — credentials are valid |
| FAIL + KDC_ERR_PREAUTH_FAILED (24) | Wrong password |
| FAIL + KDC_ERR_C_PRINCIPAL_UNKNOWN (6) | Username does not exist |
| FAIL + KRB_AP_ERR_SKEW (37) | Clock skew too large (> 5 minutes) |

The AS-REP Roast operation sends an AS-REQ without pre-authentication for the specified username. If the account has DONT_REQUIRE_PREAUTH set (common on service accounts), the KDC responds with an AS-REP whose encrypted part can be cracked offline.

No password is required — only the username.

The response includes the hash in hashcat format, ready for mode 18200 (`$krb5asrep$23$`):

```
$krb5asrep$23$jdoe@LAB.LOCAL:a1b2c3...16hex...$rest...
```

Copy the hash and run:

```
hashcat -m 18200 hash.txt wordlist.txt
```

The Kerberoast operation authenticates with the provided credentials, obtains a TGT, then requests a service ticket for the specified SPN. The service ticket’s encrypted part is decryptable offline using the service account’s password hash.

| Field | Description |
|---|---|
| Username | Account with valid credentials to authenticate as |
| Password | Password for the authenticating account |
| SPN | Service Principal Name to request a ticket for (e.g. HTTP/web.lab.local, MSSQLSvc/db.lab.local:1433) |

The response includes the hash in hashcat format, ready for mode 13100 (`$krb5tgs$23$`):

```
$krb5tgs$23$*svc_iis*LAB.LOCAL*HTTP/web.lab.local*$a1b2c3...16hex...$rest...
```

Copy the hash and run:

```
hashcat -m 13100 hash.txt wordlist.txt
```

[Screenshot: Kerberos probe response — Kerberoast hash in copyable card with hashcat mode label]

The response shows an OK or FAIL chip, the KDC error code and message if the request failed, and the encryption type reported by the KDC (e.g. etype 23 (RC4-HMAC)).

For roasting operations, the hash is displayed in a copyable card with the appropriate hashcat mode label (-m 18200 or -m 13100). Click Copy to copy the full hash to the clipboard.

The Exchanges panel lists each KDC message pair (AS-REQ / AS-REP, TGS-REQ / TGS-REP). Expand to inspect the raw hex of the request and response. Useful for verifying the exact bytes sent — the probe writes raw DER-encoded Kerberos messages and does not normalise them through a library.

{{variable}} placeholders are supported in host, realm, username, password, and SPN fields.

The history panel shows the overall success/fail status and the realm/username for each past execution. Click any entry to restore the full response including the hashcat hash.

The probe implements RFC 4120 (Kerberos V5) and RFC 4757 (RC4-HMAC-MD5 encryption) from scratch:

  • ASN.1 DER: hand-rolled encoder and Cursor-based decoder; no external ASN.1 library
  • RC4-HMAC-MD5: MD4 NT hash → K1/K2/K3 key derivation → RC4 stream cipher → HMAC-MD5 checksum
  • Transport: UDP with automatic TCP fallback (4-byte length prefix per RFC 4120 §7.2.2)
  • Encryption type 23 (ETYPE_RC4_HMAC) is used for pre-authentication and ticket encryption — the type cracked by hashcat modes 18200 and 13100
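The etype 23 profile listed above, written out as an added example in Python (not the probe's own code): RFC 4757 key derivation K1/K3 from the NT hash, RC4 encryption of confounder plus plaintext, and the HMAC-MD5 checksum that lets any candidate key be verified without talking to the KDC, which is what makes the AS-REP and TGS enc-parts offline-testable. The 16-byte NT hash and the timestamp are constructed inputs (the MD4 step is not shown, as it is not available in every hashlib build), and `asrep_hashcat_line` only lays the result out in the `$krb5asrep$23$` form shown earlier.

```python
import hashlib
import hmac
import os

PA_ENC_TIMESTAMP_USAGE = 1  # RFC 4120 key usage number for the pre-auth timestamp

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher: key scheduling, then XOR with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(nt_hash: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757 section 3: returns checksum (16 bytes) || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)               # 8 random bytes per message
    k1 = _hmac_md5(nt_hash, usage.to_bytes(4, "little"))   # K1 = HMAC-MD5(NT hash, usage LE32)
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)                         # K2 == K1 for 128-bit keys
    k3 = _hmac_md5(k1, checksum)                           # per-message RC4 key
    return checksum + rc4(k3, data)

def rc4_hmac_decrypt(nt_hash: bytes, usage: int, blob: bytes) -> "bytes | None":
    """Inverse of rc4_hmac_encrypt; returns None when the checksum does not verify,
    i.e. the key (NT hash) is wrong. This check needs no KDC, hence offline cracking."""
    checksum, ciphertext = blob[:16], blob[16:]
    k1 = _hmac_md5(nt_hash, usage.to_bytes(4, "little"))
    data = rc4(_hmac_md5(k1, checksum), ciphertext)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]                                        # drop the confounder

def asrep_hashcat_line(user: str, realm: str, enc_part: bytes) -> str:
    """Lay out an AS-REP enc-part in the -m 18200 form: checksum hex, '$', ciphertext hex."""
    return f"$krb5asrep$23${user}@{realm}:{enc_part[:16].hex()}${enc_part[16:].hex()}"
```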