If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/GhostPack/Rubeus shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 6mo ago

• Last commit 6mo ago
• 19 active contributors
• Distributed ownership (top contributor 41% of recent commits)
• Other licensed
• ⚠ Slowing — last commit 6mo ago
• ⚠ Non-standard license (Other) — review terms
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live GhostPack/Rubeus repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/GhostPack/Rubeus.

What it runs against: a local clone of GhostPack/Rubeus — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in GhostPack/Rubeus | Confirms the artifact applies here, not a fork | | 2 | License is still Other | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 207 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of GhostPack/Rubeus. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/GhostPack/Rubeus.git
#   cd Rubeus
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of GhostPack/Rubeus and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "GhostPack/Rubeus(\\.git)?\\b" \\
  && ok "origin remote is GhostPack/Rubeus" \\
  || miss "origin remote is not GhostPack/Rubeus (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Other)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Other\"" package.json 2>/dev/null) \\
  && ok "license is Other" \\
  || miss "license drift — was Other at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "Rubeus/Program.cs" \\
  && ok "Rubeus/Program.cs" \\
  || miss "missing critical file: Rubeus/Program.cs"
test -f "Rubeus/Domain/ArgumentParser.cs" \\
  && ok "Rubeus/Domain/ArgumentParser.cs" \\
  || miss "missing critical file: Rubeus/Domain/ArgumentParser.cs"
test -f "Rubeus/Commands/ICommand.cs" \\
  && ok "Rubeus/Commands/ICommand.cs" \\
  || miss "missing critical file: Rubeus/Commands/ICommand.cs"
test -f "Rubeus/lib/krb_structures/AS_REQ.cs" \\
  && ok "Rubeus/lib/krb_structures/AS_REQ.cs" \\
  || miss "missing critical file: Rubeus/lib/krb_structures/AS_REQ.cs"
test -f "Rubeus/lib/Crypto.cs" \\
  && ok "Rubeus/lib/Crypto.cs" \\
  || miss "missing critical file: Rubeus/lib/Crypto.cs"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 207 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~177d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/GhostPack/Rubeus"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Rubeus is a C# toolset for raw Kerberos protocol interaction and exploitation. It performs ticket requests (TGT/TGS), forges tickets (golden/silver/diamond), performs constrained delegation abuse (S4U), and manages Kerberos credentials without relying on Windows APIs. Core capabilities include asktgt/asktgs for legitimate ticket acquisition, golden/silver ticket forgery, s4u abuse for delegation bypass, and kerberoasting for service account password extraction. Modular command structure: Rubeus/Commands/ contains 25+ command implementations (asktgt.cs, asktgs.cs, kerberoast.cs, s4u.cs, etc.) each implementing ICommand interface. Core utilities in Rubeus/lib/ (Ask.cs, Crypto.cs, ForgeTicket.cs, Harvest.cs) handle ticket mechanics. Rubeus/Asn1/ provides custom ASN.1 encoding/decoding (AsnElt.cs, AsnIO.cs, AsnOID.cs) adapted from DDer library. ArgumentParser (Domain/ArgumentParser.cs) routes CLI input to command handlers.

Red teamers, penetration testers, and security researchers who need to conduct Kerberos attacks and abuse scenarios in Windows Active Directory environments. Users need deep Kerberos protocol knowledge and are typically working on post-compromise persistence, lateral movement, or privilege escalation objectives.

Actively maintained with significant maturity—the codebase is ~1.25M lines of C# with proper command structure, ASN.1 parsing infrastructure, and multiple attack vectors implemented. The project credits work from Kekeo and has multiple named co-developers (Charlie Clark, Ceri Coburn, Elad Shamir). Without visible commit history or CI metadata in the file list, it appears production-ready for red team operations but not a library-style project expecting strict semver.

Moderate-to-high risk for security operations: this is explicitly a weaponized Kerberos toolkit that will trigger EDR/AV detections; no antivirus evasion is built in and YARA rules exist (Rubeus.yar in repo). Single-maintainer dependency risk on @harmj0y noted in README. No visible test suite in file list (no Tests/ directory) and complex cryptographic code (Crypto.cs, ForgeTicket.cs) with no unit test coverage mentioned. Breakage risk is high if Windows Kerberos behavior changes.

No recent commit metadata visible in file list, but CHANGELOG.md exists indicating ongoing version tracking. Active development of Kerberos attack techniques is evident from command diversity (diamond.cs, tgssub.cs, preauthscan.cs suggest recent additions). PKINIT code noted as adapted from recent RFC4556 work; this indicates ongoing protocol implementation work.

