In the previous article, we had explained Forge Kerberos  Ticket  “Domain Persistence: Golden Ticket Attack”  where have discussed how the Kerberos authentication process works and what its service component is. In this post, we are going to perform a Kerberos brute force attack on Port 88, which is used for the Kerberos service for enumerating valid username & password.

Table of Content

• Metasploit
• Nmap
• Rubeus
• Kerbrute

Metasploit

This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes the different responses returned by the service for valid and invalid users.

msf > use auxiliary/gather/kerberos_enumusers
msf auxiliary(gather/kerberos_enumusers) > set rhosts 192.168.1.105
msf auxiliary(gather/kerberos_enumusers) > set User_File /root/user.txt
msf auxiliary(gather/kerberos_enumusers) > set Domain ignite.local
msf auxiliary(gather/kerberos_enumusers) > exploit

According to this module, valid usernames will either receive the TGT in an AS-REP response or trigger the error KRB5KDC_ERR_PREAUTH_REQUIRED, showing that the user must perform pre-authentication. Additionally, this error confirms that the username account is present on the given host.

As result we found three users (Yashika, geet, aarti) are valid user to access Kerberos service.

Nmap

Additionally, this method discovers valid usernames by brute-force querying likely usernames against a Kerberos service. The krb5-enum-users.realm argument is essential because it provides the script with the Kerberos REALM required to guess the usernames effectively.

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='ignite.local',userdb=/root/user.txt 192.168.1.105

Similarly, nmap uses the same approach for enumerating Kerberos usernames.

Rubeus

Kerberos Brute Force Attack can be executed using Rubeus, a C# toolset for raw Kerberos interaction and abuses. This toolset draws heavily from Benjamin Delpy’s Kekeo project (licensed under CC BY-NC-SA 4.0) and Vincent LE TOUX’s MakeMeEnterpriseAdmin project (licensed under GPL v3.0). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization.

You can download it from here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

Now run the following and provide a password list along with domain name.

.\Rubeus.exe brute /passwords:password.txt /WIN-S0V7KMTVLD2.ignite.local /outfile:ignite.txt

password.txt: Password Dictionary

WIN-S0V7KMTVLD2.ignite.local: hostname.domain_name

outfile:ignite.txt: Output file

It will enumerate the valid username & password by trying user, password combination.

Kerbrute

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication. Download it from here.

Similarly, kerbrute try to check valid username & password against Kerberos with the help of the following command.

python kerbrute.py -dc-ip 192.168.1.105 -domain ignite.local -users /root/user.txt -passwords /root/pass.txt -outputfile ignite.txt

Conclusion

In conclusion, the Kerberos Brute Force Attack remains a common technique for cracking user credentials in Active Directory environments. By trying to guess or decrypt Kerberos tickets, attackers can gain unauthorized access to network resources and escalate their privileges. Understanding and defending against this attack is critical for keeping a secure enterprise environment.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Related posts:

Diamond Ticket Attack: Abusing kerberos Trust Sapphire Ticket Attack: Abusing Kerberos Trust