The tgssub command rewrites the sname field inside an existing Kerberos service ticket (TGS) without re-requesting a ticket from the KDC. Because the PAC and the encrypted portion of the ticket are not modified, the resulting ticket remains cryptographically valid as long as the target server uses the same service account key. This lets you reuse a ticket obtained for one SPN (for example http/server.corp.local) to authenticate to a different service on the same host, such as cifs/server.corp.local, provided the underlying service account is the same. The technique is sometimes referred to as an “alternate service” attack.
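
The same-account condition described above can be audited from the defender's side: any service classes registered to one account share its key, so a ticket for one would decrypt for the others. The Python below is an added example, not part of Rubeus or its documentation; the tab-separated export format, account names and SPNs are constructed, and hosts are matched on their first DNS label as a simplification.

```python
from collections import defaultdict

# Constructed sample: "account<TAB>servicePrincipalName" rows, as a directory
# export might provide them. All names here are hypothetical.
SAMPLE_EXPORT = """\
SERVER01$\thttp/server.corp.local
SERVER01$\tcifs/server.corp.local
SERVER01$\tHOST/SERVER
svc_sql\tMSSQLSvc/db01.corp.local:1433
svc_sql\tMSSQLSvc/db01.corp.local
svc_web\thttp/app.corp.local
svc_web\tHTTP/APP.corp.local:8443
svc_web\twsman/app.corp.local
"""


def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (service class, host), lower-cased."""
    parts = spn.strip().split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host = parts[1].split(":", 1)[0]  # drop an optional port or instance suffix
    return parts[0].lower(), host.lower()


def shared_key_groups(export_text):
    """Map (account, short host) -> sorted service classes sharing that account's key."""
    groups = defaultdict(set)
    for line in export_text.splitlines():
        if not line.strip():
            continue
        account, spn = line.split("\t", 1)
        service_class, host = parse_spn(spn)
        # Assumption: the first DNS label identifies the host (SERVER == server.corp.local).
        groups[(account.lower(), host.split(".")[0])].add(service_class)
    # Only groups with two or more classes let one ticket stand in for another.
    return {key: sorted(classes) for key, classes in groups.items() if len(classes) > 1}


if __name__ == "__main__":
    for (account, host), classes in sorted(shared_key_groups(SAMPLE_EXPORT).items()):
        print(f"{account} on {host}: {', '.join(classes)} share one key")
```

Running each service class under its own account shrinks these groups, which narrows what a single service ticket can be reused for.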
Flags
A base64-encoded .kirbi blob or path to a .kirbi file containing the service ticket to modify.
The replacement sname value to write into the ticket. Accepts a bare service class (e.g. ldap) or a full SPN (e.g. cifs/computer.domain.com).
Override the service realm (srealm) in the ticket. Useful when the target service resides in a different domain from the original ticket.
Inject the modified ticket into the current logon session (pass-the-ticket) instead of printing it as base64.
Target a specific logon session by LUID when injecting with /ptt. Requires elevated privileges.
Print the base64 ticket output on a single line without line-wrapping. Useful for scripting or piping output to another tool.
tgssub only rewrites the cleartext sname field in the KRB_CRED wrapper. It does not modify the encrypted EncTicketPart. Whether the target service accepts the modified ticket depends on how strictly it validates the sname against the encrypted portion.
Examples
Substitute with a simple service class
Replace the service class with ldap, keeping the existing host component intact. Useful when you have a host ticket and want to try it against the LDAP service on the same server.