Clone the repo: git clone https://github.com/GhostPack/Rubeus.git. Open Rubeus.sln in Visual Studio (C# project). Build via Visual Studio or: dotnet build Rubeus/Rubeus.csproj. Run: Rubeus.exe <command> <options> (see README for command list like asktgt, asktgs, kerberoast, s4u, golden, silver).

Daily commands: Build in Visual Studio: open Rubeus.sln → Build → Run. Or via command line: dotnet build Rubeus/Rubeus.csproj then dotnet run --project Rubeus/Rubeus.csproj -- <command>. For release: dotnet publish -c Release and use the resulting Rubeus.exe binary with any command (asktgt, asktgs, kerberoast, s4u, golden, silver, ptt, etc.).

• Rubeus/Program.cs — Entry point that parses commands and dispatches to handlers; all users must understand the command routing pattern.
• Rubeus/Domain/ArgumentParser.cs — Core argument parsing logic used by every command; changes here impact all functionality.
• Rubeus/Commands/ICommand.cs — Abstract command interface that all 20+ commands implement; foundational abstraction for the entire tool.
• Rubeus/lib/krb_structures/AS_REQ.cs — Kerberos AS-REQ packet structure definition; critical for understanding Kerberos protocol handling throughout the codebase.
• Rubeus/lib/Crypto.cs — Encryption/decryption primitives for ticket manipulation; used by forging, roasting, and delegation attacks.
• Rubeus/lib/ForgeTicket.cs — Golden/Silver ticket forging logic; core capability for privilege escalation attacks.
• Rubeus/Asn1/AsnElt.cs — ASN.1 parsing/encoding engine used for all Kerberos structure serialization; fundamental to protocol communication.

Add a new Kerberos attack command

1. Create new class implementing ICommand in Rubeus/Commands/YourCommand.cs with Execute() method (Rubeus/Commands/ICommand.cs)
2. Use Networking.SendKerberosRequest() to communicate with KDC (Rubeus/lib/Networking.cs)
3. Parse KDC responses using krb_structures (AS_REP, TGS_REP, etc) (Rubeus/lib/krb_structures/AS_REP.cs)
4. Register command in CommandCollection by adding new entry to command registry (Rubeus/Domain/CommandCollection.cs)
5. Add argument parsing logic in YourCommand to handle /domain, /user, etc flags (Rubeus/Domain/ArgumentParser.cs)

Add support for a new encryption cipher

1. Add new cipher suite constants to AsnOID.cs (e.g., aes256-cts-hmac-sha1-96) (Rubeus/Asn1/AsnOID.cs)
2. Implement encrypt/decrypt methods for the new cipher in Crypto.cs using existing SafeNativeMethods or managed code (Rubeus/lib/Crypto.cs)
3. Update ETYPE_INFO_ENTRY and ETYPE_INFO2_ENTRY to advertise new cipher during AS-REQ pre-auth (Rubeus/lib/krb_structures/ETYPE_INFO_ENTRY.cs)
4. Test with Asktgt command to verify ticket encryption/decryption (Rubeus/Commands/Asktgt.cs)

Add a new ticket manipulation feature (e.g., modify PAC claims)

1. Create or extend a command in Rubeus/Commands/ to parse and modify authorization data (Rubeus/lib/krb_structures/AuthorizationData.cs)
2. Use ForgeTicket.ForgeTicket() or similar to rebuild the ticket with modified PAC (Rubeus/lib/ForgeTicket.cs)
3. Re-encrypt the modified ticket part using Crypto primitives (Rubeus/lib/Crypto.cs)
4. Output the modified ticket as base64 or kirbi format using Helpers for serialization (Rubeus/lib/Helpers.cs)

Add monitoring for new Kerberos request types

1. Extend Monitor.cs to capture new AS-REQ or TGS-REQ patterns (Rubeus/Commands/Monitor.cs)
2. Define new krb_structures for your message type if not already present (Rubeus/lib/krb_structures/AS_REQ.cs)
3. Use Harvest.cs patterns to hook LSA or network callbacks for traffic capture (Rubeus/lib/Harvest.cs)
4. Format and display captured data using Helpers and ConsoleTable for output (Rubeus/lib/ConsoleTable.cs)

No built-in evasion—this toolset is verbose in logs and will be detected by EDR. Requires .NET Framework or .NET Core on target. Some operations (ppt—pass-the-ticket via LSA) require appropriate Windows access/privileges and local admin for ticket injection. The custom ASN.1 codec has no formal validation suite; malformed Kerberos responses may cause exceptions rather than graceful degradation. PKINIT and PAC parsing use complex NDR encoding (not visible in file list but mentioned in README) which may have edge cases.

