The tgssub command rewrites the sname field inside an existing Kerberos service ticket (TGS) without re-requesting a ticket from the KDC. Because the PAC and the encrypted portion of the ticket are not modified, the resulting ticket remains cryptographically valid as long as the target server uses the same service account key. This lets you reuse a ticket obtained for one SPN — for example http/server.corp.local — to authenticate to a different service on the same host, such as cifs/server.corp.local, provided the underlying service account is the same. The technique is sometimes referred to as an “alternate service” attack.
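The shared-key condition above can be audited from the defender's side. The following is an added example, not part of Rubeus or of the original page: it groups an SPN inventory by owning account and reports which accounts hold more than one SPN, since a ticket issued for any one of them is encrypted with the same key as the others. The inventory, account names and function names are constructed for illustration, and only explicitly listed SPNs are considered.

```python
from collections import defaultdict

# Constructed inventory of (account, SPN) pairs, as an SPN export might list them.
SAMPLE_INVENTORY = [
    ("SERVER$", "HOST/server.corp.local"),
    ("SERVER$", "cifs/server.corp.local"),
    ("SERVER$", "http/server.corp.local"),
    ("svc_sql", "MSSQLSvc/db01.corp.local:1433"),
    ("svc_sql", "http/reports.corp.local"),
    ("svc_web", "http/app.corp.local"),
]

def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (class, host), lower-cased."""
    parts = spn.strip().split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an SPN: {spn!r}")
    host = parts[1].split(":", 1)[0]  # the port does not change the key owner
    return parts[0].lower(), host.lower()

def build_index(inventory):
    """Map each normalized (class, host) to the account holding its key."""
    index = {}
    for account, spn in inventory:
        index[parse_spn(spn)] = account.lower()
    return index

def shares_key(index, spn_a, spn_b):
    """True when both SPNs are registered to the same account (same key)."""
    a, b = index.get(parse_spn(spn_a)), index.get(parse_spn(spn_b))
    return a is not None and a == b

def exposure_report(inventory):
    """Per account with several SPNs: the SPNs that share one ticket key."""
    by_account = defaultdict(set)
    for (cls, host), account in build_index(inventory).items():
        by_account[account].add(f"{cls}/{host}")
    return {acct: sorted(spns) for acct, spns in by_account.items() if len(spns) > 1}

if __name__ == "__main__":
    for account, spns in sorted(exposure_report(SAMPLE_INVENTORY).items()):
        print(f"{account}: {', '.join(spns)}")
```

Accounts that appear in the report are candidates for splitting sensitive services onto their own service account, so that a ticket for a low-value SPN is not encrypted with the key a high-value service accepts.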

Flags

/ticket (string, required): A base64-encoded .kirbi blob or path to a .kirbi file containing the service ticket to modify.

/altservice (string, required): The replacement sname value to write into the ticket. Accepts a bare service class (e.g. ldap) or a full SPN (e.g. cifs/computer.domain.com).

/srealm (string): Override the service realm (srealm) in the ticket. Useful when the target service resides in a different domain from the original ticket.

/ptt (flag): Inject the modified ticket into the current logon session (pass-the-ticket) instead of printing it as base64.

/luid (string): Target a specific logon session by LUID when injecting with /ptt. Requires elevated privileges.

/nowrap (flag): Print the base64 ticket output on a single line without line-wrapping. Useful for scripting or piping output to another tool.

tgssub only rewrites the cleartext sname field in the KRB_CRED wrapper. It does not modify the encrypted EncTicketPart. Whether the target service accepts the modified ticket depends on how strictly it validates the sname against the encrypted portion.

Examples

Substitute with a simple service class

Replace the service class with ldap, keeping the existing host component intact. Useful when you have a host ticket and want to try it against the LDAP service on the same server.
Rubeus.exe tgssub /ticket:C:\tickets\service.kirbi /altservice:ldap

Substitute with a full SPN

Supply a complete SPN to replace both the service class and the target host.
Rubeus.exe tgssub /ticket:C:\tickets\service.kirbi /altservice:cifs/computer.domain.com

Substitute and inject the result

Write the modified ticket directly into the current logon session so it can be used immediately.
Rubeus.exe tgssub /ticket:C:\tickets\service.kirbi /altservice:ldap /ptt
