
tgtdeleg abuses the delegation path of the Windows Kerberos GSS-API (SSPI) to recover a usable TGT for the current user, session key included, without any elevation. Rubeus calls AcquireCredentialsHandle for the current logon session's Kerberos credentials, then InitializeSecurityContext with the ISC_REQ_DELEGATE flag against a target SPN, faking the first leg of a delegating authentication. The Kerberos SSP in LSASS obtains a service ticket for that SPN and a forwarded TGT from the KDC, and returns an AP-REQ whose encrypted authenticator carries that forwarded TGT as a KRB_CRED. Rubeus never sends the AP-REQ anywhere: it reads the service ticket's session key from the local ticket cache (service-ticket keys, unlike TGT keys, are handed to non-elevated callers), decrypts the authenticator and the KRB_CRED's enc-part with it, and writes the result out as a standard .kirbi blob. Because that blob contains the real TGT session key, it can be passed to ptt, used with s4u, or fed to diamond /tgtdeleg for PAC modification.
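The place the forwarded TGT actually lives is the GSS-API checksum inside the AP-REQ authenticator, laid out as in RFC 1964 section 1.1.1 (checksum type 0x8003). The Python below is an added example and not Rubeus's own (C#) code: it parses that layout, pulls out the Deleg field and checks that it really is a DER KRB_CRED. The sample checksum and the stand-in KRB_CRED inside it are constructed here and contain no real ticket material; the function names (parse_gss_checksum, krb_cred_header, build_checksum) are this example's own, not Rubeus functions.

```python
"""
Added example, not Rubeus code: parse the GSS-API Kerberos checksum that
carries the forwarded TGT when ISC_REQ_DELEGATE is honoured.

Layout (RFC 1964 s1.1.1, checksum type 0x8003, integers little-endian):
  Lgth(4) | Bnd(16) | Flags(4) | [DlgOpt(2) | Dlgth(2) | Deleg(Dlgth)] | Exts
Deleg is a DER KRB_CRED ([APPLICATION 22]) holding the forwarded TGT.
"""
import struct

GSS_C_DELEG_FLAG = 0x01   # delegation requested: DlgOpt/Dlgth/Deleg follow Flags
GSS_C_MUTUAL_FLAG = 0x02  # always set alongside it by a delegating initiator
KRB_CRED_TAG = 0x76       # DER [APPLICATION 22], constructed: 0x40 | 0x20 | 22
KRB_CRED_MSG_TYPE = 22


def parse_gss_checksum(blob: bytes) -> dict:
    """Split a 0x8003 checksum into Bnd, Flags and the raw KRB_CRED (or None)."""
    if len(blob) < 24:
        raise ValueError("checksum shorter than fixed header")
    bnd_len, = struct.unpack_from("<I", blob, 0)
    if bnd_len != 16:
        raise ValueError(f"unexpected Bnd length {bnd_len}")
    flags, = struct.unpack_from("<I", blob, 20)
    result = {"bnd": blob[4:20], "flags": flags, "deleg": None}
    off = 24
    if flags & GSS_C_DELEG_FLAG:
        if len(blob) < off + 4:
            raise ValueError("GSS_C_DELEG_FLAG set but DlgOpt/Dlgth missing")
        dlg_opt, dlgth = struct.unpack_from("<HH", blob, off)
        off += 4
        if dlg_opt != 1:
            raise ValueError(f"unexpected DlgOpt {dlg_opt}")
        if len(blob) < off + dlgth:
            raise ValueError("Deleg field truncated")
        result["deleg"] = blob[off:off + dlgth]
        off += dlgth
    result["exts"] = blob[off:]
    return result


def _der_read(buf: bytes, off: int):
    """Read one DER TLV at off -> (tag, value, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def krb_cred_header(deleg: bytes) -> tuple:
    """Return (pvno, msg-type) from a KRB_CRED, rejecting anything else."""
    tag, body, _ = _der_read(deleg, 0)
    if tag != KRB_CRED_TAG:
        raise ValueError(f"not a KRB_CRED: outer tag 0x{tag:02x}")
    seq_tag, seq, _ = _der_read(body, 0)
    if seq_tag != 0x30:
        raise ValueError("KRB_CRED body is not a SEQUENCE")
    fields, off = {}, 0
    while off < len(seq):                 # context tags [0]..[3] are 0xA0..0xA3
        ctag, cval, off = _der_read(seq, off)
        fields[ctag & 0x1F] = cval
    pvno = int.from_bytes(_der_read(fields[0], 0)[1], "big")
    msg_type = int.from_bytes(_der_read(fields[1], 0)[1], "big")
    if msg_type != KRB_CRED_MSG_TYPE:
        raise ValueError(f"msg-type {msg_type} is not KRB_CRED")
    return pvno, msg_type


# --- constructed sample input (no real ticket material) ----------------------

def _der(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(v: int) -> bytes:                # small non-negative INTEGERs only
    return _der(0x02, bytes([v]))


# Stand-in KRB_CRED: correct framing (pvno 5, msg-type 22, tickets, enc-part)
# but an empty ticket list and a zeroed AES256 enc-part, so it parses without
# containing a real TGT.
SAMPLE_KRB_CRED = _der(KRB_CRED_TAG, _der(0x30,
    _der(0xA0, _int(5)) +
    _der(0xA1, _int(KRB_CRED_MSG_TYPE)) +
    _der(0xA2, _der(0x30, b"")) +
    _der(0xA3, _der(0x30, _der(0xA0, _int(18)) + _der(0xA2, _der(0x04, b"\x00" * 16))))))


def build_checksum(krb_cred: bytes, flags: int = GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG) -> bytes:
    """Assemble a 0x8003 checksum as a delegating initiator would (Bnd zeroed)."""
    blob = struct.pack("<I", 16) + b"\x00" * 16 + struct.pack("<I", flags)
    if flags & GSS_C_DELEG_FLAG:
        blob += struct.pack("<HH", 1, len(krb_cred)) + krb_cred
    return blob


SAMPLE_CHECKSUM = build_checksum(SAMPLE_KRB_CRED)

if __name__ == "__main__":
    parsed = parse_gss_checksum(SAMPLE_CHECKSUM)
    print(f"flags=0x{parsed['flags']:02x} deleg={len(parsed['deleg'])} bytes")
    print("KRB_CRED pvno/msg-type:", krb_cred_header(parsed["deleg"]))
```

In a real token this checksum sits inside the Authenticator, which is encrypted under the service-ticket session key, and the KRB_CRED's own enc-part (the part holding the TGT session key) is encrypted under that same key; tgtdeleg has to decrypt both before the .kirbi it writes is usable. The parser above starts from the already decrypted checksum.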

Flags

/target
string
The Service Principal Name (SPN) to fake a delegation request to (e.g. cifs/dc01.corp.local). When omitted, Rubeus builds HOST/<dc.domain.com> from the domain controller it is currently using. The account behind the SPN must be trusted for unconstrained delegation: otherwise the service ticket is issued without the OK-AS-DELEGATE flag, the Kerberos SSP does not include a forwarded TGT in the request, and tgtdeleg has nothing to extract. Domain controllers are trusted for unconstrained delegation by default, which is why a DC's HOST or CIFS service is the usual choice.

Examples

Obtain TGT for the current user (no arguments needed)

With no /target, Rubeus uses HOST/<current domain controller>:
Rubeus.exe tgtdeleg

Target a specific SPN for the delegation request

Name an SPN whose account is trusted for unconstrained delegation (here a domain controller's CIFS service, which maps to its HOST class); any other target yields no forwarded TGT and the command fails:
Rubeus.exe tgtdeleg /target:cifs/dc01.corp.local
tgtdeleg requires no elevation and works for any domain user in a standard (medium-integrity) process, as long as the calling logon session holds a Kerberos TGT. Rubeus itself sends no Kerberos traffic: the Kerberos SSP in LSASS requests the service ticket for the target SPN and the forwarded TGT from the KDC on behalf of the calling process, and the AP-REQ it produces never leaves the host. From the KDC's side this is ordinary TGS-REQ activity from the user's machine.
The returned .kirbi is a forwarded copy of the user's TGT (FORWARDED flag set, lifetime no longer than the original) together with its session key. A ticket dump from a non-elevated process, which goes through LsaCallAuthenticationPackage, returns TGTs without their session key unless the AllowTgtSessionKey registry value is set, and a TGT without its session key cannot be used to build a TGS-REQ. The session key is what makes the tgtdeleg ticket usable.
tgtdeleg output is consumed directly by Rubeus.exe kerberoast /usetgtdeleg, which uses the recovered TGT to build its own TGS-REQs (and so control the requested encryption types) instead of going through the GSS-API, and by Rubeus.exe diamond /tgtdeleg to perform Diamond TGT attacks. It is the non-privileged equivalent of dump /service:krbtgt.
