User Enum and Brute Force


Last updated 3 years ago

User Enumeration and Brute Force

Overview

First of all, because Kerberos is an authentication protocol, it is possible to perform brute-force attacks against it. Moreover, brute-forcing Kerberos has several advantages over brute-forcing other authentication methods:

  • No domain account is needed to conduct the attack, just connectivity to the KDC.

  • Kerberos pre-authentication errors are not logged in Active Directory as a normal logon failure event (4625), but as the specific Kerberos pre-authentication failure event (4771).

  • Kerberos indicates whether the username is valid even when the password is wrong, because the KDC returns a different error for an unknown principal than for a failed pre-authentication. This is a huge advantage when performing this technique without knowing any username.

  • Kerberos brute-forcing also makes it possible to discover user accounts that do not require pre-authentication, which can be useful for performing an ASREPRoast attack.

However, a brute-force attack can also lock out user accounts, so this technique should be used carefully.

User Enumeration Execution

With nmap:

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]

With kerbrute:

python kerbrute.py userenum -d test.local usernames.txt

Brute-force Execution

With kerbrute (Python) and Rubeus:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in the current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
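The overview above gives a defender the two facts needed to spot both phases of this technique: enumeration shows up as TGT requests (event 4768) for principals the KDC does not know, and password guessing shows up as pre-authentication failures (event 4771) rather than 4625, with a lockout following if the attacker is careless. The script below is an added example, not code from the original page or from any of the tools it lists. It assumes Domain Controller Security events 4768 and 4771 have been exported as dicts with the fields `event_id`, `user`, `client_ip` and `status` (mapped from the Windows fields TargetUserName, IpAddress and Result/Failure Code); the sample events and thresholds are constructed for the demo.

```python
"""Detection sketch for Kerberos user enumeration, brute force and password spraying.

Added example (not from the original page). Assumes 4768/4771 events exported
as dicts with keys event_id, user, client_ip, status; sample data is constructed.
"""
from collections import defaultdict

# Kerberos error codes as Windows writes them into the 4768/4771 Result/Failure Code field
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768: username does not exist in the realm
KDC_ERR_PREAUTH_FAILED = "0x18"       # 4771: username exists, password wrong
KDC_ERR_CLIENT_REVOKED = "0x12"       # 4771: account disabled or locked out

# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    # normal activity: one successful logon, one real user mistyping a password once
    {"event_id": 4768, "user": "alice", "client_ip": "10.0.0.5", "status": "0x0"},
    {"event_id": 4771, "user": "bob", "client_ip": "10.0.0.7", "status": "0x18"},
    {"event_id": 4768, "user": "bob", "client_ip": "10.0.0.7", "status": "0x0"},
    # user enumeration from 10.0.0.99: a wordlist of names that do not exist
    *[{"event_id": 4768, "user": f"guess{i}", "client_ip": "10.0.0.99", "status": "0x6"}
      for i in range(12)],
    # brute force against a single account from 10.0.0.42, ending in a lockout
    *[{"event_id": 4771, "user": "alice", "client_ip": "10.0.0.42", "status": "0x18"}
      for _ in range(8)],
    {"event_id": 4771, "user": "alice", "client_ip": "10.0.0.42", "status": "0x12"},
    # password spray from 10.0.0.77: one bad attempt per account, stays under lockout
    *[{"event_id": 4771, "user": u, "client_ip": "10.0.0.77", "status": "0x18"}
      for u in ("carol", "dave", "erin", "frank", "grace", "heidi")],
]


def analyze(events, enum_threshold=10, brute_threshold=5, spray_threshold=5):
    """Group KDC failures by source IP and return four kinds of finding.

    user_enumeration: ip -> number of distinct non-existent usernames requested
    brute_force:      (ip, user) -> bad-password failures against one account
    password_spray:   ip -> number of distinct accounts with bad-password failures
    lockouts:         accounts that hit KDC_ERR_CLIENT_REVOKED (collateral damage)
    """
    unknown_by_ip = defaultdict(set)                    # ip -> {unknown usernames}
    failures = defaultdict(lambda: defaultdict(int))    # ip -> user -> failure count
    lockouts = set()

    for ev in events:
        ip, user, status = ev["client_ip"], ev["user"], ev["status"]
        if ev["event_id"] == 4768 and status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown_by_ip[ip].add(user)
        elif ev["event_id"] == 4771 and status == KDC_ERR_PREAUTH_FAILED:
            failures[ip][user] += 1
        elif ev["event_id"] == 4771 and status == KDC_ERR_CLIENT_REVOKED:
            lockouts.add(user)

    enumeration = {ip: len(users) for ip, users in unknown_by_ip.items()
                   if len(users) >= enum_threshold}
    brute = {(ip, user): n for ip, per_user in failures.items()
             for user, n in per_user.items() if n >= brute_threshold}
    spray = {ip: len(per_user) for ip, per_user in failures.items()
             if len(per_user) >= spray_threshold}
    return {"user_enumeration": enumeration, "brute_force": brute,
            "password_spray": spray, "lockouts": lockouts}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{kind}: {hits}")
```

The single 4771 from bob at 10.0.0.7 stays below every threshold, which is the point of grouping by source IP rather than alerting on individual failures; in a real deployment the thresholds would be tuned per time window, and the lockout finding is what tells you the brute force has already done collateral damage.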

Resources

With version with brute module:

  • kerbrute.py
  • kerbrute.py
  • Rubeus
  • https://www.attackdebris.com/?p=311
  • https://www.tarlogic.com/blog/how-to-attack-kerberos/#Kerberos_brute-force
  • https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a#bruteforcing