Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
describe parses a KRB_CRED structure — either from a base64-encoded blob or a .kirbi file — and prints a rich summary of its internal fields: the client and server principal names, realm, ticket flags, key usage, encryption types, and validity windows. When decryption keys are supplied Rubeus can go further and decode the encrypted part of the ticket to expose the full PAC, authorisation data, and session key material. The command is read-only and makes no changes to any logon session.
Flags
The ticket to inspect. Accepts a base64-encoded
.kirbi blob or a path to a .kirbi file on disk. This flag is mandatory.The RC4 (NTLM) or AES key of the target service account, supplied as a hex string. When provided Rubeus decrypts the service ticket’s
enc-part and displays the full PAC and session key.The KRBTGT key as a hex string. Used to verify and decrypt the KDC-signed portions of the PAC (KDCChecksum, TicketChecksum), confirming that the PAC has not been tampered with.
The AS-REP encryption key as a hex string. Supplies the key needed to decrypt an AS-REP-derived ticket.
The username of the service account. When combined with
/servicedomain, Rubeus generates a crackable Hashcat-format hash from an AES-encrypted service ticket — useful when you cannot decrypt but want to crack the key offline.The domain of the service account. Used together with
/serviceuser to construct the crackable hash for AES service tickets.The known plaintext of the first DES block, used for DES-CBC-MD5 ticket decryption when the session key encryption type is DES.
Examples
Parse a ticket without decryption
Display all available metadata from the KRB_CRED structure. No keys required.Decrypt and display the full PAC with a service key
Supply the target service account’s NTLM hash (or AES key) to decrypt the ticket body:Verify PAC integrity with the KRBTGT key
Confirm that the PAC checksums are valid using the KRBTGT AES256 key:Generate a crackable hash from an AES service ticket
When you have an AES-encrypted TGS but not the service key, instruct Rubeus to output a Hashcat-compatible hash:describe never modifies a logon session or contacts a domain controller. All parsing happens locally from the supplied ticket bytes, making it safe to run in any context.