The hash command derives all four Kerberos key types from a plaintext password in a single operation. Supply /user and /domain to produce correct AES keys, since the AES key derivation standard (RFC 3962) salts the PBKDF2 function with the string DOMAIN.COMusername — omitting them yields unsalted AES keys that will not match what Active Directory stores.

Flags

/password (string, required)
The plaintext password to hash. This is the only required flag.

/user (string)
The account username. Combined with /domain to form the AES salt (DOMAIN.COMusername). You can also supply the value as DOMAIN\username to set both flags at once.

/domain (string)
The DNS domain name (e.g. CORP.LOCAL). Used alongside /user to build the correct AES salt. Ignored when /user is not provided.

AES salts in Kerberos are case-sensitive. Always pass the domain in its canonical uppercase DNS form (e.g. CORP.LOCAL) and the username in the exact case stored in Active Directory to produce keys that match the KDC.
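
The salt sensitivity described above, as an added example that is not Rubeus code: it builds the salt in the DOMAIN.COMusername form and runs only the PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key, so its output is intermediate material, not the aes256_cts_hmac_sha1 value Rubeus prints. The function names, the lint rules and the use of the RFC's default iteration count of 4096 are assumptions made for this illustration.

```python
import hashlib

ITERATIONS = 4096  # RFC 3962 default when no string-to-key parameters are sent (assumed here)

def build_salt(user: str, domain: str) -> str:
    """User-principal salt in the form the page describes: realm, then username, no separator."""
    return f"{domain}{user}"

def salt_warnings(user: str, domain: str) -> list[str]:
    """Flag inputs that depart from the form the page asks for (hypothetical lint rules)."""
    issues = []
    if not user or not domain:
        issues.append("user or domain missing: AES keys would be unsalted")
    if domain and domain != domain.upper():
        issues.append("domain is not uppercase")
    if domain and "." not in domain:
        issues.append("domain does not look like a DNS name (NetBIOS name?)")
    if "@" in user or "\\" in user:
        issues.append("username still contains a realm or domain prefix")
    return issues

def pbkdf2_stage(password: str, salt: str, iterations: int = ITERATIONS, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 over the UTF-8 password and salt: the first stage of RFC 3962
    string-to-key. The RFC then feeds this through DK(..., "kerberos"), omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, length)

def compare_variants(password: str, variants: list[tuple[str, str]]) -> dict[str, str]:
    """Map each candidate salt to its PBKDF2 output (hex) so mismatches are visible."""
    return {build_salt(u, d): pbkdf2_stage(password, build_salt(u, d)).hex() for u, d in variants}

if __name__ == "__main__":
    # Constructed sample inputs, reusing the page's jdoe / CORP.LOCAL example.
    variants = [("jdoe", "CORP.LOCAL"), ("jdoe", "corp.local"), ("JDoe", "CORP.LOCAL"), ("", "")]
    for salt, material in compare_variants("Summer2024!", variants).items():
        print(f"{salt!r:20} {material}")
    for user, domain in variants:
        print(repr(user), repr(domain), salt_warnings(user, domain))
```

Every variant yields different PBKDF2 output, which is why a key computed with the wrong case or with no salt never matches the one held by the KDC.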

Examples

Hash a password without a salt

When no user or domain is supplied, Rubeus still computes all four key types. The AES keys will be unsalted and will not match what a domain controller stores for a real account, but the output is useful for standalone password testing.
Rubeus.exe hash /password:Summer2024!
Expected output:
[*] Action: Calculate Password Hash(es)

[*] Input password             : Summer2024!
[*] rc4_hmac                   : A3B4C5D6E7F8A1B2C3D4E5F6A7B8C9D0
[*] aes128_cts_hmac_sha1       : 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D
[*] aes256_cts_hmac_sha1       : 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B
[*] des_cbc_md5                : A1B2C3D4E5F6A7B8

Hash with user and domain for correct AES keys

Pass /user and /domain to compute AES keys that match the domain controller’s stored values. These are the keys to use with /aes128 or /aes256 in commands such as asktgt.
Rubeus.exe hash /password:Summer2024! /user:jdoe /domain:CORP.LOCAL
Expected output:
[*] Action: Calculate Password Hash(es)

[*] Input password             : Summer2024!
[*] Input username             : jdoe
[*] Input domain               : CORP.LOCAL
[*] Salt                       : CORP.LOCALjdoe
[*] rc4_hmac                   : A3B4C5D6E7F8A1B2C3D4E5F6A7B8C9D0
[*] aes128_cts_hmac_sha1       : 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D
[*] aes256_cts_hmac_sha1       : 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B
[*] des_cbc_md5                : A1B2C3D4E5F6A7B8
Use the rc4_hmac output directly as an NTLM hash for pass-the-hash attacks, or supply the aes256_cts_hmac_sha1 value to asktgt /aes256:HASH for an opsec-friendly TGT request that avoids RC4 downgrade indicators.