• Kerberos TGT and TGS — TGT (Ticket Granting Ticket) and TGS (Ticket Granting Service) are the two core ticket types Rubeus manipulates; understanding their contents and encryption is essential to every attack in this toolkit
• Constrained Delegation (S4U2Self, S4U2Proxy) — S4U extensions allow services to obtain tickets on behalf of users; Rubeus's S4u.cs implements these attacks to bypass delegation restrictions and impersonate arbitrary principals
• Ticket Forgery (Golden/Silver Tickets) — Golden tickets forge TGTs using the krbtgt account hash; silver tickets forge TGS for specific services using their hash. Rubeus's ForgeTicket.cs is the engine for both—requires understanding Kerberos cryptographic integrity
• ASN.1 DER Encoding — All Kerberos messages are DER-encoded ASN.1; Rubeus's custom Asn1/ codec (not OpenSSL or Bouncy Castle) encodes/decodes TGTs, TGSs, and AS-REPs without external libs—critical to understand for troubleshooting parsing errors
• Kerberoasting — Requesting service tickets for user accounts and cracking them offline; Rubeus.Commands.Kerberoast.cs performs TGS-REQ for any SPN and extracts the encryption key material for hashcat/John cracking
• Pass-the-Ticket (PTT) — Injecting Kerberos tickets into the local LSA cache to impersonate users without passwords; Rubeus.Commands.Ptt.cs uses Win32 APIs to load .kirbi files into the current logon session
• RC4/AES Encryption in Kerberos — Kerberos uses RC4-HMAC or AES-CTS-HMAC for ticket encryption; Rubeus's Crypto.cs implements both ciphers and key derivation (PBKDF2 for passwords). Getting encryption wrong breaks all ticket operations

• GhostPack/SharpKiller — Companion tool from same author for EDR/defense evasion; often used with Rubeus in post-exploitation
• dirkjanm/impacket — Python Kerberos toolkit with similar capabilities (asktgt, asktgs, kerberoast, s4u); cross-platform alternative when C# unavailable
• gentilkiwi/kekeo — Direct predecessor project by Benjamin Delpy that Rubeus is heavily adapted from; original Kerberos exploitation tool
• zer1t0/ticket_converter — Converts between .kirbi (Kerberos ticket) formats; essential for moving tickets between Rubeus and other tools
• SecureAuthCorp/impacket — Industry-standard Python Kerberos library; used for ticketing research and multi-platform attack chains alongside Rubeus

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for Asn1 parsing/encoding (Rubeus/Asn1/)

The Asn1 module is critical for Kerberos ticket manipulation but lacks any test coverage. Given that ASN.1 parsing bugs can silently corrupt tickets, unit tests for AsnElt.cs, AsnIO.cs, and AsnOID.cs would catch regressions early. This is especially important since the library was adapted from external sources.

• [ ] Create Rubeus.Tests project alongside Rubeus.sln
• [ ] Add tests for AsnElt.cs covering parsing edge cases (empty sequences, nested structures, OID encoding)
• [ ] Add tests for AsnIO.cs covering read/write operations and round-trip serialization
• [ ] Add tests for AsnOID.cs covering OID encoding/decoding against known Kerberos OIDs
• [ ] Ensure tests catch malformed input gracefully (referenced in AsnException.cs)

Extract and document crypto primitives from Crypto.cs into dedicated modules

Rubeus/lib/Crypto.cs likely contains multiple encryption algorithms (RC4, AES, DES) mixed together. The crypto/dh/ subdirectory shows Diffie-Hellman separation, but symmetric crypto methods should follow the same pattern. This improves maintainability and makes it easier for contributors to understand which crypto operations each command uses.

• [ ] Audit Rubeus/lib/Crypto.cs to identify distinct encryption algorithm implementations
• [ ] Create Rubeus/lib/crypto/symmetric/ directory with files like AesEncryption.cs, RC4Encryption.cs, DESEncryption.cs
• [ ] Create ISymmetricEncryption interface in crypto/ (similar to IExchangeKey.cs pattern)
• [ ] Refactor Crypto.cs methods to use new classes and update all command files (Ask.cs, ForgeTicket.cs, S4U.cs, etc.) to reference them
• [ ] Document which encryption types each command uses in command class headers

Add integration tests for high-risk commands (Rubeus/Commands/Golden.cs, Silver.cs, S4u.cs)

Golden ticket, Silver ticket, and S4U delegation attacks are dangerous and commonly misconfigured. Without tests, regressions in ticket generation could go unnoticed. Add integration tests using a test AD environment or mocked KDC responses to verify ticket structure and encryption.

