
The asktgt command sends an AS-REQ to the domain controller and retrieves a Ticket Granting Ticket (TGT) for the specified user. You can authenticate with a plaintext password, an NTLM/AES hash, or a PKCS12 certificate (PKINIT). The resulting TGT can be written to a .kirbi file, passed directly into the current logon session with /ptt, or injected into a newly created sacrificial process spawned with /createnetonly.

Flag Reference

/user (string, required)
  The username to request a TGT for. Accepts USER or DOMAIN\USER format. If a domain is embedded in the value, it overrides any /domain argument.

/password (string)
  Plaintext password for the target user. When supplied, hash derivation is deferred until after any pre-auth exchange so that the KDC-supplied salt can be used.

/enctype (DES | RC4 | AES128 | AES256)
  Encryption type to request in the AS-REQ. Defaults to RC4 when neither an /enctype flag nor a hash flag is given. Also accepts NTLM as an alias for RC4, and AES as an alias for AES256.

/des (string)
  DES hash (des_cbc_md5) to use for authentication. Sets /enctype to DES automatically.

/rc4 (string)
  RC4/NTLM hash to use for authentication. Sets /enctype to RC4 automatically.

/ntlm (string)
  NTLM hash to use for authentication. Alias for /rc4; sets /enctype to RC4 automatically.

/aes128 (string)
  AES-128 hash to use for authentication. Sets /enctype to AES128 automatically.

/aes256 (string)
  AES-256 hash to use for authentication. Sets /enctype to AES256 automatically.

/certificate (string)
  Path to a PKCS12/PFX certificate file, or a certificate thumbprint (or subject string) to locate a certificate in the current user’s key store. Used for PKINIT-based TGT requests. Combine with /password to supply the PFX store password.

/domain (string)
  The fully-qualified domain name to authenticate against. If omitted, Rubeus resolves the current machine’s joined domain automatically.

/dc (string)
  Hostname or IP address of a specific domain controller to send the AS-REQ to. Useful when the default DC is unreachable or you need to target a specific site.

/outfile (string)
  Path to write the retrieved TGT as a .kirbi file. If omitted, the ticket is printed as a base64 blob to stdout.

/ptt (boolean)
  Pass the ticket directly into the current logon session using LsaCallAuthenticationPackage. No file is written. Requires the process to be running as the user whose session will receive the ticket, or with elevated privileges for a specific /luid.

/luid (string)
  Target a specific Logon Session (LUID) when injecting tickets with /ptt or when working with /createnetonly. Requires high integrity. Example: /luid:0x4b3c2.

/nowrap (boolean)
  Suppress line-wrapping of the base64 ticket blob in console output. Useful when piping output to another tool or when copying the ticket programmatically.

/opsec (boolean)
  Request the TGT in a manner that avoids RC4 downgrade indicators by requiring AES256 encryption. Rubeus refuses to proceed unless /enctype:AES256 (or an /aes256 hash) is also supplied; /force overrides this check.

/force (boolean)
  Override the AES256 enforcement that /opsec applies. When both /opsec and /force are set, Rubeus will send the AS-REQ with a non-AES256 encryption type even though opsec mode is active.

/nopac (boolean)
  Include a PA-PAC-REQUEST pre-authentication element set to FALSE, asking the KDC to omit the PAC from the issued TGT. Useful for testing PAC-less Kerberos flows.

/oldsam (string)
  Supply a legacy sAMAccountName value for password-based requests when the account’s current name differs from the name used to derive the key. Passed through to the TGTWithPassword call.

/nopreauth (boolean)
  Send an AS-REQ without pre-authentication data. The KDC responds with a KRB_ERROR for accounts that require pre-auth, or with an AS-REP for accounts that do not (AS-REP Roasting targets). No hash or password is required when this flag is set.

/changepw (boolean)
  Request a TGT with the change-password service flag set (for the kadmin/changepw service). Used in Kerberos-based password reset flows (AoratoPw / changepw command).

/getcredentials (boolean)
  When using PKINIT (/certificate), attempt to retrieve the NT hash and AES keys from the PKINIT AS-REP using the PA-PK-AS-REP shadow credential response. Only meaningful against DCs that support this extension.

/servicekey (string)
  A service key hash (the krbtgt long-term key) used to decrypt and display the EncTicketPart of the returned TGT inline. Useful for verifying ticket contents without a separate describe call.

/show (boolean)
  When combined with /createnetonly, makes the spawned sacrificial process visible (window shown) rather than hidden. Has no effect without /createnetonly.

/createnetonly (string)
  Path to an executable to spawn as a new LOGON32_LOGON_NETWORK_ONLY process. The TGT is injected into the new process’s logon session rather than the current one. Requires high integrity. Example: /createnetonly:C:\Windows\System32\cmd.exe.

/proxyurl (string)
  URL of a KDC proxy (MS-KKDCP) to relay the AS-REQ through instead of contacting the DC directly over port 88. Example: /proxyurl:https://proxy.corp.local/kdcproxy.

/suppenctype (DES | RC4 | AES128 | AES256)
  Supplemental encryption type to advertise in the AS-REQ etype list, in addition to the primary encryption type selected by /enctype or a hash flag. Defaults to the same value as the primary encryption type when not specified.

/principaltype (string)
  Name type for the client principal in the AS-REQ. Valid values are principal (default), enterprise, x500, srv_xhost, srv_host, and srv_inst. Use enterprise for UPN-style names (user@domain.com).

/service (string)
  Request a service ticket directly via an AS-REQ (rather than a TGT) by specifying a target SPN. This produces an AS-REQ-based service ticket rather than going through the normal TGT → TGS flow.

/verifychain (boolean)
  When using PKINIT (/certificate), verify the entire certificate chain up to the root CA in addition to the leaf certificate. Alias for /verifycerts.

/verifycerts (boolean)
  When using PKINIT (/certificate), verify the entire certificate chain up to the root CA. Alias for /verifychain.

Usage Examples

Rubeus.exe asktgt /user:jdoe /password:Passw0rd! /domain:corp.local /ptt
When /opsec is set, Rubeus enforces AES256 encryption and refuses to send an RC4-based AS-REQ unless /force is also supplied. This avoids the RC4 downgrade indicator that many EDR and SIEM products flag as a Kerberoasting or pass-the-hash precursor. Always pair /opsec with /aes256:HASH or /enctype:AES256.
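The detection side of the two indicators this page mentions (the RC4 downgrade that /enctype defaults to and /opsec avoids, and the pre-auth-less AS-REQ that /nopreauth sends) is a small triage over the domain controller's AS-REQ audit records. The following is an added example written for this page, not Rubeus code or anything from the GhostPack project. It assumes a flattened key=value rendering of Windows Security event 4768 fields (TargetUserName, IpAddress, TicketEncryptionType, PreAuthType, Status), which is a format constructed here along with the sample records; the etype numbers and the KDC error code are the standard Kerberos values.

```python
"""Score AS-REQ (event 4768) records for RC4-downgrade and no-pre-auth indicators.

Added example for this page, not Rubeus code. The line format and the
sample records below are constructed; field names follow event 4768.
"""

from dataclasses import dataclass
import re

# Kerberos etype numbers as they appear in the 4768 TicketEncryptionType
# field; these are what the /enctype names resolve to on the wire.
ETYPE_NAMES = {
    0x03: "DES",      # des-cbc-md5
    0x17: "RC4",      # rc4-hmac, keyed with the NT hash
    0x11: "AES128",   # aes128-cts-hmac-sha1-96
    0x12: "AES256",   # aes256-cts-hmac-sha1-96
}
RC4 = 0x17
PREAUTH_NONE = 0                 # PreAuthType 0: no PA-DATA in the AS-REQ
KDC_ERR_PREAUTH_REQUIRED = 0x19  # the KRB_ERROR a normal account gets back
PAIR_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AsReqEvent:
    account: str
    client_ip: str
    etype: int
    preauth_type: int
    status: int


def parse_4768(line: str) -> AsReqEvent:
    """Parse one constructed key=value rendering of a 4768 event."""
    kv = dict(PAIR_RE.findall(line))
    return AsReqEvent(
        account=kv["TargetUserName"],
        client_ip=kv["IpAddress"],
        etype=int(kv["TicketEncryptionType"], 16),  # 0xffffffff when the request failed
        preauth_type=int(kv["PreAuthType"]),
        status=int(kv["Status"], 16),
    )


def assess(ev: AsReqEvent, aes_accounts: set) -> list:
    """Return the indicator names that apply to one event.

    Both rules require Status 0x0. A failed AS-REQ with PreAuthType 0 is
    the normal first leg of a Windows logon (the client is told
    KDC_ERR_PREAUTH_REQUIRED and retries with PA-ENC-TIMESTAMP), so only a
    successful no-pre-auth request shows the account has pre-auth disabled.
    The etype recorded for a failed request is likewise meaningless.
    """
    findings = []
    if ev.status != 0:
        return findings
    if ev.etype == RC4 and ev.account in aes_accounts:
        findings.append("rc4-downgrade")   # AES-capable account got an RC4-encrypted TGT
    if ev.preauth_type == PREAUTH_NONE:
        findings.append("no-preauth")      # AS-REP Roastable account was used
    return findings


def triage(lines, aes_accounts):
    """Map account -> {etype name, findings} for every record with a finding."""
    out = {}
    for line in lines:
        ev = parse_4768(line)
        hits = assess(ev, aes_accounts)
        if hits:
            out[ev.account] = {
                "etype": ETYPE_NAMES.get(ev.etype, hex(ev.etype)),
                "findings": hits,
            }
    return out


# Constructed sample records, not real telemetry. AES_ACCOUNTS stands in
# for "accounts whose msDS-SupportedEncryptionTypes permits AES", so an RC4
# ticket for them is a downgrade rather than a legacy necessity.
AES_ACCOUNTS = {"jdoe", "alice", "svc_backup"}
SAMPLE_4768 = [
    "TargetUserName=jdoe IpAddress=10.0.0.25 TicketEncryptionType=0x17 PreAuthType=2 Status=0x0",
    "TargetUserName=alice IpAddress=10.0.0.40 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0",
    "TargetUserName=svc_backup IpAddress=10.0.0.25 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0",
    "TargetUserName=bob IpAddress=10.0.0.7 TicketEncryptionType=0xffffffff PreAuthType=0 Status=0x19",
]

if __name__ == "__main__":
    for account, info in triage(SAMPLE_4768, AES_ACCOUNTS).items():
        print(f"{account}: {info['etype']} ticket, {', '.join(info['findings'])}")
```

On the sample set, jdoe is flagged for the RC4 downgrade only, svc_backup for both indicators, alice (AES256) is clean, and bob's record is ignored because the 0x19 error is the routine pre-auth-required round trip every Windows client performs. In a real deployment the AES-capable set would come from the directory rather than a hard-coded list, and the RC4 rule is what makes /opsec's insistence on AES256 relevant to the author's advice above.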
