Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

The kirbi command modifies the session key embedded in an existing .kirbi (KRB_CRED) file. Some ticket-capture scenarios — such as certain delegation abuses or offline decryption workflows — produce a ticket whose session key is encrypted with a weaker or incorrect cipher. By replacing the session key and its associated encryption type, you can make the ticket usable in contexts that require a specific cipher or where the original session key is no longer valid. The modified ticket can be written to a file, printed as base64, or injected directly into a logon session.

Flags

/kirbi
string
required
A base64-encoded .kirbi blob or path to a .kirbi file containing the ticket to modify.
/sessionkey
string
The new session key as a hex string (e.g. aabbccddeeff...). When omitted, the ticket is re-encoded and output unchanged — the session key is not modified.
/sessionetype
string
The encryption type of the new session key. Accepted values: DES, RC4 (or NTLM), AES128, AES256 (or AES). Defaults to AES256 when not specified.
/ptt
flag
Inject the modified ticket into the current logon session immediately.
/luid
string
Target a specific logon session by LUID when injecting with /ptt. Requires elevated privileges.
/outfile
string
Write the modified ticket to the specified file path instead of printing base64 to the console.
/nowrap
flag
Print the base64 ticket output on a single line without line-wrapping.

Examples

Insert a new DES session key and save to file

Replace the embedded session key with a DES key and write the result to disk.
Rubeus.exe kirbi /kirbi:C:\tickets\captured.kirbi /sessionkey:aabbccddeeff0011 /sessionetype:DES /outfile:C:\tickets\modified.kirbi

Insert an RC4 session key and inject immediately

Substitute the session key and pass-the-ticket in one step.
Rubeus.exe kirbi /kirbi:C:\tickets\captured.kirbi /sessionkey:aabbccddeeff00112233445566778899 /sessionetype:RC4 /ptt
The session key length must match the chosen encryption type: 8 bytes for DES, 16 bytes for RC4 or AES128, and 32 bytes for AES256. Supplying a key of the wrong length will produce an unusable ticket.

Build docs developers (and LLMs) love