Kerberoasting enumerates Active Directory accounts that have a Service Principal Name (SPN) set and requests Kerberos TGS tickets for each one. The ticket’s encrypted portion is protected with the service account’s password hash, so it can be extracted and cracked offline — no special privileges are required beyond standard domain authentication. Rubeus automates the full pipeline: LDAP enumeration, ticket requests, and formatted hash output ready for Hashcat or John the Ripper.
Flag Reference
- /spn: Target a single specific SPN directly, e.g. /spn:"MSSQLSvc/db.corp.local:1433". Skips LDAP enumeration and requests a ticket for exactly this SPN. Required when using /nopreauth.
- /spns: Path to a newline-delimited file of SPNs to roast, e.g. /spns:C:\temp\spns.txt. Can also be a comma-separated list of SPNs passed inline.
- /user: Restrict Kerberoasting to a specific user account (or a comma-separated list of users), e.g. /user:svcSQL. Only SPNs belonging to that account are targeted.
- /domain: Target domain to query, e.g. /domain:corp.local. Defaults to the current machine’s domain when omitted.
- /dc: Domain controller to send requests to, e.g. /dc:DC01.corp.local. Useful when targeting a specific site DC or when the default DC is unreachable.
- /ou: Restrict LDAP enumeration to a specific Organizational Unit, e.g. /ou:"OU=Service Accounts,DC=corp,DC=local". Narrows the target scope to accounts within that OU.
- /ldaps: Use LDAPS (port 636) instead of plain LDAP (port 389) for user enumeration. Useful when standard LDAP is blocked or when an encrypted channel is required.
- /ldapfilter: Append a custom LDAP filter to the base enumeration query, e.g. /ldapfilter:'admincount=1'. The filter is ANDed with the default SPN enumeration filter, allowing precise targeting.
- /creduser: Alternate domain credentials for LDAP enumeration and ticket requests, e.g. /creduser:corp.local\svcBackup. Must be in domain\user format. Requires /credpassword.
- /credpassword: Password for the alternate credential user specified with /creduser, e.g. /credpassword:P@ssw0rd. Both flags must be supplied together.
- /ticket: Use an existing TGT instead of the current logon session, supplied as a base64-encoded .kirbi blob or a path to a .kirbi file, e.g. /ticket:ticket.kirbi. The TGT is used to request service tickets without touching the current session.
- /enterprise: Request tickets using enterprise principal format (user@domain.com UPN style). Requires /spn or /spns, and either /ticket or /usetgtdeleg.
- /autoenterprise: Automatically retry with enterprise principal format if the standard SPN request fails. Does nothing when /spn or /spns is explicitly supplied. Requires /ticket or /usetgtdeleg.
- /usetgtdeleg: Obtain a TGT via the Kerberos GSS-API delegation trick (tgtdeleg) and use it to request service tickets. No plaintext credentials or existing ticket file needed — works from any domain-joined session. /tgtdeleg is accepted as an alias for this flag.
- /rc4opsec: Opsec-oriented Kerberoasting mode. Filters out accounts that have AES keys configured and only roasts accounts that still use RC4. This avoids requesting a downgraded RC4 ticket for an AES-enabled account, which produces a distinctive 4769 event with encryption type 0x17.
- /aes: Request AES-encrypted service tickets instead of the default RC4. Only targets accounts that have AES keys configured. Produces AES128 or AES256 hashes depending on the account’s supported encryption types.
- /nopreauth: Roast target SPNs by sending AS-REQs through a Kerberos account that does not require pre-authentication, e.g. /nopreauth:weakacct. Requires /spn or /spns. Useful when you have a pre-auth-disabled account but no valid TGT.
- /stats: Enumerate Kerberoastable accounts and print statistics (count by encryption type, password age buckets) without actually requesting any service tickets. Useful for recon and scoping.
- /outfile: Write all extracted hashes to a file instead of (or in addition to) the console, e.g. /outfile:hashes.txt. Each hash is written on its own line in the standard Hashcat/John format.
- /simple: Output hashes in the Hashcat file format directly to the console (one hash per line, no Rubeus banner framing). Convenient for piping output into another tool.
- /pwdsetafter: Filter to only roast accounts whose password was set after the specified date, e.g. /pwdsetafter:01-31-2020. Date format is MM-DD-YYYY. Combine with /pwdsetbefore to define a window.
- /pwdsetbefore: Filter to only roast accounts whose password was set before the specified date, e.g. /pwdsetbefore:12-31-2022. Date format is MM-DD-YYYY.
- /resultlimit: Cap the number of accounts roasted, e.g. /resultlimit:5. Useful for testing or when you only need a sample of hashes.
- /delay: Milliseconds to wait between each ticket request, e.g. /delay:5000. Must be greater than 100 ms. Use with /jitter to randomize the inter-request timing and reduce detection risk.
- /jitter: Percentage jitter applied to the /delay value, e.g. /jitter:30 for ±30% randomisation. Valid range is 1–100. Has no effect unless /delay is also specified.
- /nowrap: Prevent base64 ticket blobs from being line-wrapped at 80 characters in console output. Useful when copying output for use in other tools.
Usage Examples
Opsec considerations: By default, Rubeus requests RC4 (etype 0x17) tickets even for accounts that support AES, which generates Windows Security event 4769 with encryption type 0x17. Defenders commonly alert on this. Use /rc4opsec to skip AES-enabled accounts entirely, or use /aes to request AES tickets — both approaches reduce the footprint of a downgrade. When combined with /delay and /jitter, the request rate blends more naturally with legitimate TGS traffic. The /usetgtdeleg and /ticket options avoid writing new credentials to disk or calling LSASS.
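The two signals named above (an RC4 0x17 ticket issued for an AES-capable account, and a burst of TGS requests for many distinct services from one client) can be checked directly against Security event 4769 data. The following detection logic is an added example written for this page; it is not part of Rubeus. The service-account inventory, the 4769 records and the thresholds (60-second window, three distinct services) are constructed assumptions; in practice the inventory comes from an LDAP export of msDS-SupportedEncryptionTypes and the events from a SIEM.

```python
import datetime as dt
from collections import defaultdict

# msDS-SupportedEncryptionTypes bit flags (Microsoft-documented values).
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10

# Constructed inventory of SPN-bearing accounts, keyed by sAMAccountName
# (not real data). An account with no AES bits set is treated as RC4-only,
# which is a simplification of the KDC's default handling.
SERVICE_ACCOUNTS = {
    "svcSQL": RC4_HMAC | AES128 | AES256,
    "svcWeb": RC4_HMAC,
    "svcBackup": RC4_HMAC | AES256,
}

# Constructed Security event 4769 records; field names follow the event XML.
# ServiceName is the account the ticket was issued for; 0x17 = RC4-HMAC,
# 0x11 = AES128, 0x12 = AES256.
EVENTS_4769 = [
    {"time": "2024-05-01T10:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svcSQL", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T10:05:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svcSQL", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2024-05-01T10:05:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svcWeb", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2024-05-01T10:05:03", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svcBackup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2024-05-01T10:40:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svcWeb", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
]

RC4_ETYPE = "0x17"


def supports_aes(account, inventory=SERVICE_ACCOUNTS):
    """True when the account has at least one AES key type enabled."""
    return bool(inventory.get(account, 0) & (AES128 | AES256))


def is_rc4_downgrade(event, inventory=SERVICE_ACCOUNTS):
    """Signal 1: an RC4 ticket was issued for an account that supports AES.

    Legitimate clients negotiate AES for such accounts, so 0x17 here means the
    requester deliberately asked for RC4 (the default Rubeus behaviour)."""
    return (event["TicketEncryptionType"].lower() == RC4_ETYPE
            and supports_aes(event["ServiceName"], inventory))


def find_request_bursts(events, window_seconds=60, min_services=3):
    """Signal 2: one client IP obtains tickets for many distinct services
    inside a short window, regardless of encryption type (so it still fires
    on /aes roasting, which avoids the 0x17 signal).

    Returns {ip: max distinct services seen in any window} for IPs over the
    threshold. /delay and /jitter stretch this out, so the window should be
    tuned to the environment's normal TGS rate."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IpAddress"]].append((dt.datetime.fromisoformat(e["time"]), e["ServiceName"]))

    bursts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        best, j = 0, 0
        for i in range(len(reqs)):
            # Slide the right edge forward while it stays within the window.
            while j < len(reqs) and (reqs[j][0] - reqs[i][0]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, len({svc for _, svc in reqs[i:j]}))
        if best >= min_services:
            bursts[ip] = best
    return bursts


def analyze(events=EVENTS_4769, inventory=SERVICE_ACCOUNTS):
    """Run both signals and return the findings as plain data."""
    downgrades = [(e["IpAddress"], e["ServiceName"]) for e in events if is_rc4_downgrade(e, inventory)]
    return {"rc4_downgrades": downgrades, "bursts": find_request_bursts(events)}


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

In the constructed data, 10.0.0.77 trips both signals: it received RC4 tickets for svcSQL and svcBackup, which both have AES keys, and it collected tickets for three distinct services within three seconds. The RC4 ticket for svcWeb is not a downgrade because that account is RC4-only, which is exactly the population /rc4opsec limits itself to; the burst rule is what still catches that case.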