describe parses a KRB_CRED structure — either from a base64-encoded blob or a .kirbi file — and prints a rich summary of its internal fields: the client and server principal names, realm, ticket flags, key usage, encryption types, and validity windows. When decryption keys are supplied Rubeus can go further and decode the encrypted part of the ticket to expose the full PAC, authorisation data, and session key material. The command is read-only and makes no changes to any logon session.

Flags

/ticket (string, required)
The ticket to inspect. Accepts a base64-encoded .kirbi blob or a path to a .kirbi file on disk. This flag is mandatory.

/servicekey (string)
The RC4 (NTLM) or AES key of the target service account, supplied as a hex string. When provided Rubeus decrypts the service ticket’s enc-part and displays the full PAC and session key.

/krbkey (string)
The KRBTGT key as a hex string. Used to verify and decrypt the KDC-signed portions of the PAC (KDCChecksum, TicketChecksum), confirming that the PAC has not been tampered with.

/asrepkey (string)
The AS-REP encryption key as a hex string. Supplies the key needed to decrypt an AS-REP-derived ticket.

/serviceuser (string)
The username of the service account. When combined with /servicedomain, Rubeus generates a crackable Hashcat-format hash from an AES-encrypted service ticket — useful when you cannot decrypt but want to crack the key offline.

/servicedomain (string)
The domain of the service account. Used together with /serviceuser to construct the crackable hash for AES service tickets.

/desplaintext (string)
The known plaintext of the first DES block, used for DES-CBC-MD5 ticket decryption when the session key encryption type is DES.

Examples

Parse a ticket without decryption

Display all available metadata from the KRB_CRED structure. No keys required.
Rubeus.exe describe /ticket:doIFuj[...]
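
What a parse without keys can recover, as an added Python example (not Rubeus code): it walks the DER encoding of a KRB-CRED as defined in RFC 4120 and returns the protocol version, message type, and each ticket's realm, service name and encryption type, all of which sit outside the encrypted parts. The helper names and the CORP.LOCAL sample ticket are constructed for illustration.

```python
import base64

def tlv(buf, off=0):
    """Read one DER TLV at off; return (tag, value, offset past it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes that follow
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + n], off + n

def items(buf):
    """Yield (tag, value) for back-to-back TLVs."""
    off = 0
    while off < len(buf):
        tag, val, off = tlv(buf, off)
        yield tag, val

def fields(seq_body):
    """SEQUENCE body of [n] EXPLICIT fields -> {n: inner value, header stripped}."""
    return {t & 0x1F: tlv(v)[1] for t, v in items(seq_body)}

def describe(b64):
    """Summarize the cleartext fields of a base64 KRB-CRED; no keys involved."""
    tag, body, _ = tlv(base64.b64decode(b64))
    if tag != 0x76:  # [APPLICATION 22] identifies KRB-CRED
        raise ValueError("not a KRB-CRED")
    cred, out = fields(tlv(body)[1]), []
    for _, tkt in items(cred[2]):  # tickets [2]: SEQUENCE OF [APPLICATION 1] Ticket
        t = fields(tlv(tkt)[1])  # tkt-vno [0], realm [1], sname [2], enc-part [3]
        sname = "/".join(v.decode() for _, v in items(fields(t[2])[1]))
        etype = int.from_bytes(fields(t[3])[0], "big")  # 18 = AES256, 23 = RC4
        out.append({"realm": t[1].decode(), "sname": sname, "etype": etype})
    return {"pvno": cred[0][0], "msg_type": cred[1][0], "tickets": out}

def der(tag, *parts):  # TLV encoder, only used to build the constructed sample
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_kirbi():
    """Constructed KRB-CRED for CORP.LOCAL; cipher bytes are zero filler, not a real ticket."""
    gs, i = (lambda s: der(0x1B, s.encode())), (lambda v: der(0x02, bytes([v])))
    sname = der(0x30, der(0xA0, i(2)), der(0xA1, der(0x30, gs("krbtgt"), gs("CORP.LOCAL"))))
    enc = der(0x30, der(0xA0, i(18)), der(0xA1, i(2)), der(0xA2, der(0x04, bytes(200))))
    tkt = der(0x61, der(0x30, der(0xA0, i(5)), der(0xA1, gs("CORP.LOCAL")), der(0xA2, sname), der(0xA3, enc)))
    cred_enc = der(0x30, der(0xA0, i(0)), der(0xA2, der(0x04, bytes(16))))
    return base64.b64encode(der(0x76, der(0x30, der(0xA0, i(5)), der(0xA1, i(22)), der(0xA2, der(0x30, tkt)), der(0xA3, cred_enc)))).decode()
```

The sample encodes to a string beginning with doI, the same prefix as the /ticket values on this page, because every KRB-CRED longer than 255 bytes starts with the bytes 0x76 0x82.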

Decrypt and display the full PAC with a service key

Supply the target service account’s NTLM hash (or AES key) to decrypt the ticket body:
Rubeus.exe describe /ticket:doIFuj[...] /servicekey:aad3b435b51404eeaad3b435b51404ee

Verify PAC integrity with the KRBTGT key

Confirm that the PAC checksums are valid using the KRBTGT AES256 key:
Rubeus.exe describe /ticket:doIFuj[...] /krbkey:9b3fd5a2b...c4e1a8d0f

Generate a crackable hash from an AES service ticket

When you have an AES-encrypted TGS but not the service key, instruct Rubeus to output a Hashcat-compatible hash:
Rubeus.exe describe /ticket:doIFuj[...] /serviceuser:svc_mssql /servicedomain:CORP.LOCAL

The hash printed when /serviceuser and /servicedomain are supplied can be fed directly into Hashcat mode 19700 (Kerberos 5, etype 18, TGS-REP) for offline cracking.

describe never modifies a logon session or contacts a domain controller. All parsing happens locally from the supplied ticket bytes, making it safe to run in any context.