Overview

Convert AS-REP (Authentication Service reply) responses to .kirbi ticket format. This utility command processes AS-REP data extracted from network captures or other sources into usable Kerberos ticket files.

Syntax

Rubeus.exe asrep2kirbi /asrep:ASREP_DATA [options]

Required Parameters

asrep (string, required): Base64-encoded AS-REP response data

Optional Parameters

outfile (string): Save converted ticket to file
ptt (boolean): Pass-the-ticket (inject converted ticket)

Examples

# Convert AS-REP to kirbi format
Rubeus.exe asrep2kirbi /asrep:base64_asrep_data

# Convert and save to file
Rubeus.exe asrep2kirbi /asrep:asrep_data /outfile:converted.kirbi

# Convert and inject immediately
Rubeus.exe asrep2kirbi /asrep:asrep_data /ptt

AS-REP Data Sources

Network Captures:
  • Wireshark/tcpdump packet captures
  • AS-REP responses from KDC communications
  • Extracted from authentication exchanges
  • Base64-encoded packet data
Memory Dumps:
  • Process memory containing AS-REP responses
  • Cached authentication data
  • LSA memory structures
  • Application memory buffers
Log Analysis:
  • Authentication logs with embedded data
  • Debug logs from Kerberos implementations
  • Application logs with authentication details
  • Security event log analysis

Use Cases

Data Conversion:
  • Convert captured AS-REP data to usable tickets
  • Process authentication data from various sources
  • Create .kirbi files from raw Kerberos data
  • Enable ticket analysis and manipulation
Forensic Analysis:
  • Analyze captured authentication exchanges
  • Reconstruct ticket data from fragments
  • Process historical authentication data
  • Support incident response activities

Integration Workflows

Complete Workflow:
# 1. Capture AS-REP from network traffic
# Use Wireshark, tcpdump, or other packet capture tools

# 2. Extract AS-REP data as base64
# Process packet capture to extract AS-REP portion

# 3. Convert to .kirbi format
Rubeus.exe asrep2kirbi /asrep:captured_asrep_data /outfile:recovered.kirbi

# 4. Use recovered ticket
Rubeus.exe ptt /ticket:recovered.kirbi

Memory-Based Recovery:
# 1. Extract AS-REP data from memory dumps
# Use memory analysis tools to locate AS-REP structures

# 2. Convert extracted data
Rubeus.exe asrep2kirbi /asrep:memory_extracted_data /outfile:converted.kirbi

# 3. Analyze converted ticket
Rubeus.exe describe /ticket:converted.kirbi

Technical Considerations

Response Components:
  • KDC certificate information
  • Encrypted TGT data
  • Session key information
  • Client and server principal names
  • Ticket validity periods
Conversion Process:
  • Parse AS-REP ASN.1 structure
  • Extract TGT components
  • Reconstruct .kirbi format
  • Maintain ticket integrity

Data Validation

Verification Steps:
  • Validate AS-REP structure integrity
  • Check encryption and encoding
  • Verify ticket component completeness
  • Test converted ticket functionality
Error Handling:
  • Malformed AS-REP data
  • Incomplete packet captures
  • Encoding issues
  • Structural corruption
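
The structure check listed under Verification Steps, as an added example in Python (not part of Rubeus or of the original page): it confirms that a base64 blob carries the RFC 4120 AS-REP framing and reports the failure modes listed under Error Handling. The helper names (read_tlv, validate_asrep, der) and the sample realm and principal are assumptions made for illustration.

```python
import base64

# Mandatory KDC-REP fields (RFC 4120) by context tag, and leading bytes three of them must carry.
REQUIRED = {0: "pvno", 1: "msg-type", 3: "crealm", 4: "cname", 5: "ticket", 6: "enc-part"}
EXPECT = {0xA0: (b"\x02\x01\x05", "pvno is not 5"), 0xA1: (b"\x02\x01\x0b", "msg-type is not 11"),
          0xA5: (b"\x61", "ticket field does not hold a Ticket")}

def read_tlv(buf, pos=0):
    """Read one DER element; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data (incomplete capture?)")
    return tag, buf[pos:pos + length], pos + length

def validate_asrep(b64):
    """Return a list of structural problems; an empty list means the framing is sound."""
    try:
        raw = base64.b64decode(b64, validate=True)
        tag, body, end = read_tlv(raw)
        seq_tag, seq, _ = read_tlv(body)
        if tag != 0x6B or seq_tag != 0x30:  # [APPLICATION 11] wrapping a SEQUENCE
            return [f"not an AS-REP: outer tag 0x{tag:02x}, inner tag 0x{seq_tag:02x}"]
        fields, pos = {}, 0
        while pos < len(seq):
            ftag, value, pos = read_tlv(seq, pos)
            fields[ftag] = value
    except ValueError as exc:  # binascii.Error (bad base64) is a ValueError subclass
        return [str(exc)]
    problems = [f"missing {name}" for n, name in REQUIRED.items() if 0xA0 | n not in fields]
    problems += [m for c, (lead, m) in EXPECT.items() if c in fields and not fields[c].startswith(lead)]
    if end != len(raw):
        problems.append("trailing bytes after AS-REP")
    return problems

def der(tag, *parts):  # short-form DER encoder (< 128-byte bodies), only for the sample
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed sample: valid framing, placeholder ticket and ciphertext, no real key material.
SAMPLE = base64.b64encode(der(0x6B, der(0x30,
    der(0xA0, b"\x02\x01\x05"), der(0xA1, b"\x02\x01\x0b"), der(0xA3, der(0x1B, b"EXAMPLE.TEST")),
    der(0xA4, der(0x30, der(0xA0, b"\x02\x01\x01"), der(0xA1, der(0x30, der(0x1B, b"alice"))))),
    der(0xA5, der(0x61, der(0x30))),
    der(0xA6, der(0x30, der(0xA0, b"\x02\x01\x12"), der(0xA2, der(0x04, b"\xde\xad\xbe\xef"))))))).decode()
```

An empty list from validate_asrep(SAMPLE) only means the framing is sound; the check does not decrypt enc-part or verify that the ticket is usable.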

Related Commands

  • asreproast - Generate AS-REP data for conversion
  • describe - Analyze converted tickets
  • ptt - Use converted tickets
  • kirbi - Alternative ticket format operations