Protocol internals, security configuration, and attack techniques for Kerberos in Active Directory.
Quick start
RC4 enforcement starts April 2026. Accounts without msDS-SupportedEncryptionTypes explicitly set will stop getting RC4 tickets. July 2026 makes it permanent with no rollback. The fix is two settings: msDS-SupportedEncryptionTypes = 24 on every SPN-bearing account, and DefaultDomainSupportedEncTypes = 24 on every DC.
Not sure where your domain stands? The Quick Start Guide covers what you need to know in 5 minutes. Ready to run the migration? Go straight to the Standardization Guide.
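To see which SPN-bearing accounts are not yet at the target value of 24, the sketch below decodes msDS-SupportedEncryptionTypes as a bitmask and sorts accounts by status. It is an added example, not code from this repository; the record layout, account names and status labels are assumptions, and the sample records are constructed.

```python
# Added example: audit exported account records against the AES-only target.
# Low five bits of msDS-SupportedEncryptionTypes, as defined in MS-KILE.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_ONLY = 0x08 | 0x10          # 24, the target value named above
LEGACY = 0x01 | 0x02 | 0x04     # DES and RC4
ETYPE_MASK = 0x1F               # only the five etype bits above are examined


def decode(value):
    """Names of the encryption types enabled in an attribute value."""
    return [name for bit, name in ETYPE_BITS.items() if value & bit]


def classify(spns, enc_types):
    """Status of one account: skip, unset, legacy, partial or ok."""
    if not spns:
        return "skip"            # no SPN: outside the SPN-bearing scope
    etypes = (enc_types or 0) & ETYPE_MASK
    if etypes == 0:
        return "unset"           # nothing explicit: the case enforcement changes
    if etypes & LEGACY:
        return "legacy"          # DES or RC4 still permitted
    return "ok" if etypes == AES_ONLY else "partial"


def audit(accounts):
    """Return (name, status, enabled etypes) for SPN accounts not at 24."""
    findings = []
    for acct in accounts:
        status = classify(acct["spns"], acct["enc_types"])
        if status not in ("skip", "ok"):
            findings.append((acct["name"], status, decode(acct["enc_types"] or 0)))
    return findings


# Constructed sample records (hypothetical names), shaped like an LDAP export.
SAMPLE = [
    {"name": "svc-sql", "spns": ["MSSQLSvc/db01.example.test:1433"], "enc_types": None},
    {"name": "svc-web", "spns": ["HTTP/web01.example.test"], "enc_types": 28},
    {"name": "svc-app", "spns": ["HTTP/app01.example.test"], "enc_types": 24},
    {"name": "svc-half", "spns": ["HTTP/half01.example.test"], "enc_types": 16},
    {"name": "alice", "spns": [], "enc_types": 4},
]
```

Calling `audit(SAMPLE)` returns the three service accounts that still need attention: one unset, one that still permits RC4, and one with only a single AES type enabled.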
Protocol
How Kerberos actually works in Active Directory. Wire protocol, ticket structures, key derivation, grounded in RFC 4120 and the MS-KILE spec.
Unconstrained, constrained, and resource-based constrained delegation
Security
The RC4 deprecation deadline is April 2026 with permanent enforcement in July. This section covers how to audit your domain, what to configure, and how to migrate before it matters.
Delegation redirect by moving SPNs between accounts
Development
git clone https://github.com/StrongWind1/Kerberos.git
cd Kerberos
uv sync --group docs # install dependencies
uv run --group docs mkdocs serve # live preview at http://127.0.0.1:8000
uv run --group docs mkdocs build --strict # full build with link checking
Related tools
Other projects in this collection:
AD-SecretGen - derive AD password hashes and Kerberos keys from a password
NTDSWolf - offline NTDS.dit parser and credential extractor
KerbWolf - Kerberos roasting and hash extraction toolkit
Disclaimer
This material documents Kerberos attack techniques for authorized security testing, research, and education only. You must have explicit written permission before testing any technique against systems you do not own. Unauthorized access to computer systems is illegal.