The asktgt command sends an AS-REQ to the domain controller and retrieves a Ticket Granting Ticket (TGT) for the specified user. You can authenticate with a plaintext password, an NTLM/AES hash, or a PKCS12 certificate (PKINIT). The resulting TGT can be written to a .kirbi file, passed directly into the current logon session with /ptt, or injected into a newly created sacrificial process spawned with /createnetonly.
Flag Reference
/user
  The username to request a TGT for. Accepts USER or DOMAIN\USER format. If a domain is embedded in the value, it overrides any /domain argument.

/password
  Plaintext password for the target user. When supplied, hash derivation is deferred until after any pre-auth exchange so that the KDC-supplied salt can be used.

/enctype
  Encryption type to request in the AS-REQ. Defaults to RC4 when no /enctype flag and no hash flag is given. Also accepts NTLM as an alias for RC4, and AES as an alias for AES256.

/des
  DES hash (des_cbc_md5) to use for authentication. Sets /enctype to DES automatically.

/rc4
  RC4/NTLM hash to use for authentication. Sets /enctype to RC4 automatically.

/ntlm
  NTLM hash to use for authentication. Alias for /rc4; sets /enctype to RC4 automatically.

/aes128
  AES-128 hash to use for authentication. Sets /enctype to AES128 automatically.

/aes256
  AES-256 hash to use for authentication. Sets /enctype to AES256 automatically.

/certificate
  Path to a PKCS12/PFX certificate file, or a certificate thumbprint (or subject string) to locate a certificate in the current user's key store. Used for PKINIT-based TGT requests. Combine with /password to supply the PFX store password.

/domain
  The fully-qualified domain name to authenticate against. If omitted, Rubeus resolves the current machine's joined domain automatically.

/dc
  Hostname or IP address of a specific domain controller to send the AS-REQ to. Useful when the default DC is unreachable or you need to target a specific site.

/outfile
  Path to write the retrieved TGT as a .kirbi file. If omitted, the ticket is printed as a base64 blob to stdout.

/ptt
  Pass the ticket directly into the current logon session using LsaCallAuthenticationPackage. No file is written. Requires the process to be running as the user whose session will receive the ticket, or with elevated privileges for a specific /luid.

/luid
  Target a specific Logon Session (LUID) when injecting tickets with /ptt or when working with /createnetonly. Requires high integrity. Example: /luid:0x4b3c2.

/nowrap
  Suppress line-wrapping of the base64 ticket blob in console output. Useful when piping output to another tool or when copying the ticket programmatically.

/opsec
  Request the TGT in a manner that avoids RC4 downgrade indicators by requiring AES256 encryption. Rubeus will refuse to proceed unless /enctype:AES256 (or an /aes256 hash) is also supplied, unless /force is added to override.

/force
  Override the AES256 enforcement that /opsec applies. When both /opsec and /force are set, Rubeus will send the AS-REQ with a non-AES256 encryption type even though opsec mode is active.

/nopac
  Include a PA-PAC-REQUEST pre-authentication element set to FALSE, asking the KDC to omit the PAC from the issued TGT. Useful for testing PAC-less Kerberos flows.

/oldsam
  Supply a legacy sAMAccountName value for password-based requests when the account's current name differs from the name used to derive the key. Passed through to the TGTWithPassword call.

/nopreauth
  Send an AS-REQ without pre-authentication data. The KDC will respond with a KRB_ERROR or an unencrypted AS-REP for accounts that do not require pre-auth (AS-REP Roasting targets). No hash or password is required when this flag is set.

/changepw
  Request a TGT with the change-password service flag set (for the kadmin/changepw service). Used in Kerberos-based password reset flows (AoratoPw / changepw command).

/getcredentials
  When using PKINIT (/certificate), attempt to retrieve the NT hash and AES keys from the PKINIT AS-REP using the PA-PK-AS-REP shadow credential response. Only meaningful against DCs that support this extension.

/servicekey
  A service key hash (the krbtgt long-term key) used to decrypt and display the EncTicketPart of the returned TGT inline. Useful for verifying ticket contents without a separate describe call.

/show
  When combined with /createnetonly, makes the spawned sacrificial process visible (window shown) rather than hidden. Has no effect without /createnetonly.

/createnetonly
  Path to an executable to spawn as a new LOGON32_LOGON_NETWORK_ONLY process. The TGT is injected into the new process's logon session rather than the current one. Requires high integrity. Example: /createnetonly:C:\Windows\System32\cmd.exe.

/proxyurl
  URL of a KDC proxy (MS-KKDCP) to relay the AS-REQ through instead of contacting the DC directly over port 88. Example: /proxyurl:https://proxy.corp.local/kdcproxy.

/suppenctype
  Supplemental encryption type to advertise in the AS-REQ etype list, in addition to the primary encryption type selected by /enctype or a hash flag. Defaults to the same value as the primary encryption type when not specified.

/nametype
  Name type for the client principal in the AS-REQ. Valid values are principal (default), enterprise, x500, srv_xhost, srv_host, and srv_inst. Use enterprise for UPN-style names (user@domain.com).

/service
  Request a service ticket directly via an AS-REQ (rather than a TGT) by specifying a target SPN. This produces an AS-REQ-based service ticket rather than going through the normal TGT → TGS flow.

/verifychain
  When using PKINIT (/certificate), verify the entire certificate chain up to the root CA in addition to the leaf certificate. Alias for /verifycerts.

/verifycerts
  When using PKINIT (/certificate), verify the entire certificate chain up to the root CA. Alias for /verifychain.

Usage Examples
When /opsec is set, Rubeus enforces AES256 encryption and refuses to send an RC4-based AS-REQ unless /force is also supplied. This avoids the RC4 downgrade indicator that many EDR and SIEM products flag as a Kerberoasting or pass-the-hash precursor. Always pair /opsec with /aes256:HASH or /enctype:AES256.
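From the detection side, the two AS-REQ behaviours this page describes (the RC4 etype that /opsec exists to avoid, and the pre-auth-less request that /nopreauth sends) both surface in Windows Security event 4768 on the domain controller. The following is an added triage example, not part of the Rubeus documentation; the event records and their flattened key=value layout are constructed samples, and the field names follow Microsoft's 4768 schema.

```python
"""Added example, not part of the Rubeus docs: triage Windows Security event
4768 (Kerberos TGT requested) records for RC4 (etype 0x17) TGT requests and
for requests that carried no pre-authentication (PreAuthType 0).
The records and the key=value layout below are constructed samples."""
import re
from dataclasses import dataclass

# Constructed sample 4768/4769 records in a flattened key=value form.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice TargetDomainName=CORP TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.0.0.5
EventID=4768 TargetUserName=bob TargetDomainName=CORP TicketEncryptionType=0x17 PreAuthType=2 IpAddress=10.0.0.9
EventID=4768 TargetUserName=svc_backup TargetDomainName=CORP TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.0.0.9
EventID=4768 TargetUserName=WS01$ TargetDomainName=CORP TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.0.0.21
EventID=4769 TargetUserName=alice TargetDomainName=CORP TicketEncryptionType=0x17 PreAuthType=2 IpAddress=10.0.0.5
"""

RC4_HMAC = 0x17   # etype 23: the RC4 downgrade indicator the /opsec note refers to
NO_PREAUTH = 0    # PreAuthType 0: the AS-REQ carried no pre-authentication data


@dataclass
class Finding:
    user: str
    source_ip: str
    reason: str


def parse_kv(line):
    """Split one flattened 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def triage_4768(text):
    """Return findings for RC4 TGT requests and no-pre-auth TGT requests.
    Only EventID 4768 (AS exchange) is considered; 4769 is the TGS exchange."""
    findings = []
    for line in text.splitlines():
        ev = parse_kv(line)
        if ev.get("EventID") != "4768":
            continue
        user, ip = ev["TargetUserName"], ev["IpAddress"]
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            findings.append(Finding(user, ip, "rc4_tgt_request"))
        if int(ev["PreAuthType"]) == NO_PREAUTH:
            findings.append(Finding(user, ip, "no_preauth_as_req"))
    return findings


if __name__ == "__main__":
    for f in triage_4768(SAMPLE_EVENTS):
        print(f"{f.reason:20} user={f.user} from={f.source_ip}")
```

A successful 4768 with PreAuthType 0 means the account has "Do not require Kerberos preauthentication" set, which is the condition /nopreauth relies on; an RC4 TGT for an account that has AES keys is the downgrade that /opsec suppresses.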