TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
preauthscan command identifies Active Directory accounts that have the “Do not require Kerberos preauthentication” flag set (DONT_REQUIRE_PREAUTH). Rather than querying LDAP — which requires domain credentials — it probes the KDC directly by sending an AS-REQ without pre-authentication data for each username in the supplied list. If the KDC returns an AS-REP (rather than a KDC_ERR_PREAUTH_REQUIRED error), the account does not require pre-authentication and is eligible for an AS-REP roasting attack. This makes preauthscan effective from an unauthenticated or low-privilege position.
Flags
Path to a newline-delimited text file of usernames to probe, or a comma-separated list of usernames supplied directly on the command line.
The DNS domain name to probe (e.g.
corp.local). Defaults to the domain of the machine running Rubeus when omitted.Hostname or IP address of the domain controller to send AS-REQs to. Defaults to automatic DC discovery when not specified.
URL of a KDC proxy (MS-KKDCP endpoint) to route AS-REQs through, e.g.
https://kdcproxy.corp.local/KdcProxy. Useful when port 88 is not directly reachable.preauthscan does not require domain credentials or LDAP access. All communication goes directly to the KDC over port 88 (or via the KDC proxy). However, each probe generates a Kerberos AS-REQ event (Event ID 4768) on the domain controller, which may be logged.