ropnop / kerbrute Goto Github PK

kerbrute userenum --dc=192.168.10.2 -d=tester.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -v | grep 'VALID'

[-] Error: [Error Connection error (192.168.10.2:88)] [Error110] Connection timed out, ensure /etc/resolv.conf points to correct DC

Hey,

i just spend way too much time getting some creds because of this lil error (which is only shown with -v).

2020/04/18 14:57:24 >  [!] XXXXX:XXXXX - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (37) KRB_AP_ERR_SKEW Clock skew too great

As far as i know, this error response only actually happens with a correct password. I think either showing the error (without -v so you can see it in all the noise) or just classifying it as a valid password would be very preferable.

Thancc

I noticed that a lot of accounts are reported as locked out, which isn't really possible with a lockout duration of 30 minutes. I checked a few accounts and noticed that they have expired months or years ago. This makes the use of --safe pretty pointless. I guess the Kerberos error code ERR_CLIENT_REVOKED doesn't really tell us why the credentials have been revoked, so there is not much that can be done about this. But it could be mentioned in the console output that account isn't necessarily locked, but could also be expired (or possibly disabled?).

I have kali installed on UTM kali version is
─$ uname -amr
Linux kali 5.16.0-kali1-arm64 #1 SMP Debian 5.16.7-2kali1 (2022-02-10) aarch64 GNU/Linux

1.When running amd based elf file it throws error.

┌──(kali㉿kali)-[~/Downloads/tools/kerbrute]
└─$ ./kerbrute_linux_amd64
zsh: exec format error: ./kerbrute_linux_amd64

2. When running kerbrute.py its running fine but options like userenum doest seems to be in list.

python3 kerbrute.py -h
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

usage: kerbrute.py [-h] [-debug] (-user USER | -users USERS) [-password PASSWORD | -passwords PASSWORDS] -domain DOMAIN
[-dc-ip <ip_address>] [-threads THREADS] [-outputfile OUTPUTFILE] [-outputusers OUTPUTUSERS] [-no-save-ticket]

options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-user USER User to perform bruteforcing
-users USERS File with user per line
-password PASSWORD Password to perform bruteforcing
-passwords PASSWORDS File with password per line
-domain DOMAIN Domain to perform bruteforcing
-dc-ip <ip_address> IP Address of the domain controller
-threads THREADS Number of threads to perform bruteforcing. Default = 1
-outputfile OUTPUTFILE
File to save discovered user:password
-outputusers OUTPUTUSERS
File to save discovered users
-no-save-ticket Do not save retrieved TGTs with correct credentials

Please help this tool is very essential for me how can i make kerbrute_amd_64 work in my arm based kali

or is there any binary available for arm.

Helllo,

A small error concerning the redirection of "release" in the installation section: which redirects to https://github.com/ropnop/kerbrute/releases/tag/latest which gives a 404 error.
Wouldn't the functional link be: https://github.com/ropnop/kerbrute

Cordialement,

Not sure why this is throwing me an error

I've got a Mac M1 so could we get an ARM version of this?

Pulling the latest kerbrute version (untagged):
./kerbrute passwordspray --dc -d -output Summer2020.txt valid.txt Summer2020

Error:
You must specify a password to spray with, or --user-as-pass

Every onsite pentest I have faced so far, at least a couple of users had been set with username=password.
I think it could be helpful to add to the bruteuser module some kind of username=password.

Hi, i tested this tool against a Linux DC running Kerberos and OpenLDAP ( https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend ) and noticed that all attempts failed due to the realm getting uppercased here from the domain name. While the Microsoft implementation is case insensitive (as all MS things :D), the Linux one is definitely case sensitive, meaning that a -d example.com argument will result in EXAMPLE.COM, which fails.

I think that uppercasing can just be removed, in which case it'll work for both implementation (and the user can just pass whatever case they want).

It would be nice to have the ability to spray user accounts with NTLM Hashes. The two main use cases I imagine for this is:

• Pulling an NTLM Hash off a local workstation, then spraying AD to look for password re-use
• Testing passwords from domain controller backups (old copies of NTDS.DIT).

Currently, this can be done with https://github.com/3gstudent/pyKerbrute, but is an extremely hacky solution using Python2.

Hi!

I'm walking about the attacktive directory room on THM, and in the section about kerbrute, I'm getting these outputs:

root@ip-[redacted]:~# sudo ./kerbrute userenum -v --dc spookysec.local -d spookysec.local userlist.txt -t 10

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 12/04/21 - Ronnie Flathers @ropnop

2021/12/04 20:06:34 >  Using KDC(s):
2021/12/04 20:06:34 >  	spookysec.local:88

2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated

I've had this first come up on the AttackBox and was able to replicate on a Kali machine.

I don't know if that's on your end, but good luck!

hey there,
first of all, thanks for this great tool
I'm a red team guy and I use this tool to measure the blueteam response.
I wonder if it would be possible to add decoy mode, in other words, send spoofed ip requests like nmap does.

Thanks!

Please enable support for ARM releases

Hi, i have an issue running kerbrute, here is my output

└─$ ./kerbrute userenum --dc 10.10.190.154 -d spookysec.local ~/userlist.txt

__             __               __     

/ /_____ / / _______ / /
/ //_/ _ / / __ / / / / / __/ _
/ ,< / __/ / / // / / / // / // __/
//||_// /.// _,/_/___/

Version: v1.0.0 (191510e) - 03/16/23 - Ronnie Flathers @ropnop

2023/03/16 13:52:24 > Using KDC(s):
2023/03/16 13:52:24 > 10.10.190.154:88

2023/03/16 13:52:24 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 24 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffd2e0162a6, 0xf, 0xc0000c0500, 0xf, 0xc0001da540, 0xc0000be100, 0x80, 0xc00013a000, 0x0, 0x0, ...)
/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc0000c81c0, 0xc0000154b0, 0x9)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc0000c81c0, 0xc000266000, 0xc0000c0c90)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

When using the following syntax: ./kerbrute userenum -dc IPADDR /path/to/text/file

I'm receiving the error mentioned in the title. Did some googling and I can't seem to find anything to resolve what might be causing this problem. Additionally no one has raised an issue related to it yet.

