# User Enum and Brute Force

## **User Enumeration and Brute Force**

### Overview

Because Kerberos is an authentication protocol, it can be brute-forced. Brute-forcing Kerberos also has several advantages over brute-forcing other authentication methods:

* No domain account is needed to conduct the attack, just connectivity to the KDC.
* Kerberos pre-authentication failures are not logged in Active Directory as a normal logon failure event (4625), but as a dedicated Kerberos pre-authentication failure event (4771).
* Kerberos indicates whether the username is correct even when the password is wrong. This is a big advantage when attempting this technique without knowing any usernames.
* Kerberos brute-forcing can also reveal user accounts that do not require pre-authentication, which can be useful for performing an ASREPRoast attack.

However, a brute-force attack can also **lock out user accounts**, so this technique should be used carefully.
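Because these failures never appear as event 4625, monitoring has to watch the Kerberos events directly. The following is an added detection sketch, not code from the original page or from any tool it links to. It assumes events have been exported as `time,event_id,code,user,src_ip` lines (a constructed format) and relies on failed TGT requests for nonexistent users being logged as event 4768 with result code 0x6, and wrong passwords as event 4771 with failure code 0x18. The thresholds and function names are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = "0x6"  # failed 4768 (TGT request): username does not exist
PREAUTH_FAILED = "0x18"    # 4771: username exists, password is wrong

def parse(line):
    """Parse one line of the assumed export: time,event_id,code,user,src_ip."""
    ts, event_id, code, user, src = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), code.lower(), user.lower(), src

def detect(lines, window=timedelta(minutes=5), enum_users=5, bad_passwords=10):
    """Return {src_ip: set of findings}, judged over a sliding window per source."""
    by_src = defaultdict(list)
    for ev in sorted(parse(l) for l in lines):
        by_src[ev[4]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev[0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            recent = evs[start:end + 1]
            # Distinct nonexistent names probed: the username oracle being used
            unknown = {u for _, eid, code, u, _ in recent
                       if eid == 4768 and code == PRINCIPAL_UNKNOWN}
            # Wrong-password failures: these never appear as event 4625
            wrong = [u for _, eid, code, u, _ in recent
                     if eid == 4771 and code == PREAUTH_FAILED]
            if len(unknown) >= enum_users:
                findings[src].add("user_enumeration")
            if len(wrong) >= bad_passwords:
                findings[src].add("brute_force")
    return dict(findings)

def sample_log():
    """Constructed events for illustration, not real logs."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    row = lambda sec, eid, code, user, src: (
        f"{(t0 + timedelta(seconds=sec)).isoformat()},{eid},{code},{user},{src}")
    lines = [row(i, 4768, "0x6", f"guess{i}", "10.0.0.50") for i in range(6)]
    lines += [row(5 * i, 4771, "0x18", "alice", "10.0.0.60") for i in range(12)]
    lines += [row(30 * i, 4771, "0x18", "bob", "10.0.0.70") for i in range(2)]
    return lines

if __name__ == "__main__":
    for src, found in sorted(detect(sample_log()).items()):
        print(src, sorted(found))
```

Attempts paced slower than the window stay under both thresholds, so a long-horizon count per source is a useful complement to this check.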

### **User Enumeration Execution**

With nmap:

```
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]
```

With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):

```
python kerbrute.py userenum -d test.local usernames.txt
```

### **Brute-force Execution**

With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):

```
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:

```
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

