The asktgs command exchanges an existing Ticket Granting Ticket (TGT) for one or more service tickets by sending a TGS-REQ to the domain controller. You can supply the TGT as a base64-encoded blob or a .kirbi file path. The command supports requesting multiple SPNs in a single invocation, User-to-User (U2U) authentication, Kerberos Key List Requests against read-only domain controllers, delegated Managed Service Account (dMSA) tickets, and cross-realm requests via /targetdomain.

Flag Reference

/ticket (string, required)
The TGT to use for the TGS-REQ, supplied as either a base64-encoded .kirbi blob or a file path to a .kirbi file. This is the credential that will be presented to the KDC in exchange for service tickets.

/service (string, required unless /u2u is set)
One or more SPNs to request service tickets for, comma-separated. Examples: cifs/fileserver.corp.local or http/web.corp.local,ldap/dc01.corp.local.

/enctype (DES | RC4 | AES128 | AES256)
Encryption type to request for the service ticket. Also accepts NTLM as an alias for RC4 and AES as an alias for AES256. When omitted, Rubeus lets the KDC select the encryption type based on the service account's supported types.

/dc (string)
Hostname or IP address of a specific domain controller to send the TGS-REQ to. Useful for cross-domain scenarios or when you need to target a particular site's DC.

/outfile (string)
Path to write the retrieved service ticket(s) as .kirbi file(s). If omitted, tickets are printed as base64 blobs to stdout.

/ptt (boolean)
Pass the retrieved service ticket directly into the current logon session using LsaCallAuthenticationPackage. No file is written.

/nowrap (boolean)
Suppress line-wrapping of base64 ticket blobs in console output. Useful when piping output to another tool.

/enterprise (boolean)
Use enterprise principal name format (UPN-style, e.g. user@domain.com) for the SPN in the TGS-REQ. Required when targeting services by UPN rather than the classic service/host format.

/opsec (boolean)
Request the service ticket in a way that avoids known detection indicators. In opsec mode, Rubeus restricts itself to AES encryption and adjusts request flags to blend with legitimate traffic.

/tgs (string)
An additional TGS ticket (base64 or .kirbi path) to include in the TGS-REQ for U2U or constrained delegation flows. When /u2u is set, this ticket provides the session key needed for the user-to-user exchange.

/targetdomain (string)
Override the domain used in the TGS-REQ realm field. Useful for cross-realm service ticket requests where the target service resides in a different domain than the TGT.

/u2u (boolean)
Perform a User-to-User (U2U) TGS-REQ. In this mode, the service ticket is encrypted with the session key of the target user's TGT (supplied via /tgs) rather than the service's long-term key. The /service flag is optional when /u2u is set.

/targetuser (string)
Add a PA-FOR-USER (S4U2Self) pre-authentication element to the TGS-REQ, specifying the user to impersonate. Used in protocol transition and dMSA ticket flows.

/servicekey (string)
A password hash for the target service account. When supplied, Rubeus decrypts the returned service ticket inline and prints the ticket contents to the console. Also triggers printing of forge-ready command arguments when used with /u2u or /printargs.

/asrepkey (string)
The AS-REP session key hash. When supplied alongside /servicekey, Rubeus can fully decrypt and display the returned ticket's authorization data.

/proxyurl (string)
URL of a KDC proxy (MS-KKDCP) to relay the TGS-REQ through instead of contacting the DC directly on port 88. Example: /proxyurl:https://proxy.corp.local/kdcproxy.

/keyList (boolean)
Perform a Kerberos Key List Request instead of a standard TGS-REQ. This requests long-term keys (credentials) from a read-only domain controller (RODC) by presenting a RODC-issued TGT. The /service SPN must be the krbtgt SPN for the target RODC.

/dmsa (boolean)
Request a delegated Managed Service Account (dMSA) ticket. Combine with /opsec, /targetuser:DMSA_ACCOUNT$, and a krbtgt SPN. Requires a Windows Server 2025 domain controller.

/luid (string)
Target a specific logon session (LUID) when retrieving the TGT from an existing session rather than supplying one via /ticket. Example: /luid:0x4b3c2.

/servicetype (string)
Override the name type used for the service principal in the TGS-REQ. Defaults to srv_inst. Accepts any Kerberos name type string (e.g. srv_hst, principal).

/printargs (boolean)
Print the forge-ready command-line arguments derived from the decrypted service ticket. Only active when /u2u is set or /servicekey is supplied, since those are the conditions under which Rubeus has access to the ticket's plaintext contents.

Usage Examples

Rubeus.exe asktgs /ticket:doIFuj[...]== /service:cifs/fileserver.corp.local /ptt
Enable /opsec whenever operating against environments with AES-only service accounts or strict Kerberos monitoring. In opsec mode, Rubeus will not downgrade to RC4, which removes the KERB_ETYPE_RC4_HMAC_MD5 (etype 0x17) indicator that many SIEM rules and Microsoft Defender for Identity detections rely on.
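The RC4 indicator mentioned above is what defenders key on in Windows Event ID 4769 (service ticket requested). The following is an added detection example, not Rubeus code: it parses constructed 4769/4768 records in an assumed flat key=value export format and flags issued RC4 (0x17) tickets only for services whose accounts are known to support AES, since RC4 to an RC4-only service is normal.

```python
# Added example (not Rubeus code): flag issued service tickets (Windows Event
# ID 4769) whose etype was RC4 (0x17) for services whose accounts support AES,
# i.e. the downgrade that /opsec avoids and that RC4-based SIEM rules look for.
from dataclasses import dataclass
RC4_HMAC_MD5 = 0x17  # KERB_ETYPE_RC4_HMAC_MD5 (etype 23)

@dataclass(frozen=True)
class TgsEvent:
    account: str   # requesting account
    service: str   # ServiceName the ticket was requested for
    etype: int     # TicketEncryptionType
    failure: str   # FailureCode; 0x0 means the ticket was issued

# Constructed 4769/4768 records in a flat key=value export format (assumption).
SAMPLE_EVENTS = [
    "EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=fileserver$ TicketEncryptionType=0x12 FailureCode=0x0",
    "EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=carol@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x1b",
    "EventID=4768 AccountName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 FailureCode=0x0",
]

# Service accounts whose msDS-SupportedEncryptionTypes include AES (constructed).
AES_CAPABLE = {"fileserver$", "svc_web", "svc_sql"}

def parse_event(line):
    """Parse one key=value record; return a TgsEvent, or None if it is not a 4769."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("EventID") != "4769":
        return None  # 4768 (AS-REQ) and other IDs are out of scope here
    return TgsEvent(fields["AccountName"], fields["ServiceName"],
                    int(fields["TicketEncryptionType"], 16), fields["FailureCode"])

def rc4_downgrades(lines, aes_capable=AES_CAPABLE):
    """Issued RC4 tickets for AES-capable services. RC4 to an RC4-only service
    is normal and not flagged; RC4 to an AES-capable one means the client asked
    for the weaker type. Failed requests (non-zero FailureCode) are skipped."""
    return [ev for ev in map(parse_event, lines)
            if ev and ev.failure == "0x0" and ev.etype == RC4_HMAC_MD5
            and ev.service in aes_capable]

def services_per_account(events):
    """Distinct downgraded services per account; many within a short window is a common hunting signal."""
    out = {}
    for ev in events:
        out.setdefault(ev.account, set()).add(ev.service)
    return out
```

In the sample data only alice (svc_web) and bob (svc_sql) are flagged; bob's svc_legacy ticket and carol's failed request are ignored, as is the 4768 AS-REQ record.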