Pass-the-ticket (PtT) is the technique of injecting a Kerberos ticket directly into a Windows logon session so that subsequent Kerberos-authenticated requests use it automatically. Rubeus ptt calls the LsaCallAuthenticationPackage API to import a KRB_CRED structure — either decoded from a base64 blob or read from a .kirbi file on disk — into the target logon session cache. By default the ticket lands in your own session; supplying /luid redirects it into any other session on the machine, which requires SYSTEM or equivalent privileges.

Flags

/ticket (string, required)
The Kerberos ticket to inject. Accepts either a base64-encoded .kirbi blob or a path to a .kirbi file on disk. This flag is mandatory — the command exits immediately without it.

/luid (string)
The Logon Session ID (LUID) of the target logon session, expressed as a hex value (e.g. 0x1234ab). When omitted Rubeus injects into the current session. Targeting any other LUID requires an elevated (high-integrity) process.

Examples

Inject from a base64-encoded ticket blob

The most common workflow after a dump or tgtdeleg run: copy the printed base64 string and inject it directly.
Rubeus.exe ptt /ticket:doIFuj[...]

Inject from a .kirbi file on disk

If you already have a .kirbi file (e.g. saved by Mimikatz’s kerberos::list /export or Rubeus /outfile):
Rubeus.exe ptt /ticket:C:\Temp\jdoe_krbtgt.kirbi

Inject into a specific logon session (elevated)

First find the LUID you want to target with Rubeus.exe triage, then pass it here:
Rubeus.exe ptt /ticket:doIFuj[...] /luid:0x4f2b1a

Targeting a /luid other than your own requires a high-integrity (elevated / SYSTEM) process. Attempting this without elevation will fail with an access-denied error from the LSA.

Rubeus accepts either a raw base64 string or a file path for /ticket. If the value is a valid base64 string it is decoded in memory; if not, Rubeus checks whether it is a path to an existing file. Any other input produces an error.

After injecting a ticket you can verify it landed correctly with Rubeus.exe klist or Rubeus.exe triage. Use Rubeus.exe purge to remove it when finished.
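
For defenders, the /ticket handling described above can be mirrored when reviewing process-creation command lines. The following is an added example, not Rubeus code: it applies the same base64-first order and checks for the KRB_CRED outer tag (0x76, ASN.1 APPLICATION 22). The function names, result labels and sample command lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re

KRB_CRED_TAG = 0x76  # ASN.1 [APPLICATION 22]: first byte of a KRB_CRED (.kirbi)
ARG_RE = re.compile(r'/(ticket|luid):("[^"]*"|\S+)', re.IGNORECASE)
PTT_RE = re.compile(r'(?:^|\s)ptt(?:\s|$)', re.IGNORECASE)

def classify_ticket(value):
    """Same order as the documented behaviour: base64 first, then a file path."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        # Not base64. Logs are reviewed off-host, so file existence is not checked.
        return "path-or-invalid"
    return "base64-krb-cred" if raw[:1] == bytes([KRB_CRED_TAG]) else "base64-other"

def inspect_cmdline(cmdline):
    """Return a finding for a ptt-style command line, or None if it is not one."""
    if not PTT_RE.search(cmdline):
        return None
    args = {k.lower(): v.strip('"') for k, v in ARG_RE.findall(cmdline)}
    if "ticket" not in args:
        return None
    return {
        "ticket_kind": classify_ticket(args["ticket"]),
        "luid": args.get("luid"),
        # /luid targets another logon session, which needs an elevated process
        "cross_session": "luid" in args,
    }

# Constructed sample data: a KRB_CRED-shaped header plus zero bytes, not a ticket.
FAKE_BLOB = base64.b64encode(b"\x76\x82\x00\x10" + bytes(16)).decode()
SAMPLE_CMDLINES = [
    f"Rubeus.exe ptt /ticket:{FAKE_BLOB}",
    r"Rubeus.exe ptt /ticket:C:\Temp\jdoe_krbtgt.kirbi",
    f"Rubeus.exe ptt /ticket:{FAKE_BLOB} /luid:0x4f2b1a",
    r"notepad.exe C:\Users\jdoe\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(inspect_cmdline(line), "<-", line[:60])
```

A cross_session finding is the higher-priority one to triage, since injecting into another LUID only succeeds from a high-integrity process.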
