Rubeus MCP Server
A Model Context Protocol (MCP) server for Kerberos abuse operations using Rubeus on Windows or Impacket on Linux/macOS.
Overview
This MCP server provides comprehensive tools for Kerberos-based security testing, wrapping the functionality of Rubeus (Windows) and Impacket (cross-platform) into a unified interface accessible through the Model Context Protocol.
Security Warning: This tool is intended for authorized security testing only. Unauthorized use against systems you do not own or have permission to test is illegal and unethical.
Features
Ticket Operations
asktgt - Request Ticket Granting Tickets (TGT) using passwords, hashes, or certificates
asktgs - Request Service Tickets (TGS) for specific SPNs
renew - Renew existing TGTs to extend validity
ptt - Pass-the-ticket to apply tickets to current session
purge - Remove tickets from logon sessions
describe - Parse and analyze ticket contents
Roasting Attacks
kerberoast - Extract service account password hashes via TGS requests
asreproast - Attack accounts without Kerberos pre-authentication
Ticket Extraction
dump - Extract all tickets from memory
triage - Quick summary of available tickets
klist - Detailed ticket listing
harvest - Continuously monitor and harvest new TGTs
monitor - Watch for new TGT events
tgtdeleg - Extract TGT without elevation using delegation trick
Delegation Abuse
s4u - Perform S4U2Self/S4U2Proxy constrained delegation attacks
Bronze Bit exploitation (CVE-2020-17049)
Ticket Forgery
golden - Forge Golden Tickets with krbtgt hash
silver - Forge Silver Tickets with service account hash
diamond - Forge Diamond Tickets (modified legitimate TGT)
Utilities
hash - Calculate Kerberos password hashes (RC4, AES128, AES256, DES)
changepw - Change user passwords using TGT
createnetonly - Create processes with different network credentials
tgssub - Substitute service names in tickets
Installation
Prerequisites
Windows (Native Rubeus):
Download Rubeus.exe from GhostPack
.NET Framework 4.0+
Linux/macOS (Impacket):
pip install impacket
Setup
# Clone the repository
git clone https://github.com/schwarztim/sec-rubeus-mcp.git
cd sec-rubeus-mcp
# Install dependencies
npm install
# Build
npm run build
Configuration
Configure via environment variables:
Variable | Description | Default |
| Path to Rubeus.exe (Windows) | |
| Path to impacket scripts | System PATH |
| Directory for output files | |
| Default AD domain | None |
| Default domain controller | None |
| Command timeout (ms) | |
| Force impacket mode | Auto-detected |
Usage with Claude Desktop
Add to your Claude Desktop configuration (claude_desktop_config.json):
{
  "mcpServers": {
    "rubeus": {
      "command": "node",
      "args": ["/path/to/sec-rubeus-mcp/dist/index.js"],
      "env": {
        "RUBEUS_DOMAIN": "corp.example.com",
        "RUBEUS_DC": "dc01.corp.example.com"
      }
    }
  }
}
Usage with Claude Code
Add to your MCP configuration:
{
  "rubeus": {
    "command": "node",
    "args": ["/path/to/sec-rubeus-mcp/dist/index.js"],
    "env": {
      "RUBEUS_DOMAIN": "corp.example.com"
    }
  }
}
Examples
Check Environment
Use rubeus_check_environment to verify your setup
Request a TGT
Use rubeus_asktgt with:
- user: "admin"
- domain: "corp.example.com"
- password: "Password123"
Kerberoasting
Use rubeus_kerberoast with:
- domain: "corp.example.com"
- outfile: "hashes.txt"
AS-REP Roasting
Use rubeus_asreproast with:
- domain: "corp.example.com"
- format: "hashcat"
S4U Delegation Attack
Use rubeus_s4u with:
- user: "svc_account"
- rc4: "<ntlm_hash>"
- impersonateuser: "Administrator"
- msdsspn: "cifs/fileserver.corp.example.com"
Cross-Platform Support
Feature | Windows (Rubeus) | Linux/macOS (Impacket) |
asktgt | Full | Full |
asktgs | Full | Full |
kerberoast | Full | Full |
asreproast | Full | Full |
s4u | Full | Full |
dump | Full | Via secretsdump |
Golden/Silver tickets | Full | Limited |
Ticket manipulation | Full | Limited |
Development
# Watch mode for development
npm run dev
# Build
npm run build
# Run tests
npm test
Security Considerations
All tools require appropriate authorization before use
Output files may contain sensitive data (tickets, hashes)
Credentials are not logged, but ticket data may be captured
Use in isolated test environments when possible
Follow responsible disclosure practices
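Because output files may hold tickets and hashes, the output directory should be owner-only and checked after each run. The Node.js code below is an added example, not code from sec-rubeus-mcp; the function names and the temporary directory are assumptions, and it relies on POSIX mode bits (which have little effect on Windows).

```javascript
// Added example, not part of sec-rubeus-mcp. Function names and paths are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// mkdir's mode is umask-masked and ignored for existing dirs, so chmod explicitly.
function ensurePrivateDir(dir) {
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  fs.chmodSync(dir, 0o700);
  return dir;
}

// Report entries that group/other can access, and any symlink (reported only).
function findExposed(dir) {
  const exposed = [];
  for (const name of fs.readdirSync(dir)) {
    const full = path.join(dir, name);
    const st = fs.lstatSync(full);
    if (st.isSymbolicLink()) {
      exposed.push({ path: full, reason: "symlink" });
      continue;
    }
    if (st.isDirectory()) exposed.push(...findExposed(full));
    const mode = st.mode & 0o777;
    if (mode & 0o077) exposed.push({ path: full, reason: "mode " + mode.toString(8) });
  }
  return exposed;
}

// Tighten what findExposed reported: 0700 for directories, 0600 for files.
function lockDown(dir) {
  const fixed = [];
  for (const item of findExposed(dir)) {
    if (item.reason === "symlink") continue; // never chmod through a link
    const isDir = fs.lstatSync(item.path).isDirectory();
    fs.chmodSync(item.path, isDir ? 0o700 : 0o600);
    fixed.push(item.path);
  }
  return fixed;
}

// Constructed demo: a world-readable hashes.txt in a temporary output directory.
function demo() {
  const dir = ensurePrivateDir(fs.mkdtempSync(path.join(os.tmpdir(), "mcp-out-")));
  const file = path.join(dir, "hashes.txt");
  fs.writeFileSync(file, "constructed placeholder, no real data\n");
  fs.chmodSync(file, 0o644);
  return { file, before: findExposed(dir), fixed: lockDown(dir), after: findExposed(dir) };
}
console.log(demo());
```

Run findExposed against the configured output directory after an engagement to confirm nothing was left readable by other local users before archiving or deleting the results.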
License
MIT License - see LICENSE file for details.
Acknowledgments
GhostPack/Rubeus - The original Rubeus toolkit by harmj0y
Impacket - Python classes for network protocols by Fortra
Model Context Protocol - The MCP specification by Anthropic
Disclaimer
This tool is provided for educational and authorized security testing purposes only. The authors are not responsible for misuse or damage caused by this tool. Always obtain proper authorization before testing systems you do not own.