Kerbrute

Kerbrute can be a stealthier option for domain account enumeration.
It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts

Cloning Kerbrute GitHub Repo

sudo git clone https://github.com/ropnop/kerbrute.git

Install

cd kerbrute

make help

We can choose to compile just one binary or type make all and compile one each for use on Linux, Windows, and Mac systems (an x86 and x64 version for each).

sudo make all

The newly created dist directory will contain our compiled binaries.

ls dist/

Testing the kerbrute_linux_amd64 Binary

/kerbrute_linux_amd64

Adding the Tool to our Path

echo $PATH

/home/htb-student/.local/bin:/snap/bin:/usr/sandbox/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/share/games:/usr/local/sbin:/usr/sbin:/sbin:/snap/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home/htb-student/.dotnet/tools

Moving the Binary

sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

Enumerating Users with Kerbrute

look into statistically-likely-usernames for username list
- linkedin2username
- jsmith.txt is from this list

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt

Using Kerbrute for username enumeration will generate event ID 4768: A Kerberos authentication ticket (TGT) was requested
- will be triggered if Kerberos event logging is enabled via Group Policy

Password Spraying Active Directory

need valid_users.txt file
- use Password Spraying - Making a Target User List ACTIVE Directory

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

Reference

https://github.com/ropnop/kerbrute

PreviousPassword Spraying - Making a Target User List ACTIVE Directory Nextstatistically-likely-usernames

Last updated 1 year ago