TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
kirbi command modifies the session key embedded in an existing .kirbi (KRB_CRED) file. Some ticket-capture scenarios — such as certain delegation abuses or offline decryption workflows — produce a ticket whose session key is encrypted with a weaker or incorrect cipher. By replacing the session key and its associated encryption type, you can make the ticket usable in contexts that require a specific cipher or where the original session key is no longer valid. The modified ticket can be written to a file, printed as base64, or injected directly into a logon session.
Flags
A base64-encoded
.kirbi blob or path to a .kirbi file containing the ticket to modify.The new session key as a hex string (e.g.
aabbccddeeff...). When omitted, the ticket is re-encoded and output unchanged — the session key is not modified.The encryption type of the new session key. Accepted values:
DES, RC4 (or NTLM), AES128, AES256 (or AES). Defaults to AES256 when not specified.Inject the modified ticket into the current logon session immediately.
Target a specific logon session by LUID when injecting with
/ptt. Requires elevated privileges.Write the modified ticket to the specified file path instead of printing base64 to the console.
Print the base64 ticket output on a single line without line-wrapping.
Examples
Insert a new DES session key and save to file
Replace the embedded session key with a DES key and write the result to disk.Insert an RC4 session key and inject immediately
Substitute the session key and pass-the-ticket in one step.The session key length must match the chosen encryption type: 8 bytes for DES, 16 bytes for RC4 or AES128, and 32 bytes for AES256. Supplying a key of the wrong length will produce an unusable ticket.