AD Recon: Kerberos Username Bruteforce

In this post, we explore the exploitation technique known as the Kerberos pre-authentication brute-force attack. This attack takes advantage of Kerberos authentication responses to determine valid usernames and perform password bruteforcing.

The post outlines exploitation methods, and mitigation techniques, mapped to the MITRE ATT&CK framework for clarity. Detection mechanisms and actionable recommendations are also provided to help security professionals identify and defend against this prevalent threat.

Table of Contents

Kerberos Authentication Pre-auth Bruteforce Metasploit Nmap Kerbrute Rubeus

Detection & Mitigation

Kerberos Authentication

Kerberos is a widely used authentication protocol in Active Directory (AD) environments. It enables secure authentication using tickets instead of transmitting passwords in plaintext. The protocol consists of three key components:

Key Distribution Center (KDC) – Located on the Domain Controller (DC), responsible for issuing tickets.

Authentication Server (AS) – Handles initial authentication requests.

Ticket Granting Server (TGS) – Issues service tickets for access to specific resources.

The authentication process follows these steps:

A user requests authentication from the AS by sending an encrypted timestamp with their password. If valid, the AS returns a Ticket Granting Ticket (TGT). The user presents the TGT to the TGS when accessing resources. The TGS issues a Service Ticket, allowing access to the requested service.

Despite its security features, Kerberos can be exploited using brute-force techniques to obtain credentials and access sensitive information.

Pre-auth Bruteforce

Brute-forcing Kerberos is possible due to distinct server responses during authentication attempts. Attackers exploit these responses to enumerate valid usernames and crack passwords. Since Kerberos operates on port 88, attackers specifically target this port when performing brute-force attacks.

Username Enumeration via AS-REQ Responses

When a TGT request is made via an AS-REQ message, the Kerberos server responds in different ways:

Invalid Username: The server returns KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, indicating that the username does not exist. Valid Username without Pre-Authentication: The server may issue a TGT immediately in a AS-REP response, leading to AS-REP Roasting Valid Username with Pre-Authentication Required: The server returns KRB5KDC_ERR_PREAUTH_REQUIRED, indicating that the client must provide additional authentication data.

Metasploit

The auxiliary/scanner/kerberos/kerberos_login module can verify Kerberos credentials against a range of machines and report successful logins.

This module can identify the following information from the KDC:

Valid/Invalid accounts Locked/Disabled accounts Accounts with expired passwords, when the password matches AS-REP Roastable accounts

USER_FILE option is used to specify the file containing a list of user names to query the Domain Controller to identify if they exist in the target domain or not.

use auxiliary/scanner/kerberos/kerberos_login set rhosts 192.168.1.48 set domain ignite.local set user_file users.txt run

The gather/kerberos_enumusers module uses a custom wordlist to query a single Domain Controller and identify valid domain user accounts.

use auxiliary/gather/kerberos_enumusers set rhosts 192.168.1.48 set domain ignite.local set user_file users.txt run

Nmap

Nmap krb5-enum-users script Discovers valid usernames by brute force querying likely usernames against a Kerberos service.

krb5-enum-users.realm: this argument is required as it supplies the script with the Kerberos REALM against which to guess the user names.

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='ignite.local',userdb=users.txt 192.168.1.48

Kerbrute

Kerbrute is a tool used to enumerate valid Active directory user accounts that use Kerberos pre-authentication.

./kerbrute_linux_amd64 userenum --dc 192.168.1.48 -d ignite.local users.txt

Impacket

Impacket’s GetNPUsers script helps enumerate valid usernames and extract AS-REP hashes for offline cracking.

Impacket-GetNPUsers -dc-ip 192.168.1.48 ignite.local/ -userfile users.txt

Windows

Rubeus

The brute option in Rubeus can be used to perform a password bruteforce attack against all the existing user accounts in Active Directory. Many times, the same password is used with multiple accounts in real-life enterprise infrastructure. So, brute option can generate multiple TGTs in those accounts having the same password.

.\Rubeus.exe brute /passwords:password.txt /dc.ignite.local /outfile:ignite.txt

above command will produce the output in ignite.txt file.

Type .\ignite.txt

Kerberos is a powerful authentication protocol, but it can be exploited if misconfigured. By understanding the different brute-force techniques and using tools like Kerbrute, Impacket, Rubeus, and Metasploit, attackers can attempt to extract credentials. However, organizations can protect themselves by enforcing security best practices, monitoring logs, and implementing strict access controls.

Detection & Mitigation

Detection Techniques:

Monitor Event Logs: Event ID 4768 (TGT requests) Event ID 4769 (TGS requests) Event ID 4771 (Failed Kerberos pre-authentication attempts) Look for High-Frequency Requests: Multiple failed authentication attempts from the same IP. Multiple service ticket requests within a short period.

Mitigation Strategies:

Enforce Pre-Authentication: Prevent AS-REP attacks by requiring all users to authenticate before receiving a TGT. Enforce Strong Password Policies: Use complex passwords to resist brute-force attempts. Monitor for Anomalous Behavior: Detect brute-force attempts using SIEM tools. Use Account Lockout Policies: Limit failed login attempts to prevent password spraying. Limit Service Accounts with SPNs: Reduce exposure to Kerberoasting by restricting unnecessary SPN assignments.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is a completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here