Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.specterops.io/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Renew existing Kerberos tickets to extend their validity period. This command allows you to refresh TGTs before they expire, maintaining persistent access without re-authentication.

Syntax

Rubeus.exe renew /ticket:TICKET [options]

Required Parameters

ticket
string
required
Base64-encoded ticket data or path to .kirbi file to renew

Optional Parameters

dc
string
Domain controller to contact for renewal
outfile
string
Save renewed ticket to file
ptt
boolean
Pass-the-ticket (inject renewed ticket)
autorenew
boolean
Automatically renew ticket until renew-till limit
nowrap
boolean
Don’t wrap base64 output

Examples

# Renew a TGT
Rubeus.exe renew /ticket:doIFuj... /ptt

# Renew from file and save
Rubeus.exe renew /ticket:C:\temp\ticket.kirbi /outfile:renewed.kirbi

# Renew without wrapping output
Rubeus.exe renew /ticket:ticket.kirbi /nowrap

Renewal Requirements

Renewable Flag:
  • Ticket must have the renewable flag set
  • Original ticket request must specify renewable option
  • Not all tickets are renewable by default
Validity Period:
  • Tickets can only be renewed within their renew-till time
  • Default domain policy: 7 days renewable period
  • Cannot renew expired tickets

Use Cases

Long-term Access:
  • Maintain access without re-authentication
  • Extend ticket lifetime for persistent operations
  • Avoid credential re-exposure
Operational Continuity:
  • Keep tickets valid during long engagements
  • Maintain session state across operations
  • Reduce authentication frequency
  • asktgt - Request renewable TGTs
  • ptt - Inject renewed tickets
  • describe - Check ticket renewable status