Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

The preauthscan command identifies Active Directory accounts that have the “Do not require Kerberos preauthentication” flag set (DONT_REQUIRE_PREAUTH). Rather than querying LDAP — which requires domain credentials — it probes the KDC directly by sending an AS-REQ without pre-authentication data for each username in the supplied list. If the KDC returns an AS-REP (rather than a KDC_ERR_PREAUTH_REQUIRED error), the account does not require pre-authentication and is eligible for an AS-REP roasting attack. This makes preauthscan effective from an unauthenticated or low-privilege position.

Flags

/users
string
required
Path to a newline-delimited text file of usernames to probe, or a comma-separated list of usernames supplied directly on the command line.
/domain
string
The DNS domain name to probe (e.g. corp.local). Defaults to the domain of the machine running Rubeus when omitted.
/dc
string
Hostname or IP address of the domain controller to send AS-REQs to. Defaults to automatic DC discovery when not specified.
/proxyurl
string
URL of a KDC proxy (MS-KKDCP endpoint) to route AS-REQs through, e.g. https://kdcproxy.corp.local/KdcProxy. Useful when port 88 is not directly reachable.
preauthscan does not require domain credentials or LDAP access. All communication goes directly to the KDC over port 88 (or via the KDC proxy). However, each probe generates a Kerberos AS-REQ event (Event ID 4768) on the domain controller, which may be logged.

Examples

Scan from a username file

Provide a text file with one username per line. Rubeus probes each account against the current machine’s domain.
Rubeus.exe preauthscan /users:C:\temp\users.txt

Scan targeting a specific domain controller

Route all probes to a particular DC, bypassing automatic discovery.
Rubeus.exe preauthscan /users:C:\temp\users.txt /domain:corp.local /dc:dc01.corp.local

Scan via a KDC proxy

Use an HTTPS KDC proxy when the Kerberos port (88) is firewalled but the proxy endpoint is reachable.
Rubeus.exe preauthscan /users:C:\temp\users.txt /domain:corp.local /proxyurl:https://kdcproxy.corp.local/KdcProxy
Accounts identified by preauthscan can be targeted immediately with Rubeus.exe asreproast /user:USERNAME /domain:DOMAIN to capture an AS-REP hash for offline cracking.

Build docs developers (and LLMs) love