Kerbrute

• Kerbrute can be a stealthier option for domain account enumeration.

• It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts

Cloning Kerbrute GitHub Repo

sudo git clone https://github.com/ropnop/kerbrute.git

Install

cd kerbrute

make help

• We can choose to compile just one binary or type make all and compile one each for use on Linux, Windows, and Mac systems (an x86 and x64 version for each).

sudo make all

• The newly created dist directory will contain our compiled binaries.

ls dist/

Testing the kerbrute_linux_amd64 Binary

/kerbrute_linux_amd64 

Adding the Tool to our Path

echo $PATH

/home/htb-student/.local/bin:/snap/bin:/usr/sandbox/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/share/games:/usr/local/sbin:/usr/sbin:/sbin:/snap/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home/htb-student/.dotnet/tools

Moving the Binary

Enumerating Users with Kerbrute

• look into statistically-likely-usernames for username list

  • linkedin2username

  • jsmith.txt is from this list

• Using Kerbrute for username enumeration will generate event ID 4768: A Kerberos authentication ticket (TGT) was requested

  • will be triggered if Kerberos event logging is enabled via Group Policy

Password Spraying Active Directory

• need valid_users.txt file

  • use Password Spraying - Making a Target User List ACTIVE Directory

Reference

• https://github.com/ropnop/kerbrute