TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
brute command performs Kerberos-based password bruteforcing and password spraying by sending AS-REQ messages to the KDC and inspecting the pre-authentication error responses. When a password is wrong the KDC returns KDC_ERR_PREAUTH_FAILED; when a user does not exist it returns KDC_ERR_C_PRINCIPAL_UNKNOWN; and when a valid credential is found, the KDC issues a full AS-REP containing a TGT. This approach operates entirely over the standard Kerberos port (88/UDP or 88/TCP) and does not generate LDAP or SMB authentication events. If no /user or /users flag is provided, Rubeus enumerates all domain user accounts from Active Directory via LDAP before beginning the attack.
spray is a registered alias for brute — Rubeus.exe spray ... and Rubeus.exe brute ... are functionally identical. Use whichever name is more natural for your workflow.Flag Reference
A single plaintext password to test against every target user. Exactly one of
/password or /passwords is required.Path to a newline-delimited file of passwords to test. Each password in the file is tried against all target users in sequence. Exactly one of
/password or /passwords is required.A single username to target. When neither
/user nor /users is supplied, Rubeus performs an LDAP query against the domain to enumerate all samAccountType=805306368 user objects and uses the full list.Path to a newline-delimited file of usernames to target. When this flag is set, Rubeus enables verbose user reporting automatically (equivalent to
/verbose) so you can track per-user results.The fully-qualified domain name to authenticate against. Defaults to the domain of the machine running Rubeus if omitted.
Alternate credentials (in
DOMAIN\USER format) to use for the LDAP enumeration query when no /user or /users flag is provided. Must be paired with /credpassword. Useful when the executing process has no domain context or insufficient rights to enumerate user objects as the current identity. Example: /creduser:corp.local\ldapquery.Plaintext password for the account specified in
/creduser. Required whenever /creduser is present.Scope the LDAP user enumeration to a specific Organizational Unit distinguished name. Only users under this OU are included in the attack. Example:
/ou:OU=Employees,DC=corp,DC=local. Has no effect when /user or /users is supplied.Hostname or IP address of the domain controller to send AS-REQs to and to use as the LDAP endpoint for user enumeration. Defaults to the domain name (resolved via DNS) when omitted.
Path to a file where discovered valid credentials are appended in
username:password format, one per line. Does not affect TGT output — successful TGTs are saved as <username>.kirbi regardless of this flag.Do not save TGTs for successful authentications. Instead, print the ticket as a base64 blob to console. By default, Rubeus writes a
<username>.kirbi file for every valid credential found.Enable verbose output. Reports each valid user (
[+] Valid user), each invalid user ([-] Invalid user), and each blocked or disabled account ([-] Blocked/Disabled user) as they are evaluated. Automatically enabled when /users is supplied.Suppress line-wrapping of base64 ticket blobs in console output.
Usage Examples
Rubeus distinguishes between four KDC error codes during brute-forcing to classify results without actually authenticating:
KDC_ERR_C_PRINCIPAL_UNKNOWN (user does not exist), KDC_ERR_PREAUTH_FAILED (wrong password, valid user), KDC_ERR_CLIENT_REVOKED (account disabled or locked), and a successful AS-REP (correct password). Security monitoring tools such as Microsoft Defender for Identity and many SIEM rules specifically watch for a burst of KDC_ERR_PREAUTH_FAILED (Event ID 4771) events from a single source, which is the primary detection signal for this technique.