Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

The asrep2kirbi command transforms a raw Kerberos AS-REP message — captured from the wire or obtained via offline tooling — into a .kirbi (KRB_CRED) file that Rubeus and Mimikatz can consume. This is useful when you have an AS-REP blob from a network capture or a custom AS-REQ implementation and need to convert it into the standard credential format before injecting it with ptt or passing it to other commands. You must supply the client long-term key that was used to encrypt the AS-REP so that Rubeus can decrypt the session key and populate the KRB_CRED structure correctly. The default assumed encryption type is AES256; use /enctype to override this.

Flags

/asrep
string
required
A base64-encoded AS-REP message or path to a file containing the raw AS-REP bytes.
/key
string
The base64-encoded client long-term key used to decrypt the AS-REP. Mutually exclusive with /keyhex; one of the two is required.
/keyhex
string
The client long-term key as a hex string (e.g. aabbccddeeff...). Mutually exclusive with /key; one of the two is required.
/enctype
string
Encryption type of the key supplied. Accepted values: DES, RC4 (or NTLM), AES128, AES256 (or AES). Defaults to AES256 when omitted.
/ptt
flag
Inject the resulting ticket into the current logon session immediately after conversion.
/luid
string
Target a specific logon session by LUID when injecting with /ptt. Requires elevated privileges.
/outfile
string
Write the resulting .kirbi to the specified file path instead of printing it as base64 to the console.
/nowrap
flag
Print the base64 ticket output on a single line without line-wrapping.

Examples

Convert an AS-REP with a base64-encoded AES256 key

Supply the raw AS-REP and the matching AES256 key. The output .kirbi is printed as base64 and can be saved or passed directly to ptt.
Rubeus.exe asrep2kirbi /asrep:C:\captures\asrep.bin /key:dGhpcyBpcyBhIHNhbXBsZSBrZXkgZm9yIGRlbW8= /enctype:AES256

Convert an AS-REP and inject immediately

Parse the AS-REP and pass-the-ticket in one step by appending /ptt.
Rubeus.exe asrep2kirbi /asrep:C:\captures\asrep.bin /keyhex:aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 /enctype:AES256 /ptt
The /key value must be the actual Kerberos long-term key (derived from the account password), not the raw password itself. Use Rubeus.exe hash /password:X /user:USER /domain:DOMAIN to derive the correct key from a known password before passing it here.

Build docs developers (and LLMs) love