       ______        _
      (_____ \      | |
       _____) )_   _| |__  _____ _   _  ___
      |  __  /| | | |  _ \| ___ | | | |/___)
      | |  \ \| |_| | |_) ) ____| |_| |___ |
      |_|   |_|____/|____/|_____)____/(___/

      v2.3.3 - Kerberos Interaction Toolkit

What is Rubeus?

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It provides comprehensive functionality for Kerberos ticket manipulation, credential extraction, and advanced attack techniques against Active Directory environments.
Rubeus is heavily adapted from Benjamin Delpy’s Kekeo project and Vincent LE TOUX’s MakeMeEnterpriseAdmin project, with significant contributions from Charlie Clark, Ceri Coburn, and Elad Shamir.

Kerberos Authentication Flow & Rubeus Commands

The flow diagram shown on this page (not reproduced in this text) walks through the Kerberos exchange (AS-REQ/AS-REP to obtain a TGT, then TGS-REQ/TGS-REP to obtain service tickets) and marks where each Rubeus command interacts with it.

Command Categories Mapped to Kerberos Flow

  • Phase 1: Initial Auth (AS exchange)
  • Phase 2: Service Tickets (TGS exchange)
  • Ticket Management
  • Advanced Attacks
TGT Acquisition Commands (Phase 1):
  • asktgt - Request a TGT using a password, NTLM hash, AES key, or PKINIT certificate
  • brute - Kerberos-based password brute-force and spray attacks
  • preauthscan - Find accounts that do not require pre-authentication
  • asreproast - Request AS-REPs for accounts without pre-authentication and extract crackable hashes
  • renew - Renew a TGT to extend its validity

Key Capabilities

Ticket Operations

Request, renew, and manipulate Kerberos tickets

Credential Extraction

Extract tickets from logon sessions through the LSA ticket-cache APIs and harvest new TGTs as they appear

Attack Techniques

Implement advanced Kerberos attacks and abuses

Ticket Forgery

Create golden, silver, and diamond tickets

Command Categories

Ticket Requests and Renewals

  • asktgt - Request Ticket Granting Tickets
  • asktgs - Request service tickets
  • renew - Renew existing tickets
  • brute - Kerberos-based password brute-force
  • preauthscan - Scan for accounts without pre-authentication

Advanced Attack Techniques

  • s4u - S4U constrained delegation abuse
  • golden - Golden ticket attacks
  • silver - Silver ticket attacks
  • diamond - Diamond ticket attacks

Ticket Management

  • ptt - Pass-the-ticket: import a ticket into the current logon session
  • purge - Purge tickets from the current logon session
  • describe - Decode and display a ticket's contents
  • triage - List tickets across logon sessions in a table (all sessions when elevated)
  • klist - List current tickets (all sessions when elevated)
  • dump - Extract raw tickets (all logon sessions when elevated)
  • monitor - Watch for new logon events and extract the new TGTs
  • harvest - Continuously harvest TGTs and renew them before they expire

Attack Methodology

  1. Reconnaissance - Use preauthscan to identify accounts without pre-authentication requirements
  2. Credential Attacks - Perform kerberoast or asreproast to extract crackable hashes
  3. Ticket Acquisition - Use asktgt with compromised credentials to obtain valid tickets
  4. Lateral Movement - Leverage s4u delegation abuse or ptt for lateral movement
  5. Persistence - Create golden or silver tickets for persistent access

Operational Security Considerations

Rubeus operations can be detected through various means including network monitoring, host-based detection, and domain controller logging.
Host-Based Detection:
  • Kerberos traffic (TCP/UDP 88) issued by a process other than lsass.exe
  • Use of sensitive APIs such as LsaCallAuthenticationPackage() (used by triage, dump, monitor, harvest, ptt, and purge)
  • Abnormal ticket encryption types (e.g., RC4 tickets in an AES-only environment)
Network Detection:
  • Raw Kerberos port 88 traffic from unexpected sources or at unusual volume
  • Encryption downgrade indicators (RC4 requested by a host whose other tickets are AES)
  • Unusual authentication request patterns (e.g., many TGS-REQs for distinct SPNs in a short window)
Domain Controller Logs:
  • RC4_HMAC (encryption type 0x17) in events 4768/4769 in modern environments
  • Abnormal ticket request patterns
  • Authentication anomalies (e.g., TGT requests without pre-authentication)
Minimize Detection:
  • Request AES tickets where possible (e.g., /enctype:aes256) and use the /opsec flag on asktgt so the AS exchange resembles a normal Windows client
  • Add appropriate delays between operations
  • Blend with normal authentication patterns
Weaponization Considerations:
  • Avoid running from disk when possible
  • Consider in-memory execution methods (e.g., loading the assembly reflectively)
  • Be aware of AMSI and PowerShell protections when the assembly is loaded through PowerShell
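The detection points above, turned into hunting logic as an added example (not part of the Rubeus project). The records are constructed for illustration, with field names simplified from the real Security 4768/4769 and Sysmon Event ID 3 XML; the hosts, accounts and addresses are made up.

```powershell
# Added example, not the project's own code. All sample records below are constructed.

# TicketEncryptionType values as logged in 4768/4769.
$AesTypes = 0x11, 0x12      # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
$Rc4Types = 0x17, 0x18      # RC4-HMAC, RC4-HMAC-EXP

# Constructed DC Security-log records: 4768 = TGT request, 4769 = service ticket request.
# PreAuthType is only present on 4768 (0 = no pre-auth, 2 = PA-ENC-TIMESTAMP).
$dcEvents = @(
    [pscustomobject]@{ Time='09:00:01'; Id=4768; Account='jsmith';     Service='krbtgt';             EncType=0x12; PreAuthType=2;     Client='10.0.1.25' }
    [pscustomobject]@{ Time='09:00:05'; Id=4769; Account='jsmith';     Service='cifs/fs01';          EncType=0x12; PreAuthType=$null; Client='10.0.1.25' }
    [pscustomobject]@{ Time='09:10:00'; Id=4768; Account='svc_backup'; Service='krbtgt';             EncType=0x17; PreAuthType=0;     Client='10.0.1.40' }
    [pscustomobject]@{ Time='09:12:01'; Id=4769; Account='jsmith';     Service='MSSQLSvc/db01:1433'; EncType=0x17; PreAuthType=$null; Client='10.0.1.40' }
    [pscustomobject]@{ Time='09:12:02'; Id=4769; Account='jsmith';     Service='HTTP/web01';         EncType=0x17; PreAuthType=$null; Client='10.0.1.40' }
    [pscustomobject]@{ Time='09:12:03'; Id=4769; Account='jsmith';     Service='ldap/dc01';          EncType=0x17; PreAuthType=$null; Client='10.0.1.40' }
)

# Constructed Sysmon Event ID 3 (network connection) records from the workstation 10.0.1.40.
$netEvents = @(
    [pscustomobject]@{ Time='09:00:01'; Image='C:\Windows\System32\lsass.exe';     DestPort=88; Dest='10.0.0.10' }
    [pscustomobject]@{ Time='09:12:01'; Image='C:\Users\jsmith\Downloads\svc.exe'; DestPort=88; Dest='10.0.0.10' }
)

function Find-AsRepRoastCandidates {
    # A 4768 with PreAuthType 0 is exactly what asreproast depends on: the KDC returned an
    # AS-REP (and thus crackable material) without the client proving knowledge of the key.
    param([object[]]$Events)
    $Events | Where-Object { $_.Id -eq 4768 -and $_.PreAuthType -eq 0 }
}

function Find-EncryptionDowngrades {
    # RC4 tickets issued to a client that also holds AES tickets. kerberoast requests RC4 by
    # default, so an AES-capable host suddenly asking for RC4 service tickets is a downgrade.
    param([object[]]$Events)
    $aesClients = $Events | Where-Object { $_.EncType -in $AesTypes } | ForEach-Object { $_.Client } | Sort-Object -Unique
    $Events | Where-Object { $_.Id -eq 4769 -and $_.EncType -in $Rc4Types -and $_.Client -in $aesClients }
}

function Find-KerberoastBursts {
    # Many distinct SPNs requested by one client in a short span: the shape of a bulk
    # kerberoast run rather than a user opening one share or one web app.
    param([object[]]$Events, [int]$Threshold = 3)
    $Events | Where-Object { $_.Id -eq 4769 } | Group-Object Client | ForEach-Object {
        $spns = @($_.Group | ForEach-Object { $_.Service } | Sort-Object -Unique)
        if ($spns.Count -ge $Threshold) {
            [pscustomobject]@{ Client = $_.Name; DistinctSpns = $spns.Count; Services = ($spns -join ', ') }
        }
    }
}

function Find-NonLsassKerberos {
    # Only lsass.exe should talk to the KDC on port 88; Rubeus sends its raw AS-REQ/TGS-REQ
    # traffic from its own process (or from whatever process it was loaded into).
    param([object[]]$Events)
    $Events | Where-Object { $_.DestPort -eq 88 -and (Split-Path $_.Image -Leaf) -ne 'lsass.exe' }
}

# Run the hunts over the constructed data. With the sample records, each hunt returns the
# svc_backup AS-REP request, the three RC4 tickets from 10.0.1.40, the burst from 10.0.1.40,
# and the svc.exe connection respectively.
Find-AsRepRoastCandidates $dcEvents | Format-Table Time, Account, EncType, Client
Find-EncryptionDowngrades $dcEvents | Format-Table Time, Account, Service, Client
Find-KerberoastBursts     $dcEvents | Format-Table
Find-NonLsassKerberos     $netEvents | Format-Table Time, Image, Dest
```

Against real data, replace the constructed arrays with `Get-WinEvent` queries over the Security log (IDs 4768/4769) and the Sysmon operational log (ID 3), and tune the burst threshold to the environment; the downgrade hunt only fires where the client has been seen with AES tickets, so it stays quiet for legacy hosts that legitimately still use RC4.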

Technical Background

Rubeus implements the Kerberos protocol directly, building and parsing AS-REQ/AS-REP and TGS-REQ/TGS-REP messages itself, allowing for:
  • Direct manipulation of authentication flows
  • Operation outside the Windows Kerberos SSP and LSASS, so requests are not limited to what the OS exposes
  • Implementation of attack techniques not possible through standard APIs
It uses custom ASN.1 parsing and encoding for:
  • Ticket structure manipulation
  • Custom PAC construction
  • Advanced ticket forgery capabilities (golden, silver, and diamond tickets)

Prerequisites

  • .NET Framework 3.5+ or .NET Core
  • Active Directory environment
  • Domain connectivity for most operations
Privilege levels:
  • Standard User: Basic ticket operations, roasting attacks
  • Elevated User: Ticket extraction from other logon sessions, memory operations
  • SYSTEM: Full ticket harvesting capabilities

Common Use Cases

Red Team Operations

Credential harvesting, lateral movement, and persistence establishment

Penetration Testing

Kerberos security assessment and vulnerability validation

Security Research

Kerberos protocol analysis and attack technique development

Incident Response

Understanding and analyzing Kerberos-based attacks
