
Kerberoasting enumerates Active Directory accounts that have a Service Principal Name (SPN) set and requests Kerberos TGS tickets for each one. The ticket’s encrypted portion is protected with the service account’s password hash, so it can be extracted and cracked offline — no special privileges are required beyond standard domain authentication. Rubeus automates the full pipeline: LDAP enumeration, ticket requests, and formatted hash output ready for Hashcat or John the Ripper.

Flag Reference

/spn (string): Target a single specific SPN directly, e.g. /spn:"MSSQLSvc/db.corp.local:1433". Skips LDAP enumeration and requests a ticket for exactly this SPN. Required when using /nopreauth.

/spns (string): Path to a newline-delimited file of SPNs to roast, e.g. /spns:C:\temp\spns.txt. Can also be a comma-separated list of SPNs passed inline.

/user (string): Restrict Kerberoasting to a specific user account (or a comma-separated list of users), e.g. /user:svcSQL. Only SPNs belonging to that account are targeted.

/domain (string): Target domain to query, e.g. /domain:corp.local. Defaults to the current machine's domain when omitted.

/dc (string): Domain controller to send requests to, e.g. /dc:DC01.corp.local. Useful when targeting a specific site DC or when the default DC is unreachable.

/ou (string): Restrict LDAP enumeration to a specific Organizational Unit, e.g. /ou:"OU=Service Accounts,DC=corp,DC=local". Narrows the target scope to accounts within that OU.

/ldaps (boolean): Use LDAPS (port 636) instead of plain LDAP (port 389) for user enumeration. Useful when standard LDAP is blocked or when an encrypted channel is required.

/ldapfilter (string): Append a custom LDAP filter to the base enumeration query, e.g. /ldapfilter:'admincount=1'. The filter is ANDed with the default SPN enumeration filter, allowing precise targeting.

/creduser (string): Alternate domain credentials for LDAP enumeration and ticket requests, e.g. /creduser:corp.local\svcBackup. Must be in domain\user format. Requires /credpassword.

/credpassword (string): Password for the alternate credential user specified with /creduser, e.g. /credpassword:P@ssw0rd. Both flags must be supplied together.

/ticket (string): Use an existing TGT instead of the current logon session, supplied as a base64-encoded .kirbi blob or a path to a .kirbi file, e.g. /ticket:ticket.kirbi. The TGT is used to request service tickets without touching the current session.

/enterprise (boolean): Request tickets using the enterprise principal format (user@domain.com UPN style). Requires /spn or /spns, and either /ticket or /usetgtdeleg.

/autoenterprise (boolean): Automatically retry with the enterprise principal format if the standard SPN request fails. Does nothing when /spn or /spns is explicitly supplied. Requires /ticket or /usetgtdeleg.

/usetgtdeleg (boolean): Obtain a TGT via the Kerberos GSS-API delegation trick (tgtdeleg) and use it to request service tickets. No plaintext credentials or existing ticket file are needed; it works from any domain-joined session. /tgtdeleg is accepted as an alias for this flag.

/rc4opsec (boolean): Opsec-oriented Kerberoasting mode. Filters out accounts that have AES keys configured and only roasts accounts that still use RC4. This avoids requesting a downgraded RC4 ticket for an AES-enabled account, which produces a distinctive 4769 event with encryption type 0x17.

/aes (boolean): Request AES-encrypted service tickets instead of the default RC4. Only targets accounts that have AES keys configured. Produces AES128 or AES256 hashes depending on the account's supported encryption types.

/nopreauth (string): Roast target SPNs by sending AS-REQs through a Kerberos account that does not require pre-authentication, e.g. /nopreauth:weakacct. Requires /spn or /spns. Useful when you have a pre-auth-disabled account but no valid TGT.

/stats (boolean): Enumerate Kerberoastable accounts and print statistics (count by encryption type, password age buckets) without actually requesting any service tickets. Useful for recon and scoping.

/outfile (string): Write all extracted hashes to a file instead of (or in addition to) the console, e.g. /outfile:hashes.txt. Each hash is written on its own line in the standard Hashcat/John format.

/simple (boolean): Output hashes in the Hashcat file format directly to the console (one hash per line, no Rubeus banner framing). Convenient for piping output into another tool.

/pwdsetafter (string): Filter to only roast accounts whose password was set after the specified date, e.g. /pwdsetafter:01-31-2020. Date format is MM-DD-YYYY. Combine with /pwdsetbefore to define a window.

/pwdsetbefore (string): Filter to only roast accounts whose password was set before the specified date, e.g. /pwdsetbefore:12-31-2022. Date format is MM-DD-YYYY.

/resultlimit (integer): Cap the number of accounts roasted, e.g. /resultlimit:5. Useful for testing or when you only need a sample of hashes.

/delay (integer): Milliseconds to wait between each ticket request, e.g. /delay:5000. Must be greater than 100 ms. Use with /jitter to randomize the inter-request timing and reduce detection risk.

/jitter (integer): Percentage jitter applied to the /delay value, e.g. /jitter:30 for ±30% randomisation. Valid range is 1–100. Has no effect unless /delay is also specified.

/nowrap (boolean): Prevent base64 ticket blobs from being line-wrapped at 80 characters in console output. Useful when copying output for use in other tools.

Usage Examples

Rubeus.exe kerberoast
Opsec considerations: By default, Rubeus requests RC4 (etype 0x17) tickets even for accounts that support AES, which generates Windows Security event 4769 with encryption type 0x17. Defenders commonly alert on this. Use /rc4opsec to skip AES-enabled accounts entirely, or /aes to request AES tickets; both avoid the distinctive downgrade signal. Combining /delay and /jitter spreads the requests out so the rate looks more like legitimate TGS traffic. The /usetgtdeleg and /ticket options avoid writing new credentials to disk or calling LSASS.
Cracking with Hashcat:
  • RC4 hashes ($krb5tgs$23$...): hashcat -m 13100 hashes.txt wordlist.txt
  • AES-128 hashes ($krb5tgs$17$...): hashcat -m 19600 hashes.txt wordlist.txt
  • AES-256 hashes ($krb5tgs$18$...): hashcat -m 19700 hashes.txt wordlist.txt
Use /simple or /outfile to get clean hash output with no banner text that would confuse the cracker's hash parser.
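The opsec notes above describe exactly what a defender should be matching on in event 4769: RC4 (0x17) service-ticket requests for user-based SPNs, and one principal requesting tickets for many distinct services in a short span, which remains visible even when /aes suppresses the etype signal. The following added example (not Rubeus code, and not from any vendor's detection content) runs both rules over constructed 4769 records; the line format, the field names taken from the event, the 5-minute window and the threshold of 5 distinct services are assumptions.

```python
"""Detection logic for Kerberoasting signals in Windows Security event 4769.

Constructed sample lines stand in for a 4769 export from a SIEM; field names
mirror the event's own. Added example; thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType for RC4-HMAC: the downgrade signal
AES128 = 0x11
AES256 = 0x12

# Constructed events: jsmith is ordinary traffic, bob roasts with RC4,
# eve roasts with AES only, alice requests a single service ticket.
SAMPLE_4769_LINES = """\
2024-06-01T09:00:00Z TargetUserName=jsmith@CORP.LOCAL ServiceName=WEB01$ TicketEncryptionType=0x12 IpAddress=10.0.0.15 Status=0x0
2024-06-01T09:05:00Z TargetUserName=jsmith@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.15 Status=0x0
2024-06-01T10:00:00Z TargetUserName=bob@CORP.LOCAL ServiceName=svcSQL TicketEncryptionType=0x17 IpAddress=10.0.0.42 Status=0x0
2024-06-01T10:00:01Z TargetUserName=bob@CORP.LOCAL ServiceName=svcWeb TicketEncryptionType=0x17 IpAddress=10.0.0.42 Status=0x0
2024-06-01T10:00:02Z TargetUserName=bob@CORP.LOCAL ServiceName=svcBackup TicketEncryptionType=0x17 IpAddress=10.0.0.42 Status=0x0
2024-06-01T10:00:03Z TargetUserName=bob@CORP.LOCAL ServiceName=svcReport TicketEncryptionType=0x17 IpAddress=10.0.0.42 Status=0x0
2024-06-01T10:00:04Z TargetUserName=bob@CORP.LOCAL ServiceName=svcMonitor TicketEncryptionType=0x17 IpAddress=10.0.0.42 Status=0x0
2024-06-01T11:00:00Z TargetUserName=eve@CORP.LOCAL ServiceName=svcSQL TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0
2024-06-01T11:00:30Z TargetUserName=eve@CORP.LOCAL ServiceName=svcWeb TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0
2024-06-01T11:01:00Z TargetUserName=eve@CORP.LOCAL ServiceName=svcBackup TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0
2024-06-01T11:01:30Z TargetUserName=eve@CORP.LOCAL ServiceName=svcReport TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0
2024-06-01T11:02:00Z TargetUserName=eve@CORP.LOCAL ServiceName=svcMonitor TicketEncryptionType=0x12 IpAddress=10.0.0.77 Status=0x0
2024-06-01T12:00:00Z TargetUserName=alice@CORP.LOCAL ServiceName=svcWeb TicketEncryptionType=0x12 IpAddress=10.0.0.90 Status=0x0
"""


def parse_4769(text):
    """Parse 'timestamp key=value ...' lines into event dicts with typed helper fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        ev["etype"] = int(ev["TicketEncryptionType"], 16)
        ev["user"] = ev["TargetUserName"].split("@")[0].lower()
        events.append(ev)
    return events


def is_user_service(name):
    """Tickets for computer accounts (name$) and krbtgt are not Kerberoasting material."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_requests(events):
    """Rule 1: successful RC4 (0x17) service-ticket requests for user-based SPNs."""
    return [(e["user"], e["ServiceName"]) for e in events
            if e["etype"] == RC4_HMAC and e.get("Status") == "0x0"
            and is_user_service(e["ServiceName"])]


def burst_requesters(events, window=timedelta(minutes=5), threshold=5):
    """Rule 2: one principal requesting >= threshold distinct user-based services
    inside any sliding window. Independent of etype, so it still fires on AES-only
    roasting, where rule 1 is silent."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("Status") == "0x0" and is_user_service(e["ServiceName"]):
            by_user[e["user"]].append((e["time"], e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[user] = services
                break
    return flagged


if __name__ == "__main__":
    evs = parse_4769(SAMPLE_4769_LINES)
    for user, svc in rc4_service_requests(evs):
        print(f"[rule1] RC4 service ticket: {user} -> {svc}")
    for user, svcs in burst_requesters(evs).items():
        print(f"[rule2] {user} requested {len(svcs)} distinct services: {sorted(svcs)}")
```

Rule 1 catches the default RC4 behaviour and /rc4opsec runs alike, since both produce 0x17 tickets for user SPNs; only an all-AES estate removes that signal, at which point rule 2 is what remains. The /delay and /jitter options exist precisely to stretch a burst past a short window, so the window and threshold should be tuned against the baseline of how many distinct user-based services a principal normally touches per hour, and the rule is best paired with the source IpAddress and a 4768 (TGT request) correlation rather than applied in isolation.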
