TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
asrep2kirbi command transforms a raw Kerberos AS-REP message — captured from the wire or obtained via offline tooling — into a .kirbi (KRB_CRED) file that Rubeus and Mimikatz can consume. This is useful when you have an AS-REP blob from a network capture or a custom AS-REQ implementation and need to convert it into the standard credential format before injecting it with ptt or passing it to other commands. You must supply the client long-term key that was used to encrypt the AS-REP so that Rubeus can decrypt the session key and populate the KRB_CRED structure correctly. The default assumed encryption type is AES256; use /enctype to override this.
Flags
A base64-encoded AS-REP message or path to a file containing the raw AS-REP bytes.
The base64-encoded client long-term key used to decrypt the AS-REP. Mutually exclusive with
/keyhex; one of the two is required.The client long-term key as a hex string (e.g.
aabbccddeeff...). Mutually exclusive with /key; one of the two is required.Encryption type of the key supplied. Accepted values:
DES, RC4 (or NTLM), AES128, AES256 (or AES). Defaults to AES256 when omitted.Inject the resulting ticket into the current logon session immediately after conversion.
Target a specific logon session by LUID when injecting with
/ptt. Requires elevated privileges.Write the resulting
.kirbi to the specified file path instead of printing it as base64 to the console.Print the base64 ticket output on a single line without line-wrapping.
Examples
Convert an AS-REP with a base64-encoded AES256 key
Supply the raw AS-REP and the matching AES256 key. The output.kirbi is printed as base64 and can be saved or passed directly to ptt.
Convert an AS-REP and inject immediately
Parse the AS-REP and pass-the-ticket in one step by appending/ptt.
The
/key value must be the actual Kerberos long-term key (derived from the account password), not the raw password itself. Use Rubeus.exe hash /password:X /user:USER /domain:DOMAIN to derive the correct key from a known password before passing it here.