kerbrute
- Thiru T
- Jul 18
- 3 min read

Kerbrute is an open-source command-line tool for attacking Active Directory (AD) domains through the Kerberos protocol. It is used by red teams (ethical hackers simulating attacks) and by malicious actors alike.
Here is a summary of what Kerbrute does and why it matters:
How Kerbrute Works
Kerbrute mainly takes advantage of the Kerberos pre-authentication feature. Kerberos is an authentication protocol that uses "tickets" to verify user identities. Normally, a client must prove the user's identity, typically by demonstrating knowledge of the password, before the KDC issues a ticket-granting ticket (TGT).
Kerbrute exploits the way the Kerberos service, the Key Distribution Center (KDC), responds to pre-authentication failures. If a username exists but pre-authentication fails because of an incorrect password, the KDC returns a distinct error; it responds differently when the username does not exist at all. Kerbrute interprets this difference to determine whether a username is valid, even without knowing the correct password.
Key Capabilities of Kerbrute
User Enumeration: One of its main functions is to quickly and discreetly list valid usernames in an Active Directory domain. This is especially useful to an attacker operating from a machine that is not domain-joined, where valid usernames are otherwise hard to discover.
Password Spraying: After identifying valid usernames, Kerbrute can perform password spraying attacks: trying a few common passwords against a large list of usernames. This often stays under account lockout thresholds that a traditional brute-force attack, where many passwords are tested against a single username, would trigger.
Brute-Force Attacks: Although less common due to lockout policies, Kerbrute can also be used for standard brute-force attacks on individual accounts.
Why Kerbrute is a Concern for Defenders
Stealthy Reconnaissance: Because it mainly uses Kerberos error messages and does not create typical failed logon events, such as Event ID 4625 for NTLM-based attacks, Kerbrute can be hard for many traditional security monitoring systems to spot.
Bypassing Lockout Policies: Its password spraying ability can help attackers avoid account lockout mechanisms. This allows them to try many credentials without locking accounts.
Precursor to Further Attacks: Finding valid accounts is often the first step in more complicated attacks, like credential stuffing, pass-the-ticket, or Kerberoasting.
Detection and Mitigation
Detecting Kerbrute activity often requires:
Monitoring Kerberos Logs: Check Kerberos events that record failed ticket requests and pre-authentication failures, such as Event ID 4768 or 4771, for their failure codes, and watch for a high volume of such requests from a single source.
Command Line Auditing: Enabling command line auditing on endpoints can help catch the use of "kerbrute" in process creation events.
Sysmon: Deploy and configure Sysmon to capture process creation and termination events as well as network connections.
Behavioral Analytics: Security Information and Event Management (SIEM) systems with behavioral analytics can detect suspicious patterns that may indicate Kerbrute activity, even if direct command-line evidence is missing.
Mitigating the risks involves:
Strong Password Policies: Implementing complex and unique passwords makes password spraying less effective.
Multi-Factor Authentication (MFA): Adding MFA greatly reduces the risk of successful attacks, even if credentials are leaked.
Account Lockout Policies: Although Kerbrute aims to circumvent them, well-configured lockout policies can still deter some attacks.
Network Segmentation: Limiting which hosts can reach domain controllers and other critical systems reduces the exposure of the KDC to untrusted machines.
Regular Security Audits and Penetration Testing: Testing your defenses against tools like Kerbrute can help reveal vulnerabilities.
In short, Kerbrute is a powerful tool for testing or exploiting weaknesses in Active Directory related to Kerberos authentication. Understanding how it works is key for strong cybersecurity defense.
Install: (Go)
go get github.com/ropnop/kerbrute
Install: (Make)
git clone https://github.com/ropnop/kerbrute
cd kerbrute
make all
Usage:
# User Enumeration
./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
# Password Spray
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
# Brute User
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
# Brute Force
./kerbrute -d lab.ropnop.com bruteforce -