
Rubeus vs Whisker

GitHub Stats

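Stars: Rubeus 5.0k, Whisker 935
Forks: Rubeus 886, Whisker 121
Issues: Rubeus 45, Whisker 3
Updated: Rubeus 4mo ago, Whisker 1y ago
License: Rubeus -, Whisker MIT
Language: Rubeus C#, Whisker C#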

About Rubeus

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It's the go-to tool for Kerberos-based attacks in Active Directory environments. Rubeus supports AS-REP roasting, Kerberoasting, unconstrained/constrained/resource-based constrained delegation abuse, S4U ticket requests, ticket extraction and renewal, and golden/silver ticket creation. It can be loaded reflectively in memory, making it a staple of modern AD attack chains.

About Whisker

Whisker is a C# tool for performing the Shadow Credentials attack against Active Directory. The attack exploits the msDS-KeyCredentialLink attribute introduced for Windows Hello for Business, which allows certificate-based authentication via Kerberos PKINIT. By adding a rogue Key Credential entry to a target user or computer's msDS-KeyCredentialLink attribute (which requires write access to the attribute), an attacker can then authenticate as that principal using the corresponding private key, without knowing or changing their password. This is stealthier than traditional credential attacks because it doesn't modify the password or trigger password change events. Whisker generates the key pair, adds the Key Credential to the target, and can be combined with Rubeus to request TGTs using the shadow credential. It's particularly effective when you have GenericWrite or GenericAll permissions over user or computer objects.

Platform Support

Rubeus: 🪟 windows
Whisker: 🪟 windows

Tags

Shared

kerberos, active-directory

Rubeus only

roasting, delegation, tickets

Whisker only

shadow-credentials, pkinit, persistence, lateral-movement