diff --git a/documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md b/documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md
index 8d0ee05482c2..cffcb44c5ac9 100644
--- a/documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md
+++ b/documentation/modules/auxiliary/scanner/kerberos/kerberos_login.md
@@ -3,7 +3,9 @@
 The `auxiliary/scanner/kerberos/kerberos_login` module can verify Kerberos credentials against a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful
-logins and hosts so you can track your access.
+logins and hosts so you can track your access. It will also
+store kerberos tickets that can be used even after the user's
+password has been changed.
 Kerberos accounts which do not require pre-authentication will have the TGT logged for offline cracking, this technique is known as AS-REP Roasting.
diff --git a/lib/msf/core/exploit/remote/kerberos/auth_brute.rb b/lib/msf/core/exploit/remote/kerberos/auth_brute.rb
index bd3a929e266f..8e33564565a6 100644
--- a/lib/msf/core/exploit/remote/kerberos/auth_brute.rb
+++ b/lib/msf/core/exploit/remote/kerberos/auth_brute.rb
@@ -75,6 +75,8 @@ def attempt_kerberos_logins
 print_good("#{peer} - User: #{format_user(user)} does not require preauthentication. Hash: #{hash}")
 else
 print_good("#{peer} - User found: #{format_user(user)} with password #{password}. Hash: #{hash}")
+ ccache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(result.proof.as_rep, result.proof.decrypted_part)
+ Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ccache, host: rhost, framework_module: self)
 end
 report_cred(user: user, password: password, asrep: hash)
 else
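Review bot: The two ticket-storage lines added after the `User found` print_good are unguarded, so an exception from `Krb5Ccache.from_responses` (e.g. a `result.proof` that does not carry `as_rep`/`decrypted_part` for some response shape) or from `Storage.store_ccache` (e.g. a database write failure; what it does without an active database is not visible here) propagates out of `attempt_kerberos_logins` and aborts the remaining user/password attempts of the scan after a valid credential was already found. Because the credential itself is only persisted by the `report_cred` call that follows, a raise here also loses that record. I would wrap the two calls in a rescue that reports the failure and continues, as below. The stored TGT is a bearer credential usable until its expiry regardless of a later password change (the accompanying documentation change says as much), so a short `print_status` naming the stored ticket would make that persistence visible to the operator. `attempt_kerberos_logins` starts and ends outside this hunk.
```ruby
print_good("#{peer} - User found: #{format_user(user)} with password #{password}. Hash: #{hash}")
begin
  ccache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.from_responses(result.proof.as_rep, result.proof.decrypted_part)
  Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ccache, host: rhost, framework_module: self)
  print_status("#{peer} - Stored TGT for #{format_user(user)} (valid until ticket expiry, independent of password changes)")
rescue StandardError => e
  # Do not let a storage/parsing failure abort the rest of the scan; the credential is still reported below.
  print_warning("#{peer} - Failed to store TGT for #{format_user(user)}: #{e.class} - #{e.message}")
end
# … unchanged: end / report_cred …
```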