
CLI reference

Global options

Short  Long               Description
-v     --verbose          Verbosity level (-v verbose, -vv debug, -vvv trace)
-d     --domain           Domain name (required)
-o     --output           Write results to file
       --stop-on-success  Stop on first valid authentication
       --delay            Seconds to wait between attempts (default: 0)
       --jitter           Random jitter +/- seconds added to delay (default: 0)
       --timeout          Connection timeout in seconds; 0 for no timeout (default: 15)
       --max-lockouts     Stop after N consecutive revoked accounts (disabled/expired/locked); 0 to disable (default: 0)

NTLM options

Options

Short  Long         Description
       --transport  Transport protocol (default: smb)

User source (mutually exclusive)

Short  Long          Description
-u     --user        Single username
-U     --users-file  Username list file

Secret source (mutually exclusive)

Short  Long              Description
-p     --password        Single password
-P     --passwords-file  Password list file
-H     --hashes-file     Hash list file (NT hash or LM:NT pair per line)
       --user-pass-file  Colon-separated user:password file
       --hash            Single hash (NT or LM:NT format)
       --user-hash-file  Colon-separated user:hash file (NT or LM:NT)

Target

Short  Long     Description
       --dc-ip  Domain controller IP (required)

Kerberos options

Options

Short  Long         Description
       --transport  Transport protocol (default: udp)
-e     --etype      Encryption type for password auth and --user-key-file 32-hex disambiguation (default: rc4)

User source (mutually exclusive)

Short  Long          Description
-u     --user        Single username
-U     --users-file  Username list file

Secret source

Short  Long              Description
-p     --password        Single password
-P     --passwords-file  Password list file
       --rc4-file        RC4/NT hash list file
       --aes128-file     AES128 key list file
       --aes256-file     AES256 key list file
       --rc4-key         Single RC4/NT key (32 hex chars)
       --aes128-key      Single AES128 key (32 hex chars)
       --aes256-key      Single AES256 key (64 hex chars)
       --ticket          Ticket file containing TGT (.ccache or .kirbi)
       --user-key-file   Colon-separated user:key file — auto-detects RC4 (32 hex) vs AES256 (64 hex); use --etype aes128 to treat 32-hex keys as AES128

Target

Short  Long      Description
       --kdc-ip  KDC IP address (required)

Username enumeration options

Options

Short  Long         Description
       --transport  Transport protocol (default: udp)

User source (mutually exclusive)

Short  Long          Description
-u     --user        Single username
-U     --users-file  Username list file

Target

Short  Long      Description
       --kdc-ip  KDC IP address (required)

Full --help output

credwolf

usage: credwolf [-h] [-v] [--version] -d DOMAIN [-o OUTPUT_FILE]
                [--stop-on-success] [--delay DELAY] [--jitter JITTER]
                [--timeout TIMEOUT] [--max-lockouts MAX_LOCKOUTS]
                {ntlm,kerberos,userenum} ...

Credential validation tool for Active Directory Domain Services.

positional arguments:
  {ntlm,kerberos,userenum}
                        authentication protocol
    ntlm                NTLM credential validation (over SMB, LDAP, or LDAPS)
    kerberos            Kerberos credential validation (over UDP or TCP)
    userenum            Username enumeration via Kerberos (bare AS-REQ, no
                        login attempt)

options:
  -h, --help            show this help message and exit
  -v, --verbose         verbosity level (-v verbose, -vv debug, -vvv trace)
  --version             show program's version number and exit
  -d DOMAIN, --domain DOMAIN
                        domain name (required)
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        write results to file
  --stop-on-success     stop on first valid authentication
  --delay DELAY         seconds to wait between attempts (default: 0)
  --jitter JITTER       random jitter +/- seconds added to delay (default: 0)
  --timeout TIMEOUT     connection timeout in seconds; 0 for no timeout
                        (default: 15)
  --max-lockouts MAX_LOCKOUTS
                        stop after N consecutive revoked accounts
                        (disabled/expired/locked); 0 to disable (default: 0)

