dump

The dump command provides comprehensive Kerberos ticket extraction capabilities from system memory, supporting both targeted and bulk harvesting operations across user sessions.

Memory Extraction

Extract tickets directly from LSA memory structures

Multi-Session Support

Access tickets across all user sessions when elevated

Flexible Filtering

Target specific users, services, or session IDs

Export Ready

Base64-encoded output ready for injection or analysis

Overview

Extract all current Kerberos tickets from memory on the local system. This command provides comprehensive ticket harvesting capabilities, extracting both TGTs and service tickets for offline analysis and reuse.

Basic Syntax
Targeted Extraction
Output Options

# Basic ticket extraction
Rubeus.exe dump

# With filtering options
Rubeus.exe dump [/luid:LUID] [/user:username] [/service:servicename] [/server:servername] [/nowrap]

Parameters

Hide Session Targeting

luid

string

Show Logon Session ID Details

Target specific logon session ID (requires elevation)Format: Hexadecimal value (e.g., 0x3e7, 0x12345)Use Cases:

Extract from specific user sessions
Target administrative sessions
Focus on service account sessions

Discovery: Use logonsession command to enumerate available LUIDs

Show Content Filtering

user

string

Show Username Filter Details

Filter tickets by username (case-insensitive)Examples:

administrator - Domain admin tickets
service_account - Service account tickets
DESKTOP-ABC123$ - Machine account tickets

Wildcards: Not supported - use exact username

service

string

Show Service Name Filter Details

Filter tickets by service name componentCommon Services:

krbtgt - Ticket Granting Tickets (TGTs)
cifs - File sharing services
http - Web services
ldap - Directory services
mssqlsvc - SQL Server services
host - Host-based services

Matching: Partial string matching supported

server

string

Show Server Name Filter Details

Filter tickets by target server nameExamples:

dc01.corp.local - Domain controller tickets
fileserver.corp.local - File server tickets
sql01 - Database server tickets

FQDN Support: Both short and fully qualified names

Show Output Formatting

nowrap

boolean

Show Base64 Output Formatting

Controls base64 encoding output formatDefault Behavior: Base64 output wrapped at 76 characters With /nowrap: Single-line base64 outputBenefits of /nowrap:

Easier copy/paste operations
Direct injection compatibility
Simplified scripting integration

Trade-offs: Less readable in terminal output

Basic Operations
Targeted Extraction
Server Targeting
Session Management

# Dump all tickets for current user
Rubeus.exe dump

# System-wide extraction (elevated)
Rubeus.exe dump

# Unwrapped output for injection
Rubeus.exe dump /nowrap

Standard User
Elevated Context
SYSTEM Context

Available Operations

Extract current user tickets
Access current LUID only
View authenticated services
Export for analysis

Limitations

No other user sessions
No cross-LUID access
No system tickets
Limited session scope

Typical Extraction Scope:

User’s TGT (krbtgt ticket)
Service tickets for accessed resources
Cached authentication tickets
Current session credentials only

Use Cases:

Personal credential analysis
Current session assessment
Individual ticket extraction
Basic reconnaissance

Ticket Granting Tickets
Service Tickets
Special Tickets

TGT Characteristics

Service Pattern: krbtgt/DOMAIN.COMProperties:

Domain authentication proof
Service ticket request capability
Renewable based on policy
Session-specific encryption

Attack Value

Capabilities:

Request any domain service
Enable lateral movement
Support golden ticket creation
Facilitate pass-the-ticket

Hide TGT Analysis Details

Encryption Information:

AES256/AES128 in modern environments
RC4 in legacy or downgraded scenarios
Key derived from user password/hash

Validity Periods:

Default: 10 hours (configurable)
Renewable: Up to 7 days (default)
Maximum lifetime: Domain policy dependent

Usage Patterns:

One TGT per authentication session
Automatically renewed by Windows
Cached until session termination

