🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
🎟️ Rubeus / ptt / purge / describe

ptt / purge / describe

Ticket management: inject, remove, and inspect Kerberos tickets.

ptt β€” Pass the Ticket

Inject a TGT or service ticket into the current (or specified) logon session.

Usage

Rubeus.exe ptt </ticket:<ticket> | /ticket:<file>.kirbi> [/luid:<luid>]

Options

  • /ticket:<ticket> β€” base64 ticket blob or path to .kirbi file
  • /luid:<luid> β€” target logon session ID (elevation required)

Examples

# Apply ticket to current session
Rubeus.exe ptt /ticket:<ticket>

# Apply to another session (elevated)
Rubeus.exe ptt /luid:0x474722b /ticket:<ticket>

purge β€” Purge Tickets

Remove all Kerberos tickets from the current (or specified) logon session.

Usage

Rubeus.exe purge [/luid:<luid>]

Options

  • /luid:<luid> β€” target logon session to purge (elevation required)

Examples

# Purge current session
Rubeus.exe purge

# Purge specific session (elevated)
Rubeus.exe purge /luid:0x474722b

describe β€” Describe Ticket

Parse and display information about a TGT or service ticket. Optionally decrypt the EncTicketPart to show PAC contents.

Usage

Rubeus.exe describe </ticket:<ticket> | /ticket:<file>.kirbi> [/servicekey:<hash>] [/krbkey:<hash>] [/asrepkey:<hash>] [/serviceuser:<username>] [/servicedomain:<domain>] [/desplaintext:<first-block-text>]

Options

  • /ticket:<ticket> β€” base64 blob or .kirbi file path
  • /servicekey:<hash> β€” service account key to decrypt EncTicketPart and verify ServerChecksum
  • /krbkey:<hash> β€” krbtgt key to verify KDCChecksum and TicketChecksum
  • /asrepkey:<hash> β€” AS-REP session key (for PKINIT U2U scenarios)
  • /serviceuser:<username> β€” form crackable AES hash from AES256 service ticket
  • /servicedomain:<domain> β€” domain for /serviceuser (required with that flag)

Examples

# Basic description
Rubeus.exe describe /ticket:<ticket>

# Show decrypted PAC (need service/krbtgt key)
Rubeus.exe describe /ticket:<ticket> /servicekey:<aes256-key>

# Extract Kerberoast hash from RC4 service ticket
Rubeus.exe describe /ticket:<service-ticket>

# Get AES Kerberoast hash
Rubeus.exe describe /ticket:<ticket> /serviceuser:<username> /servicedomain:<domain>

Notes

  • If ticket is a service ticket encrypted with RC4, a Kerberoast-compatible hash ($krb5tgs$23$...) is automatically extracted
  • If ticket is AES-encrypted and /servicekey is not provided, only metadata is shown
  • The PAC includes: LogonInfo, ClientName, UpnDns, ServerChecksum, KDCChecksum