credwolf ntlm

usage: credwolf ntlm [-h] [-u USER | -U USERS_FILE]
                     [-p PASSWORD | -P PASSWORDS_FILE | -H HASHES_FILE | --user-pass-file USER_PASS_FILE | --hash HASH_VALUE | --user-hash-file USER_HASH_FILE]
                     --dc-ip DC_IP [--transport {smb,ldap,ldaps}]

options:
  -h, --help            show this help message and exit
  --transport {smb,ldap,ldaps}
                        transport protocol (default: smb)

user source (mutually exclusive):
  -u USER, --user USER  single username
  -U USERS_FILE, --users-file USERS_FILE
                        username list file

secret source (mutually exclusive):
  -p PASSWORD, --password PASSWORD
                        single password
  -P PASSWORDS_FILE, --passwords-file PASSWORDS_FILE
                        password list file
  -H HASHES_FILE, --hashes-file HASHES_FILE
                        hash list file (NT hash or LM:NT pair per line)
  --user-pass-file USER_PASS_FILE
                        colon-separated user:password file
  --hash HASH_VALUE     single hash (NT or LM:NT format)
  --user-hash-file USER_HASH_FILE
                        colon-separated user:hash file (NT or LM:NT)

target:
  --dc-ip DC_IP         domain controller IP (required)

credwolf kerberos

usage: credwolf kerberos [-h] [-u USER | -U USERS_FILE] [-p PASSWORD]
                         [-P PASSWORDS_FILE] [--rc4-file RC4_FILE]
                         [--aes128-file AES128_FILE]
                         [--aes256-file AES256_FILE] [--rc4-key RC4_KEY]
                         [--aes128-key AES128_KEY] [--aes256-key AES256_KEY]
                         [--ticket TICKET] [--user-key-file USER_KEY_FILE]
                         --kdc-ip KDC_IP [--transport {tcp,udp}]
                         [-e {rc4,aes128,aes256}]

options:
  -h, --help            show this help message and exit
  --transport {tcp,udp}
                        transport protocol (default: udp)
  -e {rc4,aes128,aes256}, --etype {rc4,aes128,aes256}
                        encryption type for password auth and --user-key-file
                        32-hex disambiguation (default: rc4)

user source (mutually exclusive):
  -u USER, --user USER  single username
  -U USERS_FILE, --users-file USERS_FILE
                        username list file

secret source:
  -p PASSWORD, --password PASSWORD
                        single password
  -P PASSWORDS_FILE, --passwords-file PASSWORDS_FILE
                        password list file
  --rc4-file RC4_FILE   RC4/NT hash list file
  --aes128-file AES128_FILE
                        AES128 key list file
  --aes256-file AES256_FILE
                        AES256 key list file
  --rc4-key RC4_KEY     single RC4/NT key (32 hex chars)
  --aes128-key AES128_KEY
                        single AES128 key (32 hex chars)
  --aes256-key AES256_KEY
                        single AES256 key (64 hex chars)
  --ticket TICKET       ticket file containing TGT (.ccache or .kirbi)
  --user-key-file USER_KEY_FILE
                        colon-separated user:key file — auto-detects RC4 (32
                        hex) vs AES256 (64 hex); use --etype aes128 to treat
                        32-hex keys as AES128

target:
  --kdc-ip KDC_IP       KDC IP address (required)

credwolf userenum

usage: credwolf userenum [-h] [-u USER | -U USERS_FILE] --kdc-ip KDC_IP
                         [--transport {tcp,udp}]

options:
  -h, --help            show this help message and exit
  --transport {tcp,udp}
                        transport protocol (default: udp)

user source (mutually exclusive):
  -u USER, --user USER  single username
  -U USERS_FILE, --users-file USERS_FILE
                        username list file

target:
  --kdc-ip KDC_IP       KDC IP address (required)