Someone on Twitter mentioned that kerbrute doesn't work with proxychains. Would be cool to add a proxy option to kerbrute (not sure how well it would, but worth trying)

Hello. I tried making all but I got this message;
What can I do for this problem?
Thanks

@kali]─[/opt/kerbrute]
└──╼ $make all
Done.
Building for windows amd64..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for windows 386..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for linux amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for linux 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for mac amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for mac 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.

I know this error was posted before but i can't seem to figure out how to fix it.
When trying to userenum (I'm doing the Attacking Kerberos Room on THM atm) it doesn't work so I tried -v to see what was going on.
For every single user checked it gave me this error message: "[Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated"
I don't know how to fix it.
Here might be some steps on how to replicate it (I'm using a Kali Linux VM):
Download kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
./kerbrute_linux_amd64 userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt

Edit: Only workaround i found was editing /etc/hosts with "ip CONTROLLER.local"

Hi,

When using this tool I noticed that the badPwdCount counter increases by 2 on each password spray attempt against a user. Could you please confirm if this is a bug?

I've attached a screenshot which compares the results to cme.

sorry misunderstanding

Extend the safe mode in a new semi-safe mode to abort after N account lockouts. Essentially, don't abort after the first lockout (probably not our fault), but instead after some user supplied number (probably our fault).

This is primarily for password sprays, but couldn't hurt to have globally.

Hello,

when I run kerbrute userenum I have this error:

kerbrute userenum   -domain domain1.local -dc DC.domain1.local -users /usr/share/wordlists/kerberos-A-Z.Surnames.txt

kerbrute: error: unrecognized arguments: userenum

I don't understand this error, Can anyone help me ?

A greeting and thanks

I think this would be a good feature to show users that don't have pre-authentication required and are vulnerable to AS-REP Roasting attacks. Great project anyway

I have a text file with usernames. I supply kerbrute with the usernames and kerbrute will run through a portion and then stop. why is this?
ex - 100 usernames
only 10 usernames are run

Ignore me I didnt read closed issues

Hello,
When I use the module userenum, an error is raised when it tries a login with the flag Do not require Kerberos preauthentication set.

Example with only one account with the flag within the list

# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop

2019/03/24 18:32:04 >  Using KDC(s):
2019/03/24 18:32:04 >  	172.16.0.1:88

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 15 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffc3a555751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
	/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016d98, 0x3)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
	/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

Example with a mixed list (here two accounts)

# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxxx.org user 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop

2019/03/24 17:47:58 >  Using KDC(s):
2019/03/24 17:47:58 >  	172.16.0.1:88

2019/03/24 17:47:58 >  [+] VALID USERNAME:	 [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 9 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffeea75e751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
	/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016db0, 0x3)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
	/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

As you can see, the module works perfectly against "normal" accounts but not with a Do not require Kerberos preauthentication one.

Tested with the release version of Kerbrute against Windows Server 2012R2

🌻

[email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated

Receiving the following error on some specific accounts when password spraying - believe this may point towards some protection in client environment, but haven't yet confirmed.

[Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type

Would it be possible to have the script skip this error, try a different (higher-security?) encryption type, or otherwise log the accounts as being in a different state, and proceed with the rest of the spray?

In the Usage section it says usernenum instead of userenum.

In your opinion, if one was to implement the ability to go slow, what would be your preference be for the interface?:

1. Allow subcommands to also accept one-off entries, then a user can bash loop around kerbrute

while read name; do
sleep 5
kerbrute userenum --dc kdc.site.com -d site.com --username "${name}"
done < names.txt

2. Add something like --delay <seconds> flag

kerbrute --delay 5 userenum --dc kdc.site.com -d site.com names.txt

3. Do nothing and rely on bash trickery:

while read name; do
sleep 5
kerbrute userenum --dc kdc.site.com -d site.com <(<<<"${name}")
done < names.txt

Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (23) KDC_ERR_KEY_EXPIRED Password has expired; change password to reset

KRBERR_KEY_EXPIRED should be treated as a success - appears to be that in session/session.go:TestLogin you're treating all errors as failures:
if err != nil {
return false, err
}

I think 23 should be a success? or configurable as success?

Hi,

Great tool but I keep getting the following error when attempting to bruteforce passwords:

[Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: error getting etype for pre-auth encryption < Encrypting_Error: error creating etype: unknown or unsupported EType: 0

Could be related to: jcmturner/gokrb5#157

Awesome tool.
Would love to have a timeout feature, was in a situation where the DC was barely reachable but still up and responding, kerbrute was dropping the passwordspraying attempt after a small window, tried to find a way to make the timeout infinite but could not find it. That would solve my problem and pretty sure will be useful for others.
Cheers.

Under Use in README.md you wrote "Kerbrute has three main commands:" but you list four.
bruteuser - Bruteforce a single user's password from a wordlist
bruteforce - Read username:password combos from a file or stdin and test them
passwordspray - Test a single password against a list of users
userenum - Enumerate valid domain usernames via Kerberos