Rubeus is a C# toolset for raw Kerberos interaction and abuses in Windows Active Directory environments. It operates directly at the protocol level, building and parsing raw AS-REQ, TGS-REQ, and related Kerberos message structures without relying on high-level Windows APIs where possible. This gives operators fine-grained control over Kerberos authentication flows — from requesting and renewing tickets to forging golden and silver tickets, performing Kerberoasting, and abusing delegation configurations.
Some Rubeus operations (such as dumping tickets for all users, applying tickets to arbitrary logon sessions, or monitoring new TGTs) require elevated privileges on the target host. Operations against the current user’s own logon session — like requesting a TGT with asktgt — do not require elevation.
Background
Rubeus is heavily adapted from Benjamin Delpy’s Kekeo project (CC BY-NC-SA 4.0) and Vincent LE TOUX’s MakeMeEnterpriseAdmin project (GPL v3.0). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization — without their prior work this project would not exist. Charlie Clark and Ceri Coburn have both made significant contributions as co-developers to the Rubeus codebase. Elad Shamir contributed essential work for resource-based constrained delegation. @harmj0y is the primary author. Additional credits:
- Thomas Pornin — C# ASN.1 parsing/encoding library DDer (MIT-like license)
- Steve Syfuhs — PKINIT code adapted from Bruce / Kerberos.NET
- James Forshaw (@tiraniddo) — NDR encoding/decoding for Kerberos PAC via NtApiDotNet
- @machosec — KerberosRequestorSecurityToken.GetRequest method for Kerberoasting
Project Details
| Property | Value |
|---|---|
| Current Version | v2.3.3 |
| Project Type | Windows CLI executable (Rubeus.exe) |
| Target Framework | .NET 3.5 or .NET 4.0 |
| License | BSD 3-Clause |
| Library Mode | Rubeus.Program.MainString(string command) |

Library mode is exposed through the MainString(string command) static method on Rubeus.Program. This makes it straightforward to invoke Rubeus from PowerShell or over PSRemoting without writing the binary to disk.
Get Started
Quickstart
Download or build Rubeus and run your first TGT request and ticket dump in minutes.
Building from Source
Compile Rubeus as an executable or as a .NET library for PowerShell integration.
asktgt Command
Request a Ticket Granting Ticket using a password, hash, or certificate.
Opsec Notes
Understand detection risks and how to operate Rubeus more stealthily.
Command Categories
Rubeus organises its functionality into the following feature areas:
Ticket Requests & Renewals
asktgt, asktgs, renew, brute, preauthscan — Request TGTs and service tickets from a KDC, renew existing tickets, or brute-force credentials via AS-REQ.
Constrained Delegation Abuse
s4u — Perform S4U2self and S4U2proxy operations to impersonate users against services configured for constrained delegation, including cross-domain scenarios.
Ticket Forgery
golden, silver, diamond — Forge TGTs and service tickets from KRBTGT or service account keys. Supports LDAP-assisted PAC population and explicit value overrides.
Ticket Management
ptt, purge, describe — Submit tickets into the current logon session, remove them, or parse and display the contents of any .kirbi ticket blob.
Ticket Extraction & Harvesting
triage, klist, dump, tgtdeleg, monitor, harvest — Enumerate and extract Kerberos tickets from the current host, or continuously monitor for new TGTs.
Roasting
kerberoast, asreproast — Request and crack service tickets for accounts with SPNs (Kerberoasting), or retrieve AS-REP blobs for accounts without pre-authentication (AS-REP roasting).
Miscellaneous
createnetonly, changepw, hash, tgssub, currentluid, logonsession, asrep2kirbi, kirbi — Utility commands for credential operations, hash calculation, ticket modification, and session inspection.