Rubeus is a Windows command-line executable that communicates directly with Active Directory domain controllers over Kerberos port 88. This guide walks you through obtaining the binary, verifying it works, requesting your first TGT, and inspecting the tickets cached in your current logon session — all in a few minutes.
Prerequisites
Before you begin, confirm you have the following:
- A Windows machine joined to an Active Directory domain (or network access to a domain controller)
- .NET Framework 3.5 or 4.0 installed (present by default on most domain-joined Windows machines)
- A valid domain user account and its password (or NTLM/AES hash)
- Rubeus.exe obtained by compiling from source (see Building from Source) or from a trusted release
No elevated privileges are needed to request a TGT for your own account or to apply it to your current logon session. Operations such as dumping tickets for all users or applying tickets to another logon session do require elevation.
Steps
A successful run prints the Rubeus banner and the complete command list. If you see an error about a missing .NET runtime, install .NET Framework 4.0 from Windows Update or your enterprise software catalog.
Use asktgt to request a Ticket Granting Ticket from the KDC and inject it directly into your current logon session with /ptt:
On success, Rubeus prints a base64-encoded .kirbi blob and confirms [+] Ticket successfully imported!. The TGT is now active in your logon session and will be used automatically for subsequent Kerberos authentications.
Use triage to display a summary table of all Kerberos tickets cached in your current logon session:
If you are running as an elevated process, triage lists tickets across all logon sessions on the host. The output shows the ticket owner, service name, encryption type, and expiry time at a glance.
Use dump to extract the full base64-encoded .kirbi blobs for all tickets in the current logon session:
When elevated, dump extracts tickets for every user on the system. The base64 output can be decoded back to a .kirbi file with:
Global Flags
These flags apply to nearly every Rubeus command and are worth knowing before exploring further:
| Flag | Description |
|---|---|
| /nowrap | Prevents base64 ticket blobs from being line-wrapped. Use this when piping output or saving blobs to pass between tools. |
| /debug | Outputs ASN.1 structure debugging information. Useful when diagnosing unexpected KDC responses. |
| /consoleoutfile:C:\path\out.txt | Redirects all console output (stdout and stderr) to the specified file. |
The /nowrap flag is especially important when copying a base64 ticket blob from the console to pass as a /ticket: argument to another command. Without it, the wrapped newlines will cause the base64 decode to fail.
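For analysts handling a ticket blob copied out of console output, the following added example (not part of the Rubeus documentation or code base) shows a strict base64 decode rejecting a line-wrapped blob and then checks that the decoded bytes form a complete structure. The function names and the sample blob are constructed for illustration, and the check assumes a .kirbi file is a DER-encoded KRB-CRED message.

```python
import base64
import binascii

KRB_CRED_TAG = 0x76  # ASN.1 [APPLICATION 22], the KRB-CRED message (RFC 4120)


def der_total_length(blob: bytes) -> int:
    """Return header + content length declared by the outer DER element."""
    if len(blob) < 2:
        raise ValueError("blob too short for a DER header")
    first = blob[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def decode_kirbi(text: str, strict: bool = True) -> bytes:
    """Decode a base64 blob; strict=False strips whitespace (line wraps) first."""
    if not strict:
        text = "".join(text.split())
    try:
        blob = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not clean base64: {exc}") from exc
    if not blob or blob[0] != KRB_CRED_TAG:
        raise ValueError("outer tag is not KRB-CRED (0x76)")
    if der_total_length(blob) != len(blob):
        raise ValueError("declared DER length does not match blob size")
    return blob


# Constructed sample: a KRB-CRED-shaped header followed by filler, not a real ticket.
SAMPLE = bytes([KRB_CRED_TAG, 0x82, 0x02, 0x00]) + bytes(range(256)) * 2
UNWRAPPED = base64.b64encode(SAMPLE).decode()
WRAPPED = "\n".join("      " + UNWRAPPED[i:i + 80] for i in range(0, len(UNWRAPPED), 80))

if __name__ == "__main__":
    print(len(decode_kirbi(UNWRAPPED)))               # unwrapped blob decodes as-is
    print(len(decode_kirbi(WRAPPED, strict=False)))   # wrapped blob decodes once stripped
    try:
        decode_kirbi(WRAPPED)                         # strict decode of a wrapped blob
    except ValueError as exc:
        print("wrapped blob rejected:", exc)
```

The length check also catches a blob that lost its tail during copy and paste, which a base64 decoder alone can accept without complaint.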