
www.ignitetechnologies.in
Contents
Kerberos Authentication ... 3
Pre-auth Bruteforce ... 3
Username Enumeration via AS-REQ Responses ... 3
Metasploit ... 4
Nmap ... 5
Kerbrute ... 5
Impacket ... 6
Windows ... 6
Detection & Mitigation ... 7

In this post, we explore the exploitation technique known as the Kerberos pre-authentication brute-force attack. This attack takes advantage of the distinct Kerberos authentication responses to determine valid usernames and to perform password brute-forcing against them.

The post outlines exploitation methods and mitigation techniques, mapped to the MITRE ATT&CK framework for clarity. Detection mechanisms and actionable recommendations are also provided to help security professionals identify and defend against this prevalent threat.

Kerberos Authentication
Kerberos is a widely used authentication protocol in Active Directory (AD) environments. It enables
secure authentication using tickets instead of transmitting passwords in plaintext. The protocol
consists of three key components:

Key Distribution Center (KDC) – Located on the Domain Controller (DC), responsible for issuing
tickets.

Authentication Server (AS) – Handles initial authentication requests.

Ticket Granting Server (TGS) – Issues service tickets for access to specific resources.

The authentication process follows these steps:

1. A user requests authentication from the AS by sending a timestamp encrypted with a key derived from their password.

2. If valid, the AS returns a Ticket Granting Ticket (TGT).

3. The user presents the TGT to the TGS when accessing resources.

4. The TGS issues a Service Ticket, allowing access to the requested service.

Despite its security features, Kerberos can be exploited using brute-force techniques to obtain
credentials and access sensitive information.

Pre-auth Bruteforce
Brute-forcing Kerberos is possible due to distinct server responses during authentication attempts.
Attackers exploit these responses to enumerate valid usernames and crack passwords. Since
Kerberos operates on port 88, attackers specifically target this port when performing brute-force
attacks.

Username Enumeration via AS-REQ Responses

When a TGT request is made via an AS-REQ message, the Kerberos server responds in different ways:

• Invalid Username: The server returns KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, indicating that the username does not exist.
• Valid Username without Pre-Authentication: The server may issue a TGT immediately in an AS-REP response, which enables an AS-REP Roasting attack.
• Valid Username with Pre-Authentication Required: The server returns KRB5KDC_ERR_PREAUTH_REQUIRED, indicating that the client must provide additional authentication data.

Metasploit
The auxiliary/scanner/kerberos/kerberos_login module can verify Kerberos credentials against a
range of machines and report successful logins.

This module can identify the following information from the KDC:

• Valid/Invalid accounts
• Locked/Disabled accounts
• Accounts with expired passwords, when the password matches
• AS-REP Roastable accounts

The USER_FILE option specifies the file containing the list of user names to query against the Domain Controller, to check whether each of them exists in the target domain.

use auxiliary/scanner/kerberos/kerberos_login
set rhosts 192.168.1.48
set domain ignite.local
set user_file users.txt
run

The gather/kerberos_enumusers module uses a custom wordlist to query a single Domain Controller
and identify valid domain user accounts.

use auxiliary/gather/kerberos_enumusers
set rhosts 192.168.1.48
set domain ignite.local
set user_file users.txt
run

Nmap
The Nmap krb5-enum-users script discovers valid usernames by brute-force querying likely usernames against a Kerberos service.

krb5-enum-users.realm: this argument is required, as it supplies the script with the Kerberos REALM against which to guess the user names.

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='ignite.local',userdb=users.txt 192.168.1.48

Kerbrute
Kerbrute is a tool used to enumerate valid Active Directory user accounts by abusing Kerberos pre-authentication responses.

./kerbrute_linux_amd64 userenum --dc 192.168.1.48 -d ignite.local users.txt

Impacket
Impacket’s GetNPUsers script helps enumerate valid usernames and extract AS-REP hashes for offline
cracking.

impacket-GetNPUsers -dc-ip 192.168.1.48 ignite.local/ -usersfile users.txt

Windows
Rubeus
The brute option in Rubeus can be used to perform a password brute-force attack against all the existing user accounts in Active Directory. In real-life enterprise infrastructure the same password is often reused across multiple accounts, so the brute option can obtain TGTs for every account that shares a password from the list.

.\Rubeus.exe brute /passwords:password.txt /dc:ignite.local /outfile:ignite.txt

The above command writes its output to the ignite.txt file, which can be read with:

type .\ignite.txt

Kerberos is a powerful authentication protocol, but it can be exploited if misconfigured. By understanding the different brute-force techniques and using tools like Kerbrute, Impacket, Rubeus, and Metasploit, attackers can attempt to extract credentials. However, organizations can protect themselves by enforcing security best practices, monitoring logs, and implementing strict access controls.

Detection & Mitigation

Detection Techniques:

1. Monitor Event Logs:
   o Event ID 4768 (TGT requests)
   o Event ID 4769 (TGS requests)
   o Event ID 4771 (Failed Kerberos pre-authentication attempts)

2. Look for High-Frequency Requests:
   o Multiple failed authentication attempts from the same IP.
   o Multiple service ticket requests within a short period.
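As an added detection example (not from the original post), the following Python flags the two patterns above over a constructed CSV-style export of Security events 4768 and 4771; the export format, field order and thresholds are assumptions. Several unknown-user results (Result Code 0x6) on 4768 from one client IP point to username enumeration, while pre-authentication failures (Failure Code 0x18) on 4771 across several accounts from one IP point to password spraying.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_CODE = "0x6"      # 4768 Result Code: client principal unknown (username does not exist)
PREAUTH_FAIL = "0x18"  # 4771 Failure Code: pre-authentication failed (valid user, wrong password)

# Constructed sample export (assumed format): timestamp,event_id,account,client_ip,code
SAMPLE_LOG = """\
2024-05-01T10:00:00,4768,alice,192.0.2.10,0x0
2024-05-01T10:00:01,4768,admin,192.0.2.77,0x6
2024-05-01T10:00:01,4768,test,192.0.2.77,0x6
2024-05-01T10:00:02,4768,guest,192.0.2.77,0x6
2024-05-01T10:00:02,4768,backup,192.0.2.77,0x6
2024-05-01T10:00:03,4768,svc,192.0.2.77,0x6
2024-05-01T10:05:00,4771,alice,192.0.2.55,0x18
2024-05-01T10:05:01,4771,bob,192.0.2.55,0x18
2024-05-01T10:05:01,4771,carol,192.0.2.55,0x18
2024-05-01T10:30:00,4771,alice,192.0.2.10,0x18
"""

def parse_events(text):
    # One (timestamp, event_id, account, client_ip, code) tuple per exported line.
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, ip, code = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, ip, code))
    return events

def find_bursts(events, event_id, code, min_accounts, window=timedelta(minutes=5)):
    """Return {ip: sorted accounts} for every client IP that produced `code` on
    `event_id` for at least `min_accounts` distinct accounts inside one `window`."""
    per_ip = defaultdict(list)
    for ts, eid, account, ip, c in events:
        if eid == event_id and c == code:
            per_ip[ip].append((ts, account))
    hits = {}
    for ip, rows in per_ip.items():
        rows.sort()  # slide the window forward from each failure in time order
        for i, (start, _) in enumerate(rows):
            names = {a for t, a in rows[i:] if t - start <= window}
            if len(names) >= min_accounts:
                hits[ip] = sorted(names)
                break
    return hits

def detect(text):  # enumeration: 0x6 on 4768; spraying: 0x18 on 4771 across accounts
    events = parse_events(text)
    return {"enumeration": find_bursts(events, 4768, ENUM_CODE, 5),
            "spray": find_bursts(events, 4771, PREAUTH_FAIL, 3)}
```

A single 0x18 for one account (the last sample line) stays below the spray threshold, so an ordinary mistyped password is not reported.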

Mitigation Strategies:

• Enforce Pre-Authentication: Prevent AS-REP attacks by requiring all users to authenticate before receiving a TGT.
• Enforce Strong Password Policies: Use complex passwords to resist brute-force attempts.
• Monitor for Anomalous Behavior: Detect brute-force attempts using SIEM tools.
• Use Account Lockout Policies: Limit failed login attempts to prevent password spraying.
• Limit Service Accounts with SPNs: Reduce exposure to Kerberoasting by restricting unnecessary SPN assignments.
