Realm override (--realm) #6

@StrongWind1

Description

What problem does this solve?

CredWolf currently derives the Kerberos realm by uppercasing the -d domain name. This works for standard Active Directory environments where the realm matches the DNS domain (e.g. -d evil.corp → realm EVIL.CORP). However, some environments have non-standard realm configurations:

  • The Kerberos realm differs from the DNS domain (e.g. realm LEGACY.INTERNAL but DNS domain evil.corp)
  • Cross-forest trust testing where the target realm is in a different forest
  • Lab environments with manually configured realms

In these cases, CredWolf cannot construct valid Kerberos requests because the realm in the AS-REQ is wrong.

Proposed solution

Add a --realm <REALM> flag to the kerberos and userenum subcommands. When set, it overrides the realm derived from -d for all Kerberos operations:

```
credwolf -d evil.corp kerberos --kdc-ip 10.0.0.1 --realm LEGACY.INTERNAL -u admin -p Pass1
```

Implementation:

  • --realm sets the realm used in AS-REQ req-body.realm and sname (krbtgt/REALM)
  • -d continues to be used for DNS resolution and NTLM domain
  • The realm should be stored as-is (no automatic uppercasing) to support edge cases, but a warning should be emitted if it contains lowercase characters since RFC 4120 recommends uppercase
  • AES salt construction should use the --realm value instead of the uppercased domain

Alternatives considered

  • Automatically detecting realm from DNS SRV records (_kerberos._tcp.domain) — adds complexity and network dependency
  • Using -d with the realm value directly — breaks NTLM and DNS resolution
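Added example (not CredWolf's code): a small Python model of the proposed behaviour, showing how -d and --realm split responsibilities. The argparse layout, the `KerberosTarget` type and all function names are hypothetical stand-ins for whatever the project actually uses; the salt rule (realm followed by the principal name) and the PBKDF2 parameters are the RFC 3962 defaults for AES user principals.

```python
import argparse
import hashlib
import warnings
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KerberosTarget:
    """Hypothetical holder for what each flag contributes."""
    dns_domain: str         # value of -d: DNS resolution and NTLM domain
    realm: str              # value placed in AS-REQ req-body.realm and in sname
    realm_overridden: bool  # True when --realm was supplied


def realm_warnings(realm: str) -> List[str]:
    """Lint a --realm value; it is stored as-is, so lowercase only warns."""
    notes = []
    if any(c.islower() for c in realm):
        notes.append(f"realm {realm!r} contains lowercase characters; "
                     "RFC 4120 recommends uppercase")
    return notes


def resolve_realm(dns_domain: str, realm_override: Optional[str] = None) -> KerberosTarget:
    """Default: realm = uppercased -d. With --realm: use the override verbatim."""
    if realm_override is None:
        return KerberosTarget(dns_domain, dns_domain.upper(), False)
    for note in realm_warnings(realm_override):
        warnings.warn(note, UserWarning)
    return KerberosTarget(dns_domain, realm_override, True)


def krbtgt_sname(target: KerberosTarget) -> Tuple[str, str]:
    """sname for the AS-REQ: krbtgt/REALM, with REALM taken from the target."""
    return ("krbtgt", target.realm)


def aes_salt(target: KerberosTarget, username: str) -> str:
    """RFC 3962 default salt for a user principal: realm + principal name."""
    return target.realm + username


def aes256_pbkdf2(password: str, target: KerberosTarget, username: str) -> bytes:
    """First stage of RFC 3962 string-to-key for aes256-cts: PBKDF2-HMAC-SHA1,
    4096 iterations, 32 bytes. The final DK step is left out; this stage is
    enough to show that a wrong realm produces a different key."""
    salt = aes_salt(target, username).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 32)


def build_parser() -> argparse.ArgumentParser:
    """Minimal stand-in for the proposed CLI shape (hypothetical layout)."""
    parser = argparse.ArgumentParser(prog="credwolf")
    parser.add_argument("-d", dest="domain", required=True)
    sub = parser.add_subparsers(dest="command", required=True)
    for name in ("kerberos", "userenum"):
        p = sub.add_parser(name)
        p.add_argument("--kdc-ip", required=True)
        p.add_argument("--realm", default=None)  # overrides realm derived from -d
        p.add_argument("-u", dest="username")
        p.add_argument("-p", dest="password")
    return parser


def target_from_argv(argv: List[str]) -> KerberosTarget:
    """Parse a command line and resolve which realm Kerberos operations use."""
    args = build_parser().parse_args(argv)
    return resolve_realm(args.domain, args.realm)


if __name__ == "__main__":
    # The command line from the proposal, as a constructed input.
    argv = ["-d", "evil.corp", "kerberos", "--kdc-ip", "10.0.0.1",
            "--realm", "LEGACY.INTERNAL", "-u", "admin", "-p", "Pass1"]
    t = target_from_argv(argv)
    print(t)
    print("sname:", krbtgt_sname(t))
    print("AES salt:", aes_salt(t, "admin"))
```

One caveat worth keeping in mind when wiring the salt through: the default realm+name salt only applies when the KDC does not supply one. A KDC that answers with ETYPE-INFO2 carrying an explicit salt expects that salt to be used instead, so the --realm value should feed the default path, not replace a KDC-provided salt.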