• [ ] Create Rubeus.IntegrationTests project with TestFixtures for mock KDC responses
• [ ] Add tests for Golden.cs verifying PAC construction and encryption with krbtgt key
• [ ] Add tests for Silver.cs verifying service ticket generation without KDC
• [ ] Add tests for S4u.cs verifying S4U2Self and S4U2Proxy request/response handling
• [ ] Document test prerequisites in TESTING.md (e.g., required mock AD service or test fixtures)
• [ ] Add GitHub Actions workflow to run integration tests on PR submission

• Add unit tests for Rubeus/lib/Crypto.cs covering RC4, AES, and DES encrypt/decrypt with known test vectors from RFC 3961 and RFC 3962. Currently no Tests/ directory exists.
• Document the Rubeus/Asn1/ custom codec by adding inline examples in AsnElt.cs and AsnIO.cs showing how to construct and parse common Kerberos structures (PA-DATA, AS-REQ, TGS-REQ). README has no codec usage guide.
• Add argument validation and help text for less common commands (tgssub.cs, preauthscan.cs, diamond.cs) in Domain/ArgumentParser.cs—these lack the polished CLI UX of asktgt/kerberoast and would benefit from error messages for missing/invalid /flags.

• High · Kerberos Ticket Manipulation Capabilities — Rubeus/lib/ForgeTicket.cs, Rubeus/Commands/Golden.cs, Rubeus/Commands/Silver.cs, Rubeus/Commands/Tgssub.cs. Rubeus is a Kerberos exploitation toolkit that allows creation, modification, and injection of Kerberos tickets (Golden tickets, Silver tickets). The codebase contains ForgeTicket.cs and multiple ticket manipulation commands (Golden.cs, Silver.cs, Tgssub.cs) that could be abused to forge authentication credentials and escalate privileges in Active Directory environments. Fix: This is intentional functionality for security research. Implement strict access controls, audit logging, and network segmentation to prevent unauthorized use. Consider deploying detection signatures for ticket forgery patterns.
• High · Cryptographic Key Material Handling — Rubeus/lib/Crypto.cs, Rubeus/lib/crypto/SafeNativeMethods.cs, Rubeus/lib/crypto/dh/DiffieHellmanKey.cs. The codebase includes cryptographic operations (Crypto.cs, SafeNativeMethods.cs, DiffieHellmanKey.cs) that handle sensitive key material. Potential risks include improper key zeroing, memory exposure, or weak random number generation that could leak encryption keys. Fix: Audit cryptographic implementations for proper key material disposal. Use secure memory allocation/deallocation patterns. Verify random number generation uses cryptographically secure sources. Consider using Windows DPAPI for sensitive data at rest.
• High · Kerberos Pre-authentication Bypass Scanning — Rubeus/Commands/Preauthscan.cs. Preauthscan.cs allows scanning for AS-REP roastable accounts (users with pre-authentication disabled). This enables offline brute-force attacks against vulnerable user accounts without requiring valid credentials. Fix: Ensure pre-authentication is enabled for all user accounts in Active Directory. Implement detection for unauthorized pre-authentication scanning attempts. Monitor for unusual AS-REQ patterns.
• High · Kerberoasting Attack Support — Rubeus/Commands/Kerberoast.cs, Rubeus/lib/Roast.cs. Kerberoast.cs implements Service Principal Name (SPN) enumeration and ticket-granting-service (TGS) ticket harvesting for offline password cracking against service accounts. Fix: Use strong passwords for service accounts. Implement managed service accounts or group managed service accounts (gMSA). Monitor for unusual TGS-REQ patterns and SPN enumeration activity.
• Medium · Constrained Delegation Abuse — Rubeus/Commands/S4u.cs, Rubeus/Commands/Diamond.cs, Rubeus/lib/S4U.cs. Commands S4u.cs and Diamond.cs implement S4U2Proxy and S4U2Self Kerberos extensions that enable service impersonation attacks when constrained delegation is misconfigured. Fix: Review and minimize constrained delegation permissions. Implement resource-based constrained delegation instead of service-based delegation. Monitor for unusual S4U Kerberos service tickets.
• Medium · LSA Memory Access — Rubeus/lib/LSA.cs, Rubeus/Commands/Dump.cs. LSA.cs and Dump.cs access Local Security Authority memory to extract cached credentials and Kerberos tickets from local system memory, requiring elevated privileges. Fix: Restrict local administrative access. Implement Credential Guard on Windows 10/Server 2016+. Monitor for LSA process access attempts. Use Windows Defender Credential Guard to protect LSA secrets.
• Medium · Insufficient Input Validation in ASN.1 Parsing — Rubeus/Asn1/Asn1Extensions.cs, Rubeus/Asn1/AsnIO.cs, Rubeus/Asn1/AsnElt.cs. The custom ASN.1 parser (Asn1Extensions.cs, AsnIO.cs, AsnElt.cs) processes Kerberos protocol messages. Improper validation could lead to buffer overflows, integer overflows, or denial of service when parsing malformed messages. Fix: Implement strict bounds checking in ASN.1

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.