Leveraging ‘Rubeus’ for Active Directory Penetration Testing (Part One) 

The rapidly evolving, complex cybersecurity landscape places Active Directory (AD) at the forefront of many cyber threats. As a crucial component of network infrastructures, AD is targeted by attackers looking to exploit its vulnerabilities. “Rubeus” emerges as a pivotal tool for security professionals, offering advanced capabilities that thoroughly assess and strengthen AD defenses. This guide delves into utilizing Rubeus to conduct in-depth Active Directory pentesting while highlighting its diverse modules designed to explore various AD vulnerabilities. 

Understanding Rubeus 

Rubeus specializes in interactions with the Kerberos protocol, an essential component of Windows AD environments. It’s designed to perform a wide range of attacks and manipulations on Kerberos tickets, positioning it as an indispensable tool for penetration testers aiming to uncover and exploit Kerberos-based vulnerabilities. 

Core Features: 

      • Kerberos Ticket Examination: Rubeus provides detailed inspection and manipulation capabilities for Kerberos tickets which are essential for understanding the authentication flows within AD. 

      • Credential Access and Manipulation: It includes features for accessing and exploiting authentication credentials vital for assessing the security of AD environments. 

    Installation: 

    You can find Rubeus on GitHub here.

    You can then use your preferred .NET compiler to generate the Rubeus executable. 

    Advanced Modules Overview 

    Rubeus comes equipped with modules designed to target specific vulnerabilities within AD, each serving a unique purpose in the AD penetration testing process. We will be looking at just a few of the many modules this tool has to offer when you find yourself in an Active Directory environment with access to a Windows host during a penetration test. 

    Kerberoast 

    Kerberoasting takes advantage of the way service accounts are implemented in Kerberos, allowing attackers to crack the passwords of those accounts by extracting hash values from Ticket Granting Service (TGS) tickets. 

        • Practical Application: This module is pivotal in identifying weak service account passwords that could be exploited to gain higher privileges within the AD environment. 

      Rubeus.exe kerberoast /nowrap 

      Tip: To specify the output file, use the /outfile flag, followed by the full path of where the hashes should be written. 

      AS-REPRoast 

      AS-REP roasting exploits a feature of Kerberos where some accounts are configured not to require pre-authentication. Attackers use this feature to request authentication data for a user without providing a valid timestamp, enabling them to attempt offline cracking of the user’s password. 

          • Practical Application: This technique is particularly effective against accounts that enable the “Do not require Kerberos pre-authentication” option. Penetration testers can use this method to identify weak passwords that could be exploited to gain unauthorized access to sensitive resources. 

        Rubeus.exe s4u asreproast /nowrap  

        Tip: If you want to specify just one user to target, add the /user flag to the command above. 

        Monitor 

        The monitor module watches for Kerberos ticket requests and renewals in real time, offering immediate insights into authentication activities and identifying potential security breaches as they occur. 

            • Practical Application: Real-time monitoring is critical for detecting and responding to anomalous authentication activities that may indicate an ongoing attack or exploitation attempt. 

          Rubeus.exe monitor /interval:10 /nowrap 

          Tip: Use your favorite authentication coercion tools to force users or computers to authenticate to your victim machine to grab additional Kerberos tickets.  

          Triage 

          Triage is used for collecting and displaying all available Kerberos tickets on a host, aiding in the identification of active user sessions and potential targets for escalation or lateral movement. 

              • Practical Application: It helps in assessing the current security posture by enumerating valid tickets, which could be misused if compromised. 

            Rubeus.exe triage 

            Dump 

            Dumping Kerberos ticket data allows for the offline analysis of tickets, providing insights into the authentication states, vulnerabilities, and potential for misuse within the AD environment. 

                • Practical Application: This module is essential for conducting detailed forensic analysis and understanding the intricacies of Kerberos ticketing within the network. 

              Rubeus.exe dump /luid:<luid> /nowrap 

              Tip: To dump a specific ticket, use the triage module above and specify the luid when running the dump command.  

              CreateNetOnly 

              This module helps create a process that runs under a designated user’s context, aiding in lateral movement by allowing an attacker to execute commands or access resources as another user. 

                  • Practical Application: It’sbeneficial in scenarios where maintaining stealth is crucial, as it allows actions to be taken under the guise of a legitimate user’s identity without altering their current sessions. 

                Rubeus.exe createnetonly /program:”cmd.exe” /domain:<domain> /user:<user> /password:<password> 

                Tip: To show the newly spawned program (i.e., cmd.exe, powershell.exe, etc), add the /show flag to the command. 

                Is your team looking to leverage Rubeus to strengthen your AD defenses? Contact us today and explore how we can enhance your security with in-depth penetration testing.

                Share to

                Share

                Share to

                Like our content? Subscribe and stay informed.