The brute command performs Kerberos-based password bruteforcing and password spraying by sending AS-REQ messages to the KDC and inspecting the pre-authentication error responses. When a password is wrong the KDC returns KDC_ERR_PREAUTH_FAILED; when a user does not exist it returns KDC_ERR_C_PRINCIPAL_UNKNOWN; and when a valid credential is found, the KDC issues a full AS-REP containing a TGT. This approach operates entirely over the standard Kerberos port (88/UDP or 88/TCP) and does not generate LDAP or SMB authentication events. If no /user or /users flag is provided, Rubeus enumerates all domain user accounts from Active Directory via LDAP before beginning the attack.
spray is a registered alias for brute. Rubeus.exe spray ... and Rubeus.exe brute ... are functionally identical. Use whichever name is more natural for your workflow.

Flag Reference

/password
string
A single plaintext password to test against every target user. Exactly one of /password or /passwords is required.
/passwords
string
Path to a newline-delimited file of passwords to test. Each password in the file is tried against all target users in sequence. Exactly one of /password or /passwords is required.
/user
string
A single username to target. When neither /user nor /users is supplied, Rubeus performs an LDAP query against the domain to enumerate all samAccountType=805306368 user objects and uses the full list.
/users
string
Path to a newline-delimited file of usernames to target. When this flag is set, Rubeus enables verbose user reporting automatically (equivalent to /verbose) so you can track per-user results.
/domain
string
The fully-qualified domain name to authenticate against. Defaults to the domain of the machine running Rubeus if omitted.
/creduser
string
Alternate credentials (in DOMAIN\USER format) to use for the LDAP enumeration query when no /user or /users flag is provided. Must be paired with /credpassword. Useful when the executing process has no domain context or insufficient rights to enumerate user objects as the current identity. Example: /creduser:corp.local\ldapquery.
/credpassword
string
Plaintext password for the account specified in /creduser. Required whenever /creduser is present.
/ou
string
Scope the LDAP user enumeration to a specific Organizational Unit distinguished name. Only users under this OU are included in the attack. Example: /ou:OU=Employees,DC=corp,DC=local. Has no effect when /user or /users is supplied.
/dc
string
Hostname or IP address of the domain controller to send AS-REQs to and to use as the LDAP endpoint for user enumeration. Defaults to the domain name (resolved via DNS) when omitted.
/outfile
string
Path to a file where discovered valid credentials are appended in username:password format, one per line. Does not affect TGT output — successful TGTs are saved as <username>.kirbi regardless of this flag.
/noticket
boolean
Do not save TGTs for successful authentications. Instead, print the ticket as a base64 blob to console. By default, Rubeus writes a <username>.kirbi file for every valid credential found.
/verbose
boolean
Enable verbose output. Reports each valid user ([+] Valid user), each invalid user ([-] Invalid user), and each blocked or disabled account ([-] Blocked/Disabled user) as they are evaluated. Automatically enabled when /users is supplied.
/nowrap
boolean
Suppress line-wrapping of base64 ticket blobs in console output.

Usage Examples

Rubeus.exe brute /password:Winter2024! /users:C:\temp\users.txt /domain:corp.local /dc:dc01.corp.local /outfile:valid_creds.txt

Kerberos password spraying increments the badPwdCount attribute on each targeted account in Active Directory with every failed attempt, exactly as NTLM and LDAP authentication failures do. If the domain’s account lockout policy (lockoutThreshold) is set to a low value (commonly 5–10 attempts), aggressive spraying will lock out accounts. Always verify the domain lockout policy before running this command, use a conservative attempt cadence, and prefer a single-password spray over a full password list to minimize lockout risk.

Rubeus distinguishes between four KDC responses (three error codes and a successful AS-REP) during brute-forcing to classify results without actually authenticating: KDC_ERR_C_PRINCIPAL_UNKNOWN (user does not exist), KDC_ERR_PREAUTH_FAILED (wrong password, valid user), KDC_ERR_CLIENT_REVOKED (account disabled or locked), and a successful AS-REP (correct password). Security monitoring tools such as Microsoft Defender for Identity and many SIEM rules specifically watch for a burst of KDC_ERR_PREAUTH_FAILED (Event ID 4771) events from a single source, which is the primary detection signal for this technique.
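
The detection signal described above, as an added example that is not part of the Rubeus documentation or code: a sliding-window pass over Event ID 4771 records that flags a source failing pre-authentication against many accounts (spray) or repeatedly against one account (brute force). The comma-separated record layout, the sample events and the thresholds are constructed assumptions; 0x18 is the 4771 failure code for KDC_ERR_PREAUTH_FAILED.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREAUTH_FAILED = "0x18"  # 4771 failure code for KDC_ERR_PREAUTH_FAILED

# Constructed sample records: time,event_id,target_user,client_ip,failure_code
SAMPLE_EVENTS = """\
2024-01-15T08:30:00,4771,alice,10.0.0.20,0x18
2024-01-15T09:00:01,4771,alice,10.0.0.50,0x18
2024-01-15T09:00:02,4771,bob,10.0.0.50,0x18
2024-01-15T09:00:03,4771,carol,10.0.0.50,0x18
2024-01-15T09:00:04,4771,dave,10.0.0.50,0x18
2024-01-15T09:00:05,4771,erin,10.0.0.50,0x12
2024-01-15T09:10:00,4771,svc_backup,10.0.0.77,0x18
2024-01-15T09:10:05,4771,svc_backup,10.0.0.77,0x18
2024-01-15T09:10:10,4771,svc_backup,10.0.0.77,0x18
2024-01-15T09:10:15,4771,svc_backup,10.0.0.77,0x18
2024-01-15T09:10:20,4771,svc_backup,10.0.0.77,0x18
2024-01-15T11:00:00,4771,alice,10.0.0.20,0x18
"""

def parse(text):
    """Yield (time, user, source_ip) for each 4771 pre-auth failure."""
    for line in text.strip().splitlines():
        ts, event_id, user, ip, status = line.split(",")
        if event_id == "4771" and status.lower() == PREAUTH_FAILED:
            yield datetime.fromisoformat(ts), user.lower(), ip

def detect(events, window=timedelta(seconds=60), min_users=4, min_attempts=5):
    """Map source IP -> findings: many users (spray) or one user (bruteforce)."""
    recent = defaultdict(deque)  # source_ip -> (time, user) pairs inside window
    alerts = defaultdict(set)
    for ts, user, ip in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        if len(per_user) >= min_users:
            alerts[ip].add("spray")
        if max(per_user.values()) >= min_attempts:
            alerts[ip].add("bruteforce")
    return dict(alerts)

if __name__ == "__main__":
    for ip, findings in detect(parse(SAMPLE_EVENTS)).items():
        print(ip, sorted(findings))
```

Thresholds should sit below the domain's lockoutThreshold and above the normal rate of mistyped passwords from shared sources such as VPN concentrators or proxies.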
