Hi everyone, welcome to Pentestguy. In this post, we focus on a detailed guide to kerbrute and explore how to use its different options effectively. If you’re looking for a detailed guide to kerbrute, this post walks you through the key features and how to use them efficiently.
Follow the other article if you want to set up an Active Directory lab for pentesting – https://pentestguy.com/active-directory-pentesting-lab-setup/
What is Kerbrute?
Kerbrute is a tool written in the Go language that helps enumerate and brute-force valid Active Directory accounts through Kerberos Pre-Authentication. Kerbrute has four main commands, which are given below –
bruteuser – Brute-force a single user’s password from a wordlist
bruteforce – Read username:password combos from a file or stdin and test them
passwordspray – Test a single password against a list of users
userenum – Enumerate valid domain usernames via Kerberos
What is Kerberos Authentication?
Kerberos is a computer network authentication protocol that uses tickets to enable nodes communicating over an insecure network to securely prove their identities to one another. In Windows 2000 and later versions, Microsoft uses Kerberos as the default authentication protocol; the Kerberos service listens on port 88 on the domain controller.
Download Kerbrute
Kerbrute is available on GitHub, from where we can download either the source code or a precompiled binary for Linux, Windows, and Darwin. In the image below, I am using Ubuntu, so I downloaded the Linux binary. Make sure to give the binary executable permission.
Download link – https://github.com/ropnop/kerbrute/releases/tag/v1.0.3
Now, let’s see the main commands of the kerbrute.
User enumeration
Kerbrute provides an option for user enumeration, that is, finding the valid domain users; with this information a tester can perform further attacks such as password spraying or brute force. In the image below, we create a user list for the demonstration. You can use any username list available on the internet or create your own list according to the target.
In the image below, we use the above username list with kerbrute for user enumeration (finding valid users), providing the domain controller IP address along with the domain name.
./kerbrute_linux_amd64 userenum --dc 192.168.1.100 -d pentestguy.local usernames.txt
PasswordSpray
The second option kerbrute provides is passwordspray. It means we spray/test a single password against a list of users (multiple users at once).
In the image below, we use the same username list with the passwordspray option and the password value Changeme123! to check it against the usernames present in the list.
./kerbrute_linux_amd64 passwordspray --dc 192.168.1.100 -d pentestguy.local usernames.txt Changeme123!
Bruteuser (Single User)
Kerbrute provides a bruteuser option, which is simply a brute-force attack with a wordlist against a specific targeted user. The attacker/tester obtains the valid password if the user uses a common password present in the wordlist.
In the image below, we provide passwords.txt, which contains a common password list, against the username dorena.genia.
./kerbrute_linux_amd64 bruteuser --dc 192.168.1.100 -d pentestguy.local passwords.txt dorena.genia
BruteForce
Kerbrute also provides a separate brute force option, where the attacker/tester supplies a combined list of usernames and passwords to check whether any valid login can be found in the list.
In the image below, we create a text file that includes username and password combinations, which we use as input for the bruteforce option.
In the image below, we pipe the combined username and password text file to kerbrute to perform the brute force attack.
cat userpass-combo.txt | ./kerbrute_linux_amd64 --dc 192.168.1.100 -d pentestguy.local bruteforce -
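A defender's counterpart to the four commands above (userenum, passwordspray, bruteuser and bruteforce), as an added example that is not part of the original post or of kerbrute itself: a small Python script that reads domain controller audit events and flags the traffic patterns each command produces. It assumes that "Audit Kerberos Authentication Service" is enabled on the DC, that usernames which do not exist show up as Event ID 4768 with Result Code 0x6 and wrong passwords as Event ID 4771 with Failure Code 0x18, and that the events have been exported to a simple CSV line format; the sample log lines, the IP addresses, the CSV layout, the function names, the thresholds and the 60-second window are all constructed for the example and not tuned values.

```python
"""Heuristic detection of kerbrute-style Kerberos activity from DC audit events.

Added example for this post, not kerbrute code. Assumptions (not from the post):
  - "Audit Kerberos Authentication Service" is enabled, so Event ID 4768 is
    logged with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for usernames
    that do not exist, and Event ID 4771 is logged with Failure Code 0x18
    (KDC_ERR_PREAUTH_FAILED) for wrong passwords.
  - Events were exported as "timestamp,event_id,code,target_user,client_ip".
  - Thresholds and the tumbling 60-second window are illustrative only.
"""
from collections import defaultdict
from datetime import timedelta, datetime
from typing import Dict, List, NamedTuple, Tuple


class KerbEvent(NamedTuple):
    ts: datetime
    event_id: int
    code: str        # Result Code (4768) or Failure Code (4771) as hex text
    user: str
    client_ip: str


def parse_events(text: str) -> List[KerbEvent]:
    """Parse the constructed CSV export; blank lines and '#' comments are skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, code, user, ip = [f.strip() for f in line.split(",")]
        events.append(KerbEvent(datetime.fromisoformat(ts), int(eid),
                                code.lower(), user.lower(), ip))
    return events


# Constructed sample export: three bursts from 10.0.0.50 plus benign typos from 10.0.0.77.
SAMPLE_LOG = """
# userenum pattern: many non-existent usernames from one client in one minute
2024-05-01T09:00:00,4768,0x6,alice.smith,10.0.0.50
2024-05-01T09:00:00,4768,0x6,bob.jones,10.0.0.50
2024-05-01T09:00:01,4768,0x6,carol.white,10.0.0.50
2024-05-01T09:00:01,4768,0x6,dave.brown,10.0.0.50
2024-05-01T09:00:01,4768,0x6,erin.black,10.0.0.50
2024-05-01T09:00:02,4768,0x6,frank.green,10.0.0.50
# passwordspray pattern: one pre-auth failure per real user, same minute
2024-05-01T09:05:00,4771,0x18,dorena.genia,10.0.0.50
2024-05-01T09:05:00,4771,0x18,jsmith,10.0.0.50
2024-05-01T09:05:01,4771,0x18,mlee,10.0.0.50
2024-05-01T09:05:01,4771,0x18,pchen,10.0.0.50
2024-05-01T09:05:02,4771,0x18,rkhan,10.0.0.50
# bruteuser pattern: many failures against one user
2024-05-01T09:10:00,4771,0x18,dorena.genia,10.0.0.50
2024-05-01T09:10:00,4771,0x18,dorena.genia,10.0.0.50
2024-05-01T09:10:01,4771,0x18,dorena.genia,10.0.0.50
2024-05-01T09:10:01,4771,0x18,dorena.genia,10.0.0.50
2024-05-01T09:10:02,4771,0x18,dorena.genia,10.0.0.50
2024-05-01T09:10:02,4771,0x18,dorena.genia,10.0.0.50
2024-05-01T09:10:03,4771,0x18,dorena.genia,10.0.0.50
# benign: a user mistyping their password twice
2024-05-01T09:20:00,4771,0x18,jsmith,10.0.0.77
2024-05-01T09:20:30,4771,0x18,jsmith,10.0.0.77
"""

UNKNOWN_USER_THRESHOLD = 5    # distinct non-existent usernames per client per window
SPRAY_USER_THRESHOLD = 5      # distinct real users failing pre-auth per client per window
BRUTE_PER_USER_THRESHOLD = 5  # failures against a single user per client per window


def detect(events: List[KerbEvent], window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Bucket events per (client IP, tumbling window) and emit one alert per pattern."""
    buckets: Dict[Tuple[str, int], List[KerbEvent]] = defaultdict(list)
    for ev in events:
        slot = int(ev.ts.timestamp() // window.total_seconds())
        buckets[(ev.client_ip, slot)].append(ev)
    alerts = []
    for (ip, _slot), evs in sorted(buckets.items()):
        start = min(e.ts for e in evs).isoformat()
        base = {"client_ip": ip, "window_start": start}
        unknown = {e.user for e in evs if e.event_id == 4768 and e.code == "0x6"}
        failed: Dict[str, int] = defaultdict(int)
        for e in evs:
            if e.event_id == 4771 and e.code == "0x18":
                failed[e.user] += 1
        if len(unknown) >= UNKNOWN_USER_THRESHOLD:
            alerts.append({**base, "kind": "user_enumeration", "count": len(unknown)})
        # Low per-user failure counts across many users is the spray signature.
        spray_users = [u for u, n in failed.items() if n < BRUTE_PER_USER_THRESHOLD]
        if len(spray_users) >= SPRAY_USER_THRESHOLD:
            alerts.append({**base, "kind": "password_spray", "count": len(spray_users)})
        for user, n in failed.items():
            if n >= BRUTE_PER_USER_THRESHOLD:
                alerts.append({**base, "kind": "single_user_bruteforce", "user": user, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The bruteforce command (a combined username:password list) does not get its own rule: from the DC's point of view it looks like a spray when the list has many users, or like bruteuser when it repeats one user, and the two counters above cover both. Tumbling windows can split a burst that straddles a minute boundary, so a production rule would use a sliding window and tune the thresholds to the environment's normal rate of 4771 events.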
That’s all about this post. Please share this post with your co-workers and friends if you found it helpful. Please provide your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!