Skip to main content

Overview

Renew existing Kerberos tickets to extend their validity period. This command allows you to refresh TGTs before they expire, maintaining persistent access without re-authentication.

Syntax

Rubeus.exe renew /ticket:TICKET [options]

Required Parameters

ticket
string
required
Base64-encoded ticket data or path to .kirbi file to renew

Optional Parameters

dc
string
Domain controller to contact for renewal
outfile
string
Save renewed ticket to file
ptt
boolean
Pass-the-ticket (inject renewed ticket)
autorenew
boolean
Automatically renew ticket until renew-till limit
nowrap
boolean
Don’t wrap base64 output

Examples

# Renew a TGT
Rubeus.exe renew /ticket:doIFuj... /ptt

# Renew from file and save
Rubeus.exe renew /ticket:C:\temp\ticket.kirbi /outfile:renewed.kirbi

# Renew without wrapping output
Rubeus.exe renew /ticket:ticket.kirbi /nowrap

Renewal Requirements

Renewable Flag:
  • Ticket must have the renewable flag set
  • Original ticket request must specify renewable option
  • Not all tickets are renewable by default
Validity Period:
  • Tickets can only be renewed within their renew-till time
  • Default domain policy: 7 days renewable period
  • Cannot renew expired tickets

Use Cases

Long-term Access:
  • Maintain access without re-authentication
  • Extend ticket lifetime for persistent operations
  • Avoid credential re-exposure
Operational Continuity:
  • Keep tickets valid during long engagements
  • Maintain session state across operations
  • Reduce authentication frequency
  • asktgt - Request renewable TGTs
  • ptt - Inject renewed tickets
  • describe - Check ticket renewable status