tgtdeleg exploits an undocumented behaviour in the Windows Kerberos GSS-API implementation to recover a fully usable TGT for the current user, session key included, without requiring any elevated privileges. The technique calls InitializeSecurityContext with a forged delegation request for a target SPN. The Windows Kerberos provider then automatically builds a KRB_CRED containing a forwarded TGT and embeds it in the AP-REQ authenticator; Rubeus intercepts this structure before it leaves the machine and saves it as a standard .kirbi blob. Because the ticket carries the real session key, it can be passed to ptt, used with s4u, or fed to diamond /tgtdeleg for PAC modification.
Flags
The Service Principal Name (SPN) to fake a delegation request to (e.g. cifs/dc01.corp.local). When omitted, Rubeus automatically queries the domain for a suitable SPN to target. Specifying a real SPN for an existing service produces a cleaner request.
Examples
Obtain a TGT for the current user (no arguments needed)
Rubeus selects a delegation target automatically:
Target a specific SPN for the delegation request
Explicitly naming a valid SPN whose service has unconstrained delegation enabled increases the chance of a clean ticket:
tgtdeleg requires no elevation and works for any domain user running in a standard (medium-integrity) process. It does not contact the KDC directly; the delegation request is handled entirely by the Windows Kerberos provider on behalf of the calling process.
The returned ticket includes the TGT session key, which is normally hidden from userland. This is what makes the ticket "usable": most tools that rely on AS-REP or ticket-dump output need the session key in order to request service tickets.