The Kerberos Service-for-User (S4U) extensions allow a service account to request tickets on behalf of another user. S4U2Self lets a service obtain a service ticket to itself for any user, and S4U2Proxy lets the service present that ticket as evidence to request a ticket for a backend service; together they are the foundation of constrained delegation. Rubeus abuses this chain to impersonate arbitrary users (including domain administrators, unless the account is marked "sensitive and cannot be delegated" or is a member of Protected Users) against any service that the compromised account is trusted to delegate to. The s4u command accepts either an existing TGT (from disk or base64) or the service account's key (RC4/NT hash or AES-256 key), performs the full S4U2Self then S4U2Proxy chain, and optionally injects the resulting ticket directly into the current logon session.

Primary Usage Modes

The command requires either:
  • Ticket mode: /ticket:BASE64|FILE — use an existing TGT for the service account.
  • Hash mode: /user:USER with /rc4:HASH or /aes256:HASH — Rubeus first obtains a TGT via asktgt, then proceeds with the S4U chain.
Both modes then require /impersonateuser (or a pre-existing /tgs) to name the user being impersonated, and /msdsspn to name the target SPN. /msdsspn is not needed with /self, which stops after S4U2Self.

Flag Reference

/ticket
string
Existing TGT for the service account to use, supplied as a base64-encoded .kirbi blob or a path to a .kirbi file, e.g. /ticket:svc.kirbi. Mutually exclusive with the /user+hash approach.
/user
string
Username of the service account when a TGT is not already available, e.g. /user:svcSQL. Rubeus will first request a TGT using the supplied hash, then proceed with S4U. Can include a domain prefix (domain\user).
/rc4
string
RC4 (NT) hash for the service account, used with /user to obtain a TGT, e.g. /rc4:NTLMHASH. Either /rc4 or /aes256 must be provided in hash mode.
/aes256
string
AES-256 hash for the service account, used with /user to obtain a TGT, e.g. /aes256:AESHASH. Preferred over /rc4 for opsec-safe TGT requests.
/impersonateuser
string
The domain user to impersonate in the S4U2Self request, e.g. /impersonateuser:Administrator. Cannot be used together with /tgs — supply one or the other.
/tgs
string
An existing S4U2Self TGS to use directly for the S4U2Proxy step, supplied as a base64 blob or file path, e.g. /tgs:self.kirbi. Skips the S4U2Self request. The impersonated user is read from the ticket’s cname. Requires /msdsspn.
/msdsspn
string
The target SPN to request a delegated ticket for, e.g. /msdsspn:cifs/fileserver.corp.local. For classic constrained delegation it must match an SPN listed in the service account’s msDS-AllowedToDelegateTo attribute. For RBCD it must be an SPN of the resource whose msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor grants the service account; that attribute names principals, not SPNs. Required unless using /self.
/altservice
string
Substitute one or more alternative service classes, comma-separated, into the sname of the final S4U2Proxy ticket while keeping the server host, e.g. /altservice:ldap or /altservice:ldap,host. The sname lives in the unencrypted part of the ticket, and the encrypted part is protected with the host account's key, which is shared by every service class that host runs, so the rewritten ticket is accepted by services that never appear in the delegation configuration. The substitution happens client-side after the KDC has issued the ticket; the KDC sees only the original /msdsspn request.
/domain
string
Domain of the service account, e.g. /domain:corp.local. Auto-detected from the current environment when omitted.
/dc
string
Domain controller to send Kerberos requests to, e.g. /dc:DC01.corp.local.
/impersonatedomain
string
Domain of the user being impersonated in the S4U2Self request, e.g. /impersonatedomain:other.local. Use when the impersonated user resides in a different domain from the service account.
/targetdomain
string
Target domain for cross-domain S4U delegation, e.g. /targetdomain:target.corp.local. Used together with /targetdc to route the final S4U2Proxy request to the correct foreign domain.
/targetdc
string
Domain controller in the target domain for cross-domain delegation, e.g. /targetdc:DC01.target.corp.local. Must be reachable from the attacking host.
/outfile
string
Write the resulting ticket(s) to a .kirbi file, e.g. /outfile:admin_cifs.kirbi.
/ptt
boolean
Pass the final ticket directly into the current logon session via LsaCallAuthenticationPackage. After this, the ticket is usable immediately (e.g. dir \\fileserver\share).
/nowrap
boolean
Prevent base64 ticket blobs from being line-wrapped at 80 characters in console output.
/opsec
boolean
Request S4U tickets in an opsec-safe manner. Adjusts request flags so the resulting tickets more closely resemble those produced by legitimate Windows delegation, reducing the fidelity of event log signatures.
/self
boolean
Perform only the S4U2Self step and stop; do not proceed to S4U2Proxy, and do not require /msdsspn. Produces a service ticket from the compromised service to itself for the impersonated user. Useful when the compromised account is a machine account: combined with /altservice carrying a full SPN on that host (e.g. /altservice:cifs/ws01.corp.local) it yields a ticket to the host as the impersonated user without any delegation configuration. The S4U2Self ticket it produces is also what /tgs consumes if you split the chain across runs.
/bronzebit
boolean
Execute the Bronze Bit attack (CVE-2020-17049). Rubeus decrypts the S4U2Self ticket with the service account’s key, sets the forwardable flag, and re-encrypts it, so S4U2Proxy succeeds even though the KDC issued a non-forwardable ticket: the account has constrained delegation without protocol transition (TrustedToAuthForDelegation not set), or the impersonated user is marked sensitive or is in Protected Users. Requires /rc4 or /aes256 for the service account, and only works against a KDC without the fix, which shipped in November 2020 and became enforced in February 2021.
/nopac
boolean
Request the TGT without a PAC (Privilege Attribute Certificate) by sending PA-PAC-REQUEST with include-pac set to false. A ticket without a PAC carries no authorization data (group SIDs), so the resulting S4U tickets are of little use for access; use this only when you specifically need a PAC-less ticket, for example when the target's PAC handling is what you are testing.
/proxyurl
string
Route Kerberos traffic through a KDC proxy URL, e.g. /proxyurl:https://kdcproxy.corp.local/kdcproxy. Useful for attacking environments where direct KDC access (TCP/UDP 88) is firewalled.
/createnetonly
string
Spawn a new hidden process at the specified path with CreateProcessWithLogonW and LOGON_NETCREDENTIALS_ONLY (the equivalent of runas /netonly), and import the final ticket into that process's fresh logon session rather than your own, e.g. /createnetonly:C:\Windows\System32\cmd.exe. The ticket is imported there even without /ptt. Applying a ticket to a logon session other than the current one requires a high-integrity (elevated) context. Use /show to make the spawned window visible.
/show
boolean
When used with /createnetonly, makes the spawned process window visible rather than hidden.

Usage Examples

Rubeus.exe s4u /ticket:svc.kirbi /impersonateuser:Administrator /msdsspn:cifs/fileserver.corp.local /ptt /nowrap
Constrained delegation vs RBCD: Classic constrained delegation is configured on the delegating service account — an administrator adds target SPNs to the account’s msDS-AllowedToDelegateTo attribute, and the KDC enforces the list. Resource-based constrained delegation (RBCD) is configured on the target resource instead — the resource’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists which principals may delegate to it. From an attacker’s perspective, RBCD is particularly useful because write access to a computer object is enough to configure it, making it a common post-exploitation path after obtaining GenericWrite or WriteProperty over a machine account.
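Before choosing /msdsspn and /impersonateuser it helps to see what delegation is actually configured and whether the target user can be delegated at all. The following PowerShell is an added example, not part of Rubeus, that uses the RSAT ActiveDirectory module to list constrained-delegation accounts (with and without protocol transition), RBCD targets, and the delegation protections on a candidate user. The Test-DelegationTarget function and the account name Administrator are illustrative; the userAccountControl bit values are the documented ADS_UF_* flags.

```powershell
# Added example (not Rubeus code). Needs the RSAT ActiveDirectory module and a
# domain-joined session with read access to the objects queried.
Import-Module ActiveDirectory

# Documented userAccountControl flag values.
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

# 1. Classic constrained delegation: accounts with msDS-AllowedToDelegateTo set.
#    Every SPN listed is a candidate /msdsspn value. Without protocol transition the
#    S4U2Self ticket is not forwardable, which is the situation /bronzebit targets.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        [pscustomobject]@{
            Account             = $_.sAMAccountName
            ProtocolTransition  = [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedToDelegateTo = ($_.'msDS-AllowedToDelegateTo' -join ', ')
        }
    } | Format-Table -AutoSize

# 2. RBCD: the setting lives on the target computer. PrincipalsAllowedToDelegateToAccount
#    is the AD module's decoded view of the msDS-AllowedToActOnBehalfOfOtherIdentity
#    security descriptor; any principal listed can run the S4U chain against this host.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, DNSHostName,
        @{ n = 'AllowedToActOnBehalf'; e = { ($_.PrincipalsAllowedToDelegateToAccount -join ', ') } } |
    Format-Table -AutoSize

# 3. Can the chosen /impersonateuser be delegated at all? NOT_DELEGATED or membership in
#    Protected Users makes the KDC refuse S4U2Proxy for that user; these are exactly the
#    protections Bronze Bit bypasses on an unpatched KDC. Only direct group membership
#    is checked here (memberOf is not expanded through nested groups).
function Test-DelegationTarget {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser $SamAccountName -Properties userAccountControl, memberOf
    $protected = @($u.memberOf | Where-Object { $_ -like 'CN=Protected Users,*' }).Count -gt 0
    [pscustomobject]@{
        User          = $u.SamAccountName
        NotDelegated  = [bool]($u.userAccountControl -band $NOT_DELEGATED)
        ProtectedUser = $protected
        Delegatable   = -not ($protected -or ($u.userAccountControl -band $NOT_DELEGATED))
    }
}
Test-DelegationTarget -SamAccountName 'Administrator'
```

A user that comes back with Delegatable = False will fail at the S4U2Proxy step on a patched domain regardless of how the service account is configured; pick another target or fall back to the /self and /altservice route against the compromised host itself.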
Bronze Bit (CVE-2020-17049) requires the /rc4 or /aes256 key for the service account so Rubeus can decrypt the S4U2Self ticket, set the forwardable flag and re-encrypt it. The attack only matters when the KDC returns a non-forwardable S4U2Self ticket: the service account delegates without protocol transition (TrustedToAuthForDelegation not set), or the impersonated user is marked sensitive or belongs to Protected Users. It succeeds only against a KDC without the November 2020 fix (enforced from February 2021). Supply the account's current key: the flag flip is performed locally with that key, so a wrong key surfaces as a decryption or parsing failure in Rubeus, or as a ticket the target rejects, never as an error from the KDC.