Rubeus: Raw Kerberos Protocol Manipulation for Active Directory Security Testing
Hook
While most offensive security tools wrap existing Windows APIs, Rubeus rebuilds Kerberos from scratch—implementing ASN.1 encoding to forge authentication tickets that domain controllers trust implicitly.
Context
Active Directory security has traditionally been tested using tools like Mimikatz or Python’s Impacket suite, but each had limitations. Mimikatz excels at memory-resident credential extraction but treats Kerberos as a secondary feature. Impacket provides cross-platform protocol implementations but lacks the deep Windows integration needed for advanced LUID manipulation and logon session hijacking. Benjamin Delpy’s Kekeo pioneered raw Kerberos manipulation, but its development slowed as attack techniques evolved. Rubeus emerged as a C# toolkit that treats Kerberos protocol manipulation as a first-class concern. Named after the three-headed dog guarding the underworld—a reference to Kerberos’s mythological namesake—the tool directly implements ASN.1 encoding/decoding required to speak to domain controllers without relying on Windows’s built-in Kerberos libraries. According to the README, Rubeus is heavily adapted from Benjamin Delpy’s Kekeo project and Vincent LE TOUX’s MakeMeEnterpriseAdmin project, with significant contributions from Charlie Clark and Ceri Coburn as co-developers. This architectural approach enables attacks that would be impossible through standard APIs: forging golden tickets with custom attributes, performing S4U2Self delegation on behalf of arbitrary users, or requesting tickets with PKINIT certificates.
Technical Insight
Rubeus’s power stems from its ASN.1-level implementation of the Kerberos protocol. Instead of calling standard Windows authentication APIs like AcquireCredentialsHandle or InitializeSecurityContext, Rubeus uses Thomas Pornin’s DDer library (released with an MIT-like license, as confirmed in the README) to manually construct and parse Kerberos messages as byte arrays.
Consider a typical Kerberoasting attack. The README confirms that the KerberosRequestorSecurityToken.GetRequest method for Kerberoasting was contributed by @machosec to PowerView and then incorporated into Rubeus. The tool also offers raw protocol approaches that construct requests manually, giving precise control over ticket attributes and encryption types.
This low-level control enables features like the /opsec flag mentioned in the command-line usage, which appears to modify ticket requests to avoid suspicious patterns. The tool’s LUID manipulation capabilities demonstrate another architectural advantage. Windows maintains separate logon sessions identified by Locally Unique Identifiers (LUIDs). Based on the command-line examples in the README, Rubeus can inject tickets into specific LUIDs or create logon sessions using the createnetonly command, separating malicious tickets from your primary logon session.
PKINIT support showcases Rubeus’s protocol completeness. The README states that PKINIT code was heavily adapted from Steve Syfuhs’s Bruce tool, which made RFC4556 (PKINIT) easier to understand. The command-line usage shows Rubeus can authenticate using PKCS12 certificate files or certificates from the user’s keystore (smartcard) by specifying thumbprint or subject:
Rubeus.exe asktgt /user:USER /certificate:C:\temp\leaked.pfx /password:STOREPASSWORD /createnetonly:C:\Windows\System32\cmd.exeThis enables certificate-based authentication attacks where traditional password-based methods leave more artifacts in logs.
The delegation abuse commands demonstrate Rubeus’s understanding of Windows’s protocol extensions. The README documents the s4u command for constrained delegation abuse, with Elad Shamir credited for contributing essential work on resource-based constrained delegation. Service-for-User-to-Self (S4U2Self) and Service-for-User-to-Proxy (S4U2Proxy) allow services to obtain tickets on behalf of users—functionality that Rubeus weaponizes for privilege escalation and lateral movement.
Gotcha
Rubeus generates forensic artifacts with every ticket request. The tool’s operations appear likely to generate Windows security event logs, though the exact detection mechanisms depend on your environment’s logging configuration. The /opsec flag mentioned in the command-line usage may help reduce detection, but doesn’t eliminate it—defenders with proper monitoring can still identify unusual Kerberos patterns.
Privilege requirements create operational constraints. Based on the command descriptions, extracting tickets from memory (the dump command) likely requires elevated privileges, while creating logon sessions with createnetonly appears to work with standard user access. The monitor command that watches for new TGTs as users log in likely requires appropriate access to security logs. These restrictions mean Rubeus typically serves as a post-exploitation tool rather than an initial access vector.
The Windows/.NET dependency creates deployment challenges. Rubeus is written in C# and targets the .NET Framework, which exists on Windows systems but complicates cross-platform operations. Running Rubeus from Linux attack platforms requires either compatibility layers or pivoting through Windows hosts. Some organizations block .NET execution outside approved paths using application control policies, requiring you to load Rubeus reflectively—adding complexity and additional detection opportunities. The tool also lacks automation features found in integrated frameworks; you’re manually chaining commands rather than executing playbooks.
The README’s compile instructions and the BSD 3-Clause license indicate this is an open-source project, but the Opsec Notes section emphasizes weaponization considerations, making clear this is designed for offensive security testing rather than defensive or administrative purposes.
Verdict
Use Rubeus if you’re conducting authorized red team engagements against Active Directory environments where your scope includes Kerberos protocol abuse and testing detection capabilities for ticket-based attacks. Based on the README’s documented commands, it’s well-suited for demonstrating attacks like Kerberoasting (kerberoast command), AS-REP roasting (asreproast command), golden ticket creation (golden command), silver ticket creation (silver command), and delegation abuse (s4u command). Use it when you need granular control over ticket attributes, encryption types, or logon session targeting. The comprehensive command set including asktgt, asktgs, renew, ptt, purge, describe, triage, dump, monitor, and harvest provides the toolkit needed for thorough Kerberos security assessments. Skip Rubeus if you’re operating from non-Windows platforms and can’t easily pivot through Windows hosts—cross-platform alternatives may cover common use cases with better compatibility. Skip it for operations where detection risk outweighs capability, as the tool’s activities generate identifiable artifacts. Skip it if you lack Active Directory domain knowledge—Rubeus assumes you understand Kerberos workflows, delegation types, and ticket attribute meanings. Most importantly, use Rubeus only with explicit written authorization for security testing; this is a purpose-built offensive security tool, and unauthorized use constitutes a serious legal violation.
