Rubeus v1.4.2 releases: C# toolset for raw Kerberos interaction and abuses

Rubeus

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization; without their prior work, this project would not exist.

Rubeus also uses a C# ASN.1 parsing/encoding library from Thomas Pornin named DDer that was released with an “MIT-like” license. Huge thanks to Thomas for his clean and stable code!

The KerberosRequestorSecurityToken.GetRequest method for Kerberoasting was contributed to PowerView by @machosec.

Changelog

[1.4.2] – 2019-03-01

Added

  • tgssub action
    • Substitutes in alternate sname (cifs) or SPN (ldap/computer.domain.com) into an existing service ticket

Usage

Rubeus

Retrieve a TGT based on a user hash, optionally applying to the current logon session or a specific LUID:

Rubeus.exe asktgt /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ptt] [/luid]

Retrieve a TGT based on a user hash, start a /netonly process, and apply the ticket to the new process/logon session:

Rubeus.exe asktgt /user:USER </rc4:HASH | /aes256:HASH> /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER]

Renew a TGT, optionally applying the ticket or auto-renewing the ticket up to its renew-till limit:

Rubeus.exe renew </ticket:BASE64 | /ticket:FILE.KIRBI> [/dc:DOMAIN_CONTROLLER] [/ptt] [/autorenew]

Reset a user’s password from a supplied TGT (AoratoPw):

Rubeus.exe changepw </ticket:BASE64 | /ticket:FILE.KIRBI> /new:PASSWORD [/dc:DOMAIN_CONTROLLER]

Retrieve a service ticket for one or more SPNs, optionally applying the ticket:

Rubeus.exe asktgs </ticket:BASE64 | /ticket:FILE.KIRBI> </service:SPN1,SPN2,...> [/dc:DOMAIN_CONTROLLER] [/ptt]

Perform S4U constrained delegation abuse:

Rubeus.exe s4u </ticket:BASE64 | /ticket:FILE.KIRBI> /impersonateuser:USER /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/ptt]
Rubeus.exe s4u /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] /impersonateuser:USER /msdsspn:SERVICE/SERVER [/altservice:cifs,HOST,...] [/dc:DOMAIN_CONTROLLER] [/ptt]

Submit a TGT, optionally targeting a specific LUID (if elevated):

Rubeus.exe ptt </ticket:BASE64 | /ticket:FILE.KIRBI> [/luid:LOGINID]

Purge tickets from the current logon session, optionally targeting a specific LUID (if elevated):

Rubeus.exe purge [/luid:LOGINID]

Parse and describe a ticket (service ticket or TGT):

Rubeus.exe describe </ticket:BASE64 | /ticket:FILE.KIRBI>

Create a hidden program (unless /show is passed) with random /netonly credentials, displaying the PID and LUID:

Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" [/show]

Perform Kerberoasting:

Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/ou:"OU,..."]

Perform Kerberoasting with alternate credentials:

Rubeus.exe kerberoast /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD [/spn:"blah/blah"] [/user:USER] [/ou:"OU,..."]

Perform AS-REP “roasting” for users without preauth:

Rubeus.exe asreproast /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER]

Dump all current ticket data (if elevated, dump for all users), optionally targeting a specific service/LUID:

Rubeus.exe dump [/service:SERVICE] [/luid:LOGINID]

Retrieve a usable TGT .kirbi for the current user (w/ session key) without elevation by abusing the Kerberos GSS-API, faking delegation:

Rubeus.exe tgtdeleg [/target:SPN]

Monitor every SECONDS (default 60 seconds) for 4624 logon events and dump any TGT data for new logon sessions:

Rubeus.exe monitor [/interval:SECONDS] [/filteruser:USER]

Monitor every MINUTES (default 60 minutes) for 4624 logon events, dump any new TGT data, and auto-renew TGTs that are about to expire:

Rubeus.exe harvest [/interval:MINUTES]

Copyright (c) 2018, Will Schroeder
All rights reserved.