Kerbrute is a tool used to enumerate valid Active directory user accounts that use Kerberos pre-authentication. Also, this tool can be used for password attacks such as password bruteforce, username enumeration, password spray etc. This tool is being used for many years by penetration testers during internal penetration testing engagements. This tool is originally written by Ronnie Flathers (ropnop) with contributor Alex Flores.
The Kerberos service runs on its default port which is 88 in a domain controller system. This service comes in windows and the Linux system as well where it is used to implement authentication processes more securely in an Active Directory environment. For more information about Kerberos authentication process and service principal name (SPN) please consider visiting the below link:
Kerbrute can be downloaded from its official github repository release page. It was last modified in December 2019. The source code of the tool is also available, and it is also available for windows systems and other Linux architecture. For simplicity, we will download compiled kerbrute_linux_amd64 for the kali Linux which will be going to be an attacking system for the demonstration. The tool can be downloaded from the link given below.
Once we download the tool in the kali machine, we can list the available options and features by executing the following command:
In the picture below, we can see that tools can perform various tasks such as bruteforce, bruteuser, password spray, userenum and version detection. Moreover, there are some flags available too which can be very handy during penetration testing. During the internal assessment, many times we encounter security features and the password policy so increasing and decreasing threads can help us to make password attacks stealthier. We highly recommend using all available flags come with kerbrute to get practical experience and analyse the results.
During the internal penetration testing engagements especially in the Active Directory environment, our initial goal is to find valid users. Once we find potential users from the company website or any other sort of misconfiguration then we can verify those users if they have valid accounts or not using kerbrute. To do that, we will make a list of potential users that we obtained from OSINT or any other way. For the demonstration, we have created a user’s list and saved it as users.txt.
Then we provided users list and selected the userenum option. Next, we provided the domain controller IP address and domain name which is ignite.local in our case. The tool will test against each user account and verify if those users exist in the domain and using Kerberos pre-authentication. In the picture below we can see that kapil, aarti, shreya, raj and pawan appeared as valid users using Kerberos authentication. Here we in the position where we can think about various Kerberos attack such as SPN and Kerberos bruteforce etc. To reproduce the proof of concept, feel free to use the below command.
Suppose we have obtained a password ([email protected]) during the enumeration phase that can be anything such as OSNIT leaked password, service misconfiguration, smb share, ftp etc but we do not know the real owner of the obtained password. In the username enumeration phase, we found five valid users now we can test obtained passwords with their accounts. Password spray is like password bruteforce where we test each password against single users but in the password spray, we use a single password and test it against all valid accounts. To do that, we created a new users list and saved it as users.txt. Then we used passwordspray option this time and provided the domain controller IP address and domain name along with a valid users list and obtained the password. In the picture below, we can see that three users’ accounts matched the obtained password. Now we can try log in via RDP, winrm and smb service. To reproduce the proof of concept, please consider following the below command.
Next, we will try password bruteforce using potential passwords against a single user. In password bruteforce, we test all potential passwords against a single user. Here we are using a common password list where you can try with different password lists to get the expected result. Password mutation or custom wordlist can be fruitful whenever we come across internal penetration testing. We highly recommend visiting our article to get familiar yourself with password mutation using crunch utility by visiting the below link.
Firstly, we will create a potential password to perform a bruteforce attack against the domain.
We created a password list and saved it as pass.txt Then we used the bruteuser option this time and provided the domain controller IP address, domain name and potential password list and username ( aarti). The tool will show + sign when it triggers with the valid password. If you are in a real-world engagement, then be careful about the account lockout policy because it may affect our client’s business. It is very common to experience this problem during penetration testing and you might need to wait for 30 minutes to one hour to perform the attack again or sometime the system administrator needs to unlock it manually. Usually, it locks out the account after 5 attempts, but a few companies set it at 3 attempts as well. In the picture, we can see that user aarti’s password matched one password from the password list we provided. Now, we can use valid credentials to log in via RDP, psexec and evil-winrm. To reproduce the proof of concept then follow the below command.
In this example, we will create a combined username and password list and attempt to verify if they matched. To do that, we created a username and password list and saved it as userpass.txt and attempt to verify using pipe (|) along with the ( – ) flag. Here we have provided userpass list, domain controller IP address and the domain name as we did in the earlier attacks. Execution of the command verified two user accounts. To reproduce the proof of concept then feel free to repeat the process with the below command.
Saving output is always healthy whether we are solving CTF or in real-world engagements. If we save the output, then we do not have to run the command again and again to check the results. Also, it is beneficial, especially in a real-world project where we have to provide output to our clients in the penetration testing reports. We can save the output of our findings using the -o flag providing the output file name. In this example, we have saved the output as result.txt. To reproduce the proof of concept, follow the below command where we append the -o flag in the previously used command.
We can also use verbose mode using the -v flag in our command. Verbose features give us insight into the tool with each user account. Here in the below example, we can see that when kerbrute is unable to verify the Kerberos account, it is showing user does not exist. In this example, we are attempting to perform username enumeration by using the same command we used during the username enumeration phase by appending -v flag to get a verbose result. To reproduce the proof of concept, feel free to test the below command.
There are multiple factors and ways which can help to harden the system.
We have explored the kerbrute tool briefly and its special features which can allow an attacker to gain access to the internal network. We have explored multiple techniques to exploit the internal network using the kerbrute tool where we performed password spray, password bruteforce and userenum etc. Lastly, we also provided the steps to mitigate these attacks. I hope you have learned something new today. Happy hacking!
Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and loves to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: Linkedin and Twitter