https://az0th.it/tags/rubeus/ Recent content in Rubeus on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/kali/kerberos-attacks/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/kali/kerberos-attacks/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Attack</th> <th>Tool</th> <th>Hashcat Mode</th> <th>Requirement</th> </tr> </thead> <tbody> <tr> <td>AS-REP Roasting</td> <td>GetNPUsers.py / kerbrute</td> <td>-m 18200</td> <td>DONT_REQ_PREAUTH flag set</td> </tr> <tr> <td>Kerberoasting</td> <td>GetUserSPNs.py</td> <td>-m 13100 (RC4) / -m 19700 (AES)</td> <td>Valid domain user + SPN exists</td> </tr> <tr> <td>Pass-the-Ticket</td> <td>getTGT.py + impacket</td> <td>N/A</td> <td>Valid credentials or hash</td> </tr> <tr> <td>Overpass-the-Hash</td> <td>getTGT.py -aesKey</td> <td>N/A</td> <td>AES256 key for user</td> </tr> <tr> <td>Kerbrute userenum</td> <td>kerbrute</td> <td>N/A</td> <td>Network access to DC on port 88</td> </tr> <tr> <td>Ticket conversion</td> <td>ticket_converter.py</td> <td>N/A</td> <td>Existing .kirbi or .ccache</td> </tr> </tbody> </table> <hr> <h2 id="as-rep-roasting">AS-REP Roasting</h2> <p>AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (<code>DONT_REQ_PREAUTH</code> flag set in <code>userAccountControl</code>). The KDC returns an AS-REP containing a portion encrypted with the user&rsquo;s hash — no prior authentication required, making it requestable by anyone.</p> https://az0th.it/ad/windows/kerberos-attacks/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/kerberos-attacks/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Attack</th> <th>Tool</th> <th>Prerequisite</th> <th>Output</th> </tr> </thead> <tbody> <tr> <td>Kerberoasting</td> <td>Rubeus, PowerView</td> <td>Domain user, SPN exists</td> <td>RC4/AES hash → offline crack</td> </tr> <tr> <td>AS-REP Roasting</td> <td>Rubeus</td> <td>Domain user, pre-auth disabled on target</td> <td>AS-REP hash → offline crack</td> </tr> <tr> <td>Pass-the-Ticket</td> <td>Rubeus, Mimikatz</td> <td>Valid .kirbi or base64 ticket</td> <td>Ticket injected into session</td> </tr> <tr> <td>Overpass-the-Hash</td> <td>Mimikatz, Rubeus</td> <td>NTLM or AES hash</td> <td>TGT obtained, ticket injected</td> </tr> <tr> <td>Pass-the-Key</td> <td>Mimikatz</td> <td>AES256 hash</td> <td>TGT obtained via AES pre-auth</td> </tr> <tr> <td>Ticket Extraction</td> <td>Rubeus, Mimikatz</td> <td>Local admin (for other users&rsquo; tickets)</td> <td>.kirbi files / base64 tickets</td> </tr> <tr> <td>TGT Delegation</td> <td>Rubeus tgtdeleg</td> <td>Domain user, no local admin needed</td> <td>Usable TGT</td> </tr> <tr> <td>Ticket Harvesting</td> <td>Rubeus harvest/monitor</td> <td>Local admin</td> <td>Ongoing TGT collection</td> </tr> <tr> <td>Unconstrained Delegation Abuse</td> <td>Rubeus monitor + coerce</td> <td>Local admin on delegation host</td> <td>Victim TGT captured</td> </tr> </tbody> </table> <hr> <h2 id="hashcat-cracking-modes-reference">Hashcat Cracking Modes Reference</h2> <table> <thead> <tr> <th>Mode</th> <th>Hash Type</th> <th>Attack Context</th> </tr> </thead> <tbody> <tr> <td>13100</td> <td>Kerberoast — RC4 (TGS-REP)</td> <td>Kerberoasting with /rc4opsec</td> </tr> <tr> <td>19600</td> <td>Kerberoast — AES128 (TGS-REP)</td> <td>Kerberoasting with /aes</td> </tr> <tr> <td>19700</td> <td>Kerberoast — AES256 (TGS-REP)</td> <td>Kerberoasting with /aes</td> </tr> <tr> <td>18200</td> <td>AS-REP — RC4 (krb5asrep)</td> <td>AS-REP Roasting</td> </tr> <tr> <td>17200</td> <td>DPAPI masterkey</td> <td>Seatbelt / Mimikatz DPAPI</td> </tr> <tr> <td>1000</td> <td>NTLM</td> <td>Pass-the-Hash, secretsdump output</td> </tr> <tr> <td>5600</td> <td>NTLMv2 (Net-NTLMv2)</td> <td>Responder / NTLM relay capture</td> </tr> <tr> <td>7500</td> <td>Kerberos 5 AS-REQ (etype 23)</td> <td>Pre-auth brute force</td> </tr> <tr> <td>3000</td> <td>LM</td> <td>Legacy — rarely seen</td> </tr> </tbody> </table> <hr> <h2 id="kerberoasting">Kerberoasting</h2> <p>Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account&rsquo;s password hash, enabling offline cracking.</p> https://az0th.it/ad/windows/delegation-attacks/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/delegation-attacks/ Abusing Kerberos delegation (Unconstrained, Constrained, RBCD, Shadow Credentials) from a Windows foothold using Rubeus, PowerView, and PowerMad. https://az0th.it/ad/windows/domain-trusts/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/domain-trusts/ Enumerating and exploiting Active Directory domain and forest trusts from a Windows foothold: SID history injection, golden ticket cross-domain, inter-realm key abuse. https://az0th.it/ad/windows/persistence/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/persistence/ Domain persistence techniques after AD compromise: Golden/Silver/Diamond Tickets, DCSync backdoors, AdminSDHolder, ACL abuse, WMI subscriptions, and DPAPI backup keys. https://az0th.it/ad/windows/adcs-attacks/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/adcs-attacks/ Active Directory Certificate Services exploitation from Windows: ESC1-ESC8 with Certify, ForgeCert, Rubeus, and Pass-the-Certificate.