AS-REP roasting targets Active Directory accounts that have the DONT_REQ_PREAUTH flag set in their userAccountControl attribute. Because the KDC returns an AS-REP without verifying the caller’s identity first, anyone on the network can request one and receive a response whose encrypted portion is derived from the account’s password. Rubeus enumerates vulnerable accounts via LDAP and issues AS-REQs for each, outputting the resulting hashes in Hashcat or John the Ripper format for offline cracking — no elevated privileges required.

Flag Reference

/user (string)
Target a specific user account instead of enumerating all vulnerable accounts, e.g. /user:jsmith or /user:corp.local\jsmith. When a domain prefix is included it overrides /domain. Supplying /user avoids the LDAP enumeration step entirely.

/domain (string)
Domain to query for pre-auth-disabled accounts, e.g. /domain:corp.local. Defaults to the current machine’s DNS domain when omitted.

/dc (string)
Domain controller to send AS-REQs and LDAP queries to, e.g. /dc:DC01.corp.local. Defaults to the domain’s default DC.

/ou (string)
Restrict LDAP enumeration to a specific Organizational Unit, e.g. /ou:"OU=Users,DC=corp,DC=local". Only accounts within that OU are considered.

/ldaps (boolean)
Use LDAPS (port 636) instead of plain LDAP (port 389) for account enumeration. Use when standard LDAP is firewalled or when an encrypted channel is required.

/creduser (string)
Alternate domain account to authenticate LDAP enumeration with, e.g. /creduser:corp.local\svcBackup. Must be in domain\user format. Requires /credpassword.

/credpassword (string)
Password for the alternate credential user specified with /creduser, e.g. /credpassword:P@ssw0rd. Both flags must be supplied together.

/ldapfilter (string)
Append a custom LDAP filter to the base enumeration query, e.g. /ldapfilter:'admincount=1'. The filter is ANDed with the default pre-auth enumeration filter, allowing precise targeting of a subset of accounts.

/des (boolean)
Request DES-encrypted AS-REP responses instead of the default RC4. DES support is rare in modern environments but may be needed against legacy domain configurations.

/aes (boolean)
Request AES-encrypted AS-REP responses. Produces AES-based hashes rather than the default RC4 (etype 23). Useful when accounts only support AES or when you need AES hashes specifically.

/format (string)
Output format for the extracted hashes. Accepted values are hashcat and john. Defaults to john when omitted. Use hashcat to produce $krb5asrep$23$... prefixed hashes directly consumable by Hashcat mode 18200.

/outfile (string)
Write extracted hashes to a file instead of (or in addition to) console output, e.g. /outfile:asrep_hashes.txt. Each hash is written on its own line.

/nowrap (boolean)
Prevent base64 blobs from being line-wrapped at 80 characters in the console output. Useful when copying output for downstream tools.

Usage Examples

Rubeus.exe asreproast /nowrap

Cracking with Hashcat: Use mode -m 18200 for Kerberos AS-REP etype 23 (RC4) hashes:

hashcat -m 18200 asrep_hashes.txt wordlist.txt

Always generate hashes with /format:hashcat when targeting Hashcat — the default john format uses a slightly different prefix that Hashcat will not recognise without conversion.

Rubeus enumerates pre-auth-disabled accounts via an LDAP query against the target domain, so valid domain credentials are required for the enumeration phase. If you already know which account is vulnerable, supply /user:TARGET directly — this issues the AS-REQ immediately without any LDAP query, and works even from an unauthenticated context (e.g. from outside the domain with /dc pointing at a reachable KDC).
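
On the defensive side, the AS exchange described above is recorded on the domain controller as Security event 4768 with a Pre-Authentication Type of 0. The following detection sketch is an added example, not part of Rubeus or its documentation; the JSON-lines export layout, the sample events, the function name and the burst threshold are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: Security event 4768 (TGT requested) exported as JSON lines.
SAMPLE = """\
{"EventID":4768,"TargetUserName":"alice","IpAddress":"::ffff:10.0.0.21","PreAuthType":"2","TicketEncryptionType":"0x00000012","Status":"0x0"}
{"EventID":4768,"TargetUserName":"svc_legacy","IpAddress":"::ffff:10.0.0.50","PreAuthType":"0","TicketEncryptionType":"0x00000017","Status":"0x0"}
{"EventID":4768,"TargetUserName":"jsmith","IpAddress":"::ffff:10.0.0.50","PreAuthType":"0","TicketEncryptionType":"0x00000017","Status":"0x0"}
{"EventID":4768,"TargetUserName":"svc_print","IpAddress":"::ffff:10.0.0.50","PreAuthType":"0","TicketEncryptionType":"0x00000012","Status":"0x0"}
{"EventID":4768,"TargetUserName":"ghost","IpAddress":"::ffff:10.0.0.22","PreAuthType":"0","TicketEncryptionType":"0xffffffff","Status":"0x6"}
{"EventID":4769,"TargetUserName":"alice","IpAddress":"::ffff:10.0.0.21","TicketEncryptionType":"0x00000012","Status":"0x0"}
"""

ETYPE_NAMES = {0x03: "DES-CBC-MD5", 0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC"}


def no_preauth_tgts(lines, burst_threshold=3):
    """Return (hits, noisy_sources) for successful TGTs issued without pre-auth.

    hits: list of (account, source_ip, etype_name) tuples.
    noisy_sources: {source_ip: [accounts]} where one source obtained no-pre-auth
    TGTs for at least burst_threshold distinct accounts (assumed threshold).
    """
    hits, accounts_by_src = [], defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only successful AS exchanges (4768 with Status 0x0) are of interest.
        if ev.get("EventID") != 4768 or int(ev.get("Status", "0x1"), 0) != 0:
            continue
        # Key on PreAuthType 0 rather than the etype: the /aes and /des flags
        # change the requested etype, so an RC4-only rule would miss those.
        if int(ev.get("PreAuthType", "-1"), 0) != 0:
            continue
        src = ev["IpAddress"].replace("::ffff:", "")
        etype = int(ev["TicketEncryptionType"], 0)
        hits.append((ev["TargetUserName"], src, ETYPE_NAMES.get(etype, hex(etype))))
        accounts_by_src[src].add(ev["TargetUserName"])
    noisy = {s: sorted(a) for s, a in accounts_by_src.items() if len(a) >= burst_threshold}
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = no_preauth_tgts(SAMPLE.splitlines())
    for user, src, etype in hits:
        print(f"no-preauth TGT: user={user} src={src} etype={etype}")
    for src, users in noisy.items():
        print(f"possible AS-REP roast sweep from {src}: {users}")
```

Every account that appears in the hits list has pre-authentication disabled, so the same output doubles as an inventory of accounts to review for re-enabling pre-auth or rotating to a long random password.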
