skewrun – bypass Kerberos clock skew (KRB_AP_ERR_SKEW) without root or touching the system clock (Rust, v1.1.0)
I'm the author, sharing this here because it's a narrow, annoying problem most of us have hit on an engagement: the attack box's clock drifts from the DC's, Kerberos throws KRB_AP_ERR_SKEW, and the usual fix (ntpdate or rdate against the DC) needs root and clobbers your whole system clock, not just Kerberos. Other processes, logs, TLS all shift too, and on a VM the hypervisor often stomps your fix a few seconds later unless you also disable host time sync.
skewrun finds the DC's real time by talking to it directly (CLDAP, SMB, NTP, Kerberos, or NTLM), then wraps your target command with libfaketime via LD_PRELOAD, so only that process sees the corrected time. The machine's own clock never changes.
Since v0.9.0 it's split into a pure Rust library (ad-time) and a CLI (skewrun) built on top, so the protocol sources are usable standalone in other tooling.
One thing from this release that might be useful to others doing packet-level OPSEC work: the Kerberos AS-REQ till field isn't computed by Windows, it's a hardcoded constant (20370913024805Z, Sept 13 2037) since at least Server 2003, confirmed via a Heimdal KDC bug report with real captures and the leaked Windows Server 2003 source. Computing now + jitter instead of hardcoding that value is a detectable difference. Full writeup and two more similar decisions (SMB dialect list, CLDAP baseline) are in the repo's ADRs.
Install: cargo install skewrun (or a static musl binary in releases, no toolchain needed)
Repo: https://github.com/JVBotelho/skewrun
Feedback and issues welcome, especially if anyone has actually captured traffic to confirm or refute the till finding, that part's still on my list.