Skip to main content

Overview

Generate password hashes for various Kerberos encryption types from plaintext passwords. This utility command helps create the appropriate hash formats needed for other Rubeus operations.

Syntax

Rubeus.exe hash /password:PASSWORD [options]

Required Parameters

password
string
required
Plaintext password to hash

Optional Parameters

user
string
Username for salt generation (required for AES)
domain
string
Domain for salt generation (required for AES)

Examples

# Generate NTLM hash only
Rubeus.exe hash /password:Password123!

# Generate all hash types with user context
Rubeus.exe hash /password:MySecretPass /user:admin /domain:corp.local

# Service account hash generation
Rubeus.exe hash /password:ServicePass123 /user:svc_sql /domain:corp.local

Hash Types Generated

RC4/NTLM Hash:
  • Standard NTLM hash (MD4)
  • Most widely compatible
  • Default encryption for many environments
  • Used in RC4-HMAC Kerberos encryption
AES128-CTS-HMAC-SHA1-96:
  • Requires username and domain for salt
  • Stronger encryption than RC4
  • PBKDF2 with 4096 iterations
  • Modern Kerberos environments
AES256-CTS-HMAC-SHA1-96:
  • Highest security encryption type
  • Requires username and domain for salt
  • PBKDF2 with 4096 iterations
  • Preferred for high-security environments

Salt Generation

Salt Composition:
  • Domain name (uppercase) + username (as-typed)
  • Example: CORP.LOCALadmin
  • Case-sensitive for username portion
  • Required for AES hash generation
Examples:
# User: admin, Domain: corp.local
# Salt: CORP.LOCALadmin

# User: svc_sql, Domain: corp.local  
# Salt: CORP.LOCALsvc_sql

# User: TestUser, Domain: dev.corp.local
# Salt: DEV.CORP.LOCALTestUser

Use Cases

Attack Preparation:
  • Generate hashes for pass-the-hash attacks
  • Prepare credentials for ticket requests
  • Create hashes for golden/silver tickets
  • Support various authentication methods
Format Conversion:
  • Convert plaintext to required hash formats
  • Support different Kerberos encryption types
  • Prepare credentials for specific targets
  • Enable cross-environment compatibility

Integration Workflows

Complete Workflow:
# 1. Generate hashes from known password
Rubeus.exe hash /password:CompromisedPass123 /user:admin /domain:corp.local

# 2. Use generated RC4 hash for TGT request
Rubeus.exe asktgt /user:admin /rc4:generated_ntlm_hash

# 3. Use AES256 hash for stronger encryption
Rubeus.exe asktgt /user:admin /aes256:generated_aes256_hash
Multi-Format Operations:
# 1. Generate all hash types
Rubeus.exe hash /password:KnownPassword /user:serviceaccount /domain:corp.local

# 2. Use appropriate hash for target environment
# RC4 for legacy systems
Rubeus.exe golden /user:admin /domain:corp.local /sid:domain_sid /rc4:ntlm_hash

# AES256 for modern systems
Rubeus.exe golden /user:admin /domain:corp.local /sid:domain_sid /aes256:aes256_hash

Output Format

Example Output:
Rubeus.exe hash /password:Password123! /user:admin /domain:corp.local

[*] Action: Calculate Password Hash(es)

[*] Input password             : Password123!
[*] Input username             : admin
[*] Input domain               : corp.local
[*] Salt                       : CORP.LOCALadmin

[*]       rc4_hmac             : 32ed87bdb5fdc5e9cba88547376818d4
[*]       aes128_cts_hmac_sha1 : 5c8b89bde81d5216dfc4825ac6e63f84
[*]       aes256_cts_hmac_sha1 : 7b3e0c8f2a1d6e9c4b7a3f8e1c9d5a2b4e7c0f1a8d3b6e9c2f5a8b1d4e7c0a3

Security Considerations

Encryption Strength:
  • RC4: Weakest, widely supported
  • AES128: Good security, moderate compatibility
  • AES256: Strongest security, modern systems
Salt Importance:
  • AES hashes include user-specific salt
  • Prevents rainbow table attacks
  • Increases cracking difficulty
  • Domain and username case sensitivity matters
  • asktgt - Use generated hashes for authentication
  • golden - Use hashes for ticket forgery
  • silver - Use service account hashes
  • changepw - Change passwords to generate new hashes