Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

Rubeus is a C# toolset for raw Kerberos interaction and abuses in Windows Active Directory environments. It operates directly at the protocol level, building and parsing raw AS-REQ, TGS-REQ, and related Kerberos message structures without relying on high-level Windows APIs where possible. This gives operators fine-grained control over Kerberos authentication flows — from requesting and renewing tickets to forging golden and silver tickets, performing Kerberoasting, and abusing delegation configurations.
Some Rubeus operations (such as dumping tickets for all users, applying tickets to arbitrary logon sessions, or monitoring new TGTs) require elevated privileges on the target host. Operations against the current user’s own logon session — like requesting a TGT with asktgt — do not require elevation.

Background

Rubeus is heavily adapted from Benjamin Delpy’s Kekeo project (CC BY-NC-SA 4.0) and Vincent LE TOUX’s MakeMeEnterpriseAdmin project (GPL v3.0). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization — without their prior work this project would not exist. Charlie Clark and Ceri Coburn have both made significant contributions as co-developers to the Rubeus codebase. Elad Shamir contributed essential work for resource-based constrained delegation. @harmj0y is the primary author. Additional credits:
  • Thomas Pornin — C# ASN.1 parsing/encoding library DDer (MIT-like license)
  • Steve Syfuhs — PKINIT code adapted from Bruce / Kerberos.NET
  • James Forshaw (@tiraniddo) — NDR encoding/decoding for Kerberos PAC via NtApiDotNet
  • @machosecKerberosRequestorSecurityToken.GetRequest method for Kerberoasting

Project Details

PropertyValue
Current Versionv2.3.3
Project TypeWindows CLI executable (Rubeus.exe)
Target Framework.NET 3.5 or .NET 4.0
LicenseBSD 3-Clause
Library ModeRubeus.Program.MainString(string command)
Rubeus ships as a standalone Windows executable. It can also be compiled as a .NET class library, which exposes the MainString(string command) static method on Rubeus.Program. This makes it straightforward to invoke Rubeus from PowerShell or over PSRemoting without writing the binary to disk.

Get Started

Quickstart

Download or build Rubeus and run your first TGT request and ticket dump in minutes.

Building from Source

Compile Rubeus as an executable or as a .NET library for PowerShell integration.

asktgt Command

Request a Ticket Granting Ticket using a password, hash, or certificate.

Opsec Notes

Understand detection risks and how to operate Rubeus more stealthily.

Command Categories

Rubeus organises its functionality into the following feature areas:

Ticket Requests & Renewals

asktgt, asktgs, renew, brute, preauthscan — Request TGTs and service tickets from a KDC, renew existing tickets, or brute-force credentials via AS-REQ.

Constrained Delegation Abuse

s4u — Perform S4U2self and S4U2proxy operations to impersonate users against services configured for constrained delegation, including cross-domain scenarios.

Ticket Forgery

golden, silver, diamond — Forge TGTs and service tickets from KRBTGT or service account keys. Supports LDAP-assisted PAC population and explicit value overrides.

Ticket Management

ptt, purge, describe — Submit tickets into the current logon session, remove them, or parse and display the contents of any .kirbi ticket blob.

Ticket Extraction & Harvesting

triage, klist, dump, tgtdeleg, monitor, harvest — Enumerate and extract Kerberos tickets from the current host, or continuously monitor for new TGTs.

Roasting

kerberoast, asreproast — Request and crack service tickets for accounts with SPNs (Kerberoasting), or retrieve AS-REP blobs for accounts without pre-authentication (AS-REP roasting).

Miscellaneous

createnetonly, changepw, hash, tgssub, currentluid, logonsession, asrep2kirbi, kirbi — Utility commands for credential operations, hash calculation, ticket modification, and session inspection.

Build docs developers (and LLMs) love