User Enumeration and Brute Force
Overview
First of all, since Kerberos is an authentication protocol, it is possible to perform brute-force attacks against it. Moreover, brute-forcing Kerberos has several advantages over brute-forcing other authentication methods:
No domain account is needed to conduct the attack, just network connectivity to the KDC.
Kerberos pre-authentication errors are not logged in Active Directory as a normal logon failure event (4625), but with a specific Kerberos pre-authentication failure event (4771).
Kerberos indicates, even when the password is wrong, whether the username is valid or not. This is a huge advantage when performing this sort of technique without knowing any username.
With Kerberos brute-forcing it is also possible to discover user accounts that do not require pre-authentication, which can be useful for performing an ASREPRoast attack.
However, a brute-force attack can also lock out user accounts. Thus, this technique should be used carefully.
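The logging behaviour described above (4771 pre-authentication failures for existing accounts, and KDC errors rather than 4625 for unknown names) is what a defender can key on. The following is an added detection example, not code from the original page: it runs over constructed, normalized KDC Security events and flags sources that probe many non-existent names, spray many existing accounts, or hammer a single account. The event field names and the status codes 0x18 and 0x6 are assumptions about how the log was normalized.

```python
# Added defensive example (not code from the original page): flag Kerberos
# brute-force / user-enumeration patterns in KDC Security events. Assumed
# normalized event shape: 4771 + Status 0x18 = pre-auth failed, account exists
# (KDC_ERR_PREAUTH_FAILED); 4768 + Status 0x6 = unknown account (KDC_ERR_C_PRINCIPAL_UNKNOWN).
from collections import defaultdict

def ev(event_id, user, ip, status):
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip, "Status": status}

# Constructed sample log: 10.0.0.5 probes many names (most do not exist),
# 10.0.0.7 hammers one account, 10.0.0.9 is a single legitimate typo.
SAMPLE_EVENTS = (
    [ev(4771, u, "10.0.0.5", "0x18") for u in ("alice", "carol", "dave")]
    + [ev(4768, u, "10.0.0.5", "0x6") for u in ("bob", "eve", "frank", "grace", "hank", "ivan")]
    + [ev(4771, "svc_backup", "10.0.0.7", "0x18") for _ in range(6)]
    + [ev(4771, "alice", "10.0.0.9", "0x18")]
)

def classify(event):
    """Return 'bad_password', 'unknown_user', or None for anything else."""
    if event["EventID"] == 4771 and event["Status"].lower() == "0x18":
        return "bad_password"
    if event["EventID"] == 4768 and event["Status"].lower() == "0x6":
        return "unknown_user"
    return None

def detect(events, enum_threshold=5, spray_threshold=5, brute_threshold=5):
    """Return {source_ip: sorted alert names}: user_enumeration (many distinct
    unknown names), password_spray (many distinct existing accounts hit),
    brute_force (one account hit repeatedly)."""
    bad_pw = defaultdict(lambda: defaultdict(int))   # ip -> user -> failures
    unknown = defaultdict(set)                        # ip -> unknown names
    for e in events:
        kind = classify(e)
        if kind == "bad_password":
            bad_pw[e["IpAddress"]][e["TargetUserName"]] += 1
        elif kind == "unknown_user":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    findings = {}
    for ip in set(bad_pw) | set(unknown):
        alerts = []
        if len(unknown[ip]) >= enum_threshold:
            alerts.append("user_enumeration")
        if len(bad_pw[ip]) >= spray_threshold:
            alerts.append("password_spray")
        if any(n >= brute_threshold for n in bad_pw[ip].values()):
            alerts.append("brute_force")
        if alerts:
            findings[ip] = sorted(alerts)
    return findings
```

Thresholds are deliberately low for the sample; in production they should be tuned per window and per source, and the 4768 failure audit must be enabled on the KDC for unknown-name probes to appear at all.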
User Enumeration Execution
With nmap:
With kerbrute.py:
Brute-force Execution
With kerbrute.py:
With the Rubeus version that includes the brute module:
Resources
https://www.attackdebris.com/?p=311
https://www.tarlogic.com/blog/how-to-attack-kerberos/#Kerberos_brute-force
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a#bruteforcing