Output Structure
Ticket Metadata
Sample Output
Flag Analysis

Action Header

string

Indicates the operation being performedExamples:

[*] Action: Dump Kerberos tickets (Current User)
[*] Action: Dump Kerberos tickets (All Users)
[*] Action: Dump Kerberos tickets (LUID: 0x12345)

Current LUID

hex

Current process logon session identifierFormat: [*] Current LUID : 0x[hexvalue]Common Values:

0x3e7 - SYSTEM session
0x3e4 - NETWORK SERVICE
0x3e5 - LOCAL SERVICE

Session Information

object

Authentication Details:

UserName - Account name (user, computer, service)
Domain - Authentication domain
LogonId - Session identifier (matches LUID)
UserSID - Security identifier
AuthenticationPackage - Kerberos, NTLM, etc.
LogonType - Interactive, Service, Network, etc.
LogonTime - Session establishment time
LogonServer - Authenticating domain controller
LogonServerDNSDomain - Domain FQDN
UserPrincipalName - UPN if available

Encryption Analysis

Modern Encryption
Legacy Encryption

AES256

Type: 0x12 - AES256-CTS-HMAC-SHA1-96Characteristics:

Strongest available encryption
Default in modern domains
FIPS 140-2 compliant
Preferred for security

AES128

Type: 0x11 - AES128-CTS-HMAC-SHA1-96Characteristics:

Strong encryption standard
Widely supported
Good performance balance
Acceptable for most environments

Timing Analysis

Validity Period Assessment:

Compare start/end times for anomalies
Check for unusually long durations
Identify renewable vs. non-renewable tickets
Look for post-dated or future tickets

Renewal Patterns:

Standard TGT: 10 hours validity, 7 days renewable
Service tickets: 10 hours validity, not renewable
Anomalous patterns may indicate attacks

Principal Analysis

Service Principal Patterns:

krbtgt/* - Ticket Granting Tickets
cifs/* - File sharing access
host/* - General host services
http/* - Web service access
Custom SPNs for specialized services

Client Principal Assessment:

User accounts: username@DOMAIN
Machine accounts: COMPUTER$@DOMAIN
Service accounts: service@DOMAIN

Flag Interpretation

Hide Flag Analysis Matrix

Flag Value	Type	Delegation	Renewable	Forwardable	Risk Level
40a10000	Standard	No	Yes	Yes	Low
40e10000	Elevated	No	Yes	Yes	Medium
50a10000	Delegation	Yes	Yes	Yes	High
60a10000	Privileged	Advanced	Yes	Yes	Critical

Pass-the-Ticket
Intelligence Gathering
Persistence & Evasion

TGT Extraction & Reuse

# Extract all TGTs with clean output
Rubeus.exe dump /service:krbtgt /nowrap

# Extract from specific user session
Rubeus.exe dump /user:administrator /service:krbtgt /nowrap

# Extract from elevated session
Rubeus.exe dump /luid:0x12345 /service:krbtgt /nowrap

Service Ticket Reuse

# Extract specific service tickets
Rubeus.exe dump /service:cifs /server:fileserver.corp.local /nowrap
Rubeus.exe dump /service:http /server:web01.corp.local /nowrap
Rubeus.exe dump /service:ldap /server:dc01.corp.local /nowrap

Cross-Session Operations

Combine dump with session management for advanced scenarios

# Create new session context
Rubeus.exe createnetonly /program:cmd.exe

# Extract tickets from source session
Rubeus.exe dump /luid:0x[source] /nowrap

# Inject into new session
Rubeus.exe ptt /ticket:[BASE64] /luid:0x[target]

Detection Vectors
Evasion Strategies
Defensive Countermeasures

Rubeus dump operations can trigger multiple detection mechanisms

Hide API-Level Detection

Critical API Calls:

LsaCallAuthenticationPackage() - Primary ticket access
LsaEnumerateLogonSessions() - Session enumeration
LsaGetLogonSessionData() - Session information
OpenProcess() - Process access for elevation

