dump enumerates Kerberos tickets exactly as klist does, but instead of displaying parsed metadata it outputs the full KRB_CRED bytes for each ticket as a base64-encoded blob. Those blobs can be copied directly into Rubeus.exe ptt /ticket:..., saved to disk for later use, or decoded to .kirbi files for import into other tools.

Without elevation, Rubeus dumps only tickets belonging to the current logon session. In an elevated process it calls LsaEnumerateLogonSessions and extracts tickets from every session on the system, which makes it a powerful one-step way to harvest credentials after gaining SYSTEM.

Flags

/luid (string): Restrict the dump to a single logon session identified by its LUID in hex (e.g. 0x3e4).

/user (string): Filter output to sessions owned by the specified username. Case-insensitive substring match.

/service (string): Filter output to tickets matching the specified service class (e.g. krbtgt to dump only TGTs). Case-insensitive prefix match against the SPN.

/server (string): Filter output to tickets targeting a specific server hostname (e.g. fileserver01.corp.local).

Examples

Dump all tickets from the current session

Print base64-encoded KRB_CRED structures for every ticket in the current logon session:

    Rubeus.exe dump

Dump only TGTs

Filter by the krbtgt service to extract only Ticket-Granting Tickets:

    Rubeus.exe dump /service:krbtgt

Dump tickets for a specific user (elevated)

Useful after obtaining SYSTEM to harvest credentials from a target account:

    Rubeus.exe dump /user:jdoe /service:krbtgt

Dump tickets for a specific logon session

Restrict output to a single session by LUID:

    Rubeus.exe dump /luid:0x4f2b1a

Use the global /consoleoutfile argument to redirect all output, including the base64 blobs, to a file in a single command:

    Rubeus.exe dump /consoleoutfile:C:\Temp\tickets.txt

Extracting tickets from other users’ sessions requires a high-integrity (elevated) process. Running dump without elevation against a /luid that does not belong to the current session will fail with an access-denied error from the LSA.
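
For detection, the base64 blobs described above are recognisable wherever they land (a /consoleoutfile target, a captured console stream): KRB_CRED is ASN.1 [APPLICATION 22], so the decoded bytes open with 0x76 and carry pvno 5 and msg-type 22 (RFC 4120). The scanner below is an added example, not part of Rubeus or its documentation; the function names and the sample input are constructed for illustration.

```python
import base64
import re

# DER for pvno [0] INTEGER 5, msg-type [1] INTEGER 22 (KRB-CRED, RFC 4120)
KRB_CRED_FIELDS = bytes.fromhex("a003020105a103020116")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}")

def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    if buf[pos] < 0x80:                       # short form
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def krb_cred_size(head):
    """Declared total size if head opens a KRB-CRED structure, else None."""
    if not head or head[0] != 0x76:           # [APPLICATION 22] tag
        return None
    outer = der_length(head, 1)
    if outer is None or head[outer[1]:outer[1] + 1] != b"\x30":
        return None
    inner = der_length(head, outer[1] + 1)
    if inner is None or not head.startswith(KRB_CRED_FIELDS, inner[1]):
        return None
    return outer[1] + outer[0]

def find_krb_cred_blobs(text):
    """Return (line_number, declared_size) for each base64 KRB-CRED in text."""
    hits = []
    for m in B64_RUN.finditer(text):
        # 32 base64 chars decode to 24 bytes, enough to cover the header
        size = krb_cred_size(base64.b64decode(m.group()[:32]))
        if size is not None:
            hits.append((text.count("\n", 0, m.start()) + 1, size))
    return hits

def constructed_sample():
    """Constructed input: KRB-CRED header plus zero filler, not a real ticket."""
    body = KRB_CRED_FIELDS + bytes(300)
    inner = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    blob = b"\x76\x82" + len(inner).to_bytes(2, "big") + inner
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join("      " + b64[i:i + 80] for i in range(0, len(b64), 80))
    decoy = base64.b64encode(b"A" * 60).decode()   # base64, but not a ticket
    return "constructed log line\n" + decoy + "\n" + wrapped + "\n"
```

Only the first 24 decoded bytes are inspected, so a blob wrapped across several lines is still matched on its first line, and ordinary base64 data such as the decoy is ignored.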
