Original text by jalvarezz13
Krb5RoastParser is an open-source Python tool created to simplify the extraction of Kerberos authentication hashes from captured network traffic. Instead of manually analyzing packets in Wireshark, the tool processes .pcap files and automatically identifies Kerberos authentication messages such as AS-REQ, AS-REP, and TGS-REP. Using tshark, the script parses these packets and reconstructs the relevant cryptographic data required to generate password-cracking hashes. The output is formatted to be directly compatible with tools such as Hashcat, enabling security researchers and penetration testers to perform offline password attacks as part of Kerberos-based assessments like Kerberoasting or AS-REP roasting. The project focuses on automating repetitive tasks typically performed during traffic analysis and red-team exercises, reducing the manual effort required to extract authentication artifacts from network captures. The tool currently supports several Kerberos hash formats and is designed to be extensible for additional output formats or cracking tools in the future. Overall, Krb5RoastParser streamlines the workflow of converting Kerberos packet captures into usable credential-cracking material during authorized security testing.
https://github.com/jalvarezz13/Krb5RoastParser
Krb5RoastParser: Automating Kerberos Hash Extraction from Network Traffic
Krb5RoastParser is an open-source Python tool designed to simplify the analysis of Kerberos authentication traffic captured in network packet files. The project focuses on extracting authentication data from PCAP captures and converting it into formats that can be used for password-cracking tools during security assessments and research.
What the tool does
During penetration tests or Active Directory security analysis, analysts often inspect Kerberos traffic captured with tools like tcpdump or Wireshark. Manually extracting the relevant fields required for Kerberos attacks—such as Kerberoasting or AS-REP roasting—can be time-consuming. Krb5RoastParser automates this process by parsing Kerberos protocol packets directly from .pcap files.
The tool analyzes authentication exchanges and extracts important messages including:
- AS-REQ (Authentication Service Request)
- AS-REP (Authentication Service Response)
- TGS-REP (Ticket Granting Service Response)
From these packets, the script reconstructs the cryptographic data necessary to generate password-cracking hashes compatible with tools like Hashcat.
Why it is useful
The main goal of Krb5RoastParser is to reduce manual work when analyzing Kerberos captures. Instead of manually navigating packet fields in Wireshark, researchers can automatically extract the relevant authentication data using a lightweight CLI tool.
This makes the workflow faster and more reproducible in:
- penetration testing labs
- Active Directory security assessments
- protocol analysis
- red-team exercises
The project is intentionally lightweight and extensible, allowing developers to expand support for additional hash formats or output structures in future versions.
Conclusion
Krb5RoastParser streamlines Kerberos traffic analysis by automatically extracting authentication artifacts from packet captures. By converting Kerberos protocol data into cracking-ready hashes, it helps security researchers and red-teamers quickly move from network capture analysis to credential attack workflows.