This script modifies the unencrypted realm part of a Kerberos ticket (passed as a kirbi file) using the impacket library

setKerbRealm.py

#!/usr/bin/env python
#
# This script modifies the unencrypted realm part of a Kerberos ticket (passed as a kirbi file) using the impacket library
#

from pyasn1.codec.der import decoder, encoder

from impacket.krb5.asn1 import KRB_CRED, Ticket, seq_set_iter
from impacket.krb5 import types

import argparse, sys

parser = argparse.ArgumentParser(add_help=True, description="Attempts to modify the realm part of a Kerberos ticket (kirbi) file")
parser.add_argument('-i', '--infile', required=True, help='input .kirbi ticket file')
parser.add_argument('-o', '--outfile', required=True, help='output .kirbi ticket file')
parser.add_argument('-r', '--realm', required=True, help='new realm to set')

if len(sys.argv) == 1:
    parser.print_help()
    sys.exit(1)

args = parser.parse_args()

print("[*] Loading and decoding ticket from %s" % args.infile)

f = open(args.infile, 'rb')
encodedKrbCred = f.read()
f.close()

krbCred = decoder.decode(encodedKrbCred, asn1Spec=KRB_CRED())[0]
ticket = types.Ticket()
ticket.from_asn1(krbCred['tickets'][0])

oldSPN = str(ticket.service_principal)
ticket.service_principal.realm = args.realm

print("[*] Changing SPN from %s to %s and hoping for the best..." % (oldSPN, ticket.service_principal))

seq_set_iter(krbCred, 'tickets', (ticket.to_asn1(Ticket()),))

# print(krbCred)

newEncodedKrbCred = encoder.encode(krbCred)

g = open(args.outfile, 'wb')
g.write(newEncodedKrbCred)
g.close()

print("[+] Encoded the modified ticket and dumped it to %s" % args.outfile)