The asktgs command exchanges an existing Ticket Granting Ticket (TGT) for one or more service tickets by sending a TGS-REQ to the domain controller. You can supply the TGT as a base64-encoded blob or a .kirbi file path. The command supports requesting multiple SPNs in a single invocation, User-to-User (U2U) authentication, Kerberos Key List Requests against read-only domain controllers, delegated Managed Service Account (dMSA) tickets, and cross-realm requests via /targetdomain.
Flag Reference
The TGT to use for the TGS-REQ, supplied as either a base64-encoded .kirbi blob or a file path to a .kirbi file. This is the credential that will be presented to the KDC in exchange for service tickets.

One or more SPNs to request service tickets for, comma-separated. Required unless /u2u is set. Examples: cifs/fileserver.corp.local, http/web.corp.local, ldap/dc01.corp.local.

Encryption type to request for the service ticket. Also accepts NTLM as an alias for RC4 and AES as an alias for AES256. When omitted, Rubeus lets the KDC select the encryption type based on the service account’s supported types.

Hostname or IP address of a specific domain controller to send the TGS-REQ to. Useful for cross-domain scenarios or when you need to target a particular site’s DC.

Path to write the retrieved service ticket(s) as .kirbi file(s). If omitted, tickets are printed as base64 blobs to stdout.

Pass the retrieved service ticket directly into the current logon session using LsaCallAuthenticationPackage. No file is written.

Suppress line-wrapping of base64 ticket blobs in console output. Useful when piping output to another tool.

Use enterprise principal name format (UPN-style, e.g. user@domain.com) for the SPN in the TGS-REQ. Required when targeting services by UPN rather than classic sname/host format.

Request the service ticket in a way that avoids known detection indicators. In opsec mode, Rubeus restricts to AES encryption and adjusts request flags to blend with legitimate traffic.

An additional TGS ticket (base64 or .kirbi path) to include in the TGS-REQ for U2U or constrained delegation flows. When /u2u is set, this ticket provides the session key needed for the user-to-user exchange.

Override the domain used in the TGS-REQ realm field. Useful for cross-realm service ticket requests where the target service resides in a different domain than the TGT.

Perform a User-to-User (U2U) TGS-REQ. In this mode, the service ticket is encrypted with the session key of the target user’s TGT (supplied via /tgs) rather than the service’s long-term key. The /service flag is optional when /u2u is set.

Add a PA-FOR-USER (S4U2Self) pre-authentication element to the TGS-REQ, specifying the user to impersonate. Used in protocol transition and dMSA ticket flows.

A password hash for the target service account. When supplied, Rubeus decrypts the returned service ticket inline and prints the ticket contents to console. Also triggers printing of forge-ready command arguments when used with /u2u or /printargs.

The AS-REP session key hash. When supplied alongside /servicekey, Rubeus can fully decrypt and display the returned ticket’s authorization data.

URL of a KDC proxy (MS-KKDCP) to relay the TGS-REQ through instead of contacting the DC directly on port 88. Example: /proxyurl:https://proxy.corp.local/kdcproxy.

Perform a Kerberos Key List Request instead of a standard TGS-REQ. This requests long-term keys (credentials) from a read-only domain controller (RODC) by presenting a RODC-issued TGT. The /service SPN must be the krbtgt SPN for the target RODC.

Request a delegated Managed Service Account (dMSA) ticket. Combine with /opsec, /targetuser:DMSA_ACCOUNT$, and a krbtgt SPN. Requires a Windows Server 2025 domain controller.

Target a specific Logon Session (LUID) when retrieving the TGT from an existing session rather than supplying one via /ticket. Example: /luid:0x4b3c2.

Override the name type used for the service principal in the TGS-REQ. Defaults to srv_inst. Accepts any Kerberos name type string (e.g. srv_hst, principal).

Print the forge-ready command-line arguments derived from the decrypted service ticket. Only active when /u2u is set or /servicekey is supplied, as those are the conditions under which Rubeus has access to the ticket’s plaintext contents.
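
For defenders, the two input forms that /ticket and /tgs accept (an inline base64 .kirbi blob or a file path) can be told apart in process command-line telemetry, because a .kirbi is a DER-encoded KRB-CRED whose first octet is 0x76. The following is an added example, not part of the Rubeus documentation or code base; the tool.exe command lines and the ticket blob are constructed samples, and the function names are hypothetical.

```python
import base64
import re

# Flags on this page that carry a ticket as a base64 .kirbi blob or a file path.
TICKET_FLAGS = re.compile(r"/(ticket|tgs):(\S+)", re.IGNORECASE)


def der_total_length(buf):
    """Return header+content length of the DER element at buf[0], or None if malformed."""
    if len(buf) < 2:
        return None
    first = buf[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def looks_like_krb_cred(value):
    """True if value is strict base64 whose bytes are exactly one KRB-CRED element."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:                    # binascii.Error: not base64 (e.g. a path)
        return False
    # KRB-CRED is ASN.1 [APPLICATION 22], constructed: identifier octet 0x76.
    return len(raw) > 2 and raw[0] == 0x76 and der_total_length(raw) == len(raw)


def classify(cmdline):
    """Return (flag, kind) pairs; kind is 'inline-blob' or 'path-or-other'."""
    hits = []
    for flag, value in TICKET_FLAGS.findall(cmdline):
        kind = "inline-blob" if looks_like_krb_cred(value) else "path-or-other"
        hits.append((flag.lower(), kind))
    return hits


# Constructed sample: KRB-CRED-shaped DER header plus zero padding, not a real ticket.
FAKE_BLOB = base64.b64encode(b"\x76\x82\x01\x04\x30\x82\x01\x00" + bytes(256)).decode()
SAMPLE_CMDLINES = [
    "tool.exe asktgs /ticket:" + FAKE_BLOB + " /service:cifs/fileserver.corp.local",
    r"tool.exe asktgs /ticket:C:\temp\tgt.kirbi /service:http/web.corp.local /nowrap",
    "tool.exe asktgs /u2u /tgs:aGVsbG8gd29ybGQ= /ticket:" + FAKE_BLOB,
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), line[:60])
```

Checking the DER length against the decoded size, rather than matching only the leading base64 characters, keeps arbitrary base64 arguments and truncated blobs from being reported as inline tickets.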