Detection Signatures:

Non-LSASS processes calling LSA functions
Rapid sequence of authentication package calls
Cross-session ticket access patterns
Elevated privilege escalation attempts

Show Behavioral Analysis

Suspicious Patterns:

Bulk ticket extraction from multiple sessions
Enumeration of all logon sessions
Access to tickets outside normal scope
Extraction during off-hours or maintenance

Process Monitoring:

Parent-child process relationships
Command-line argument analysis
Network activity correlation
File system interaction patterns

Show Host-Based Indicators

System-Level Detection:

Memory access to LSA structures
Registry access patterns
Event log generation patterns
Anti-malware behavioral detection

Windows Event Logs:

Security log entries for logon sessions
Audit policy dependent events
Authentication package usage
Privilege use auditing

Access Issues
Data Issues
Output Issues

Privilege Problems

Symptoms:

“Access Denied” errors
Empty output despite tickets existing
LUID enumeration failures

Diagnosis:

# Check current privileges
whoami /priv

# Test with current user context
Rubeus.exe dump

# Verify LUID accessibility
Rubeus.exe logonsession

Solutions:

Run from elevated context
Use appropriate user session
Check process integrity level
Verify SeDebugPrivilege

Anti-Malware Interference

Common Indicators:

Process termination
API call blocking
Memory access failures
Behavioral detection alerts

Mitigation Approaches:

Use process exclusions
Implement custom obfuscation
Modify compilation parameters
Use alternative execution methods

Reconnaissance Phase

Initial Assessment:

# Quick ticket overview
Rubeus.exe triage

# Session enumeration
Rubeus.exe logonsession

# Current user tickets
Rubeus.exe klist

Target Identification:

Identify high-value sessions
Locate administrative accounts
Map available services
Assess delegation opportunities

Targeted Extraction

Strategic Harvesting:

# Extract valuable TGTs
Rubeus.exe dump /service:krbtgt /nowrap

# Service-specific extraction
Rubeus.exe dump /service:cifs /nowrap

# User-targeted operations
Rubeus.exe dump /user:administrator /nowrap

Documentation:

Record extraction timestamps
Note ticket validity periods
Document source sessions
Track service relationships

Analysis & Validation

Ticket Assessment:

# Detailed ticket analysis
Rubeus.exe describe /ticket:[base64]

# Encryption validation
# Flag interpretation
# Principal verification

Quality Control:

Verify ticket integrity
Check expiration times
Validate service principals
Assess encryption strength

Utilization & Testing

Ticket Injection:

# Inject extracted tickets
Rubeus.exe ptt /ticket:[base64]

# Verify injection success
Rubeus.exe klist

# Test access capabilities
dir \\target.domain.com\share

Operational Testing:

Validate service access
Test lateral movement
Confirm privilege levels
Document successful paths

Quick Enumeration

triage - Fast ticket overview and session mapping

Detailed Listing

klist - Comprehensive current ticket analysis

Ticket Analysis

describe - Deep ticket structure examination

Ticket Injection

ptt - Pass extracted tickets to sessions

Real-time Monitoring

monitor - Continuous ticket capture

Automated Collection

harvest - Systematic ticket harvesting

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Memory Extraction

Multi-Session Support

Flexible Filtering

Export Ready

Overview

Parameters

Available Operations

Limitations

TGT Characteristics

Attack Value

AES256

AES128

Quick Enumeration

Detailed Listing

Ticket Analysis

Ticket Injection

Real-time Monitoring

Automated Collection

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Memory Extraction

Multi-Session Support

Flexible Filtering

Export Ready

​Overview

​Parameters

Available Operations

Limitations

TGT Characteristics

Attack Value

AES256

AES128

Quick Enumeration

Detailed Listing

Ticket Analysis

Ticket Injection

Real-time Monitoring

Automated Collection

Overview

Parameters