ropnop / kerbrute
A tool to perform Kerberos pre-auth bruteforcing
License: Apache License 2.0
kerbrute userenum --dc=192.168.10.2 -d=tester.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -v | grep 'VALID'
[-] Error: [Error Connection error (192.168.10.2:88)] [Error110] Connection timed out, ensure /etc/resolv.conf points to correct DC
Hey,
I just spent way too much time getting some creds because of this lil error (which is only shown with -v).
2020/04/18 14:57:24 > [!] XXXXX:XXXXX - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (37) KRB_AP_ERR_SKEW Clock skew too great
As far as I know, this error response only actually happens with a correct password. I think either showing the error (without -v, so you can see it in all the noise) or just classifying it as a valid password would be very preferable.
Thancc
I noticed that a lot of accounts are reported as locked out, which isn't really possible with a lockout duration of 30 minutes. I checked a few accounts and noticed that they expired months or years ago. This makes the use of --safe pretty pointless. I guess the Kerberos error code ERR_CLIENT_REVOKED doesn't really tell us why the credentials have been revoked, so there is not much that can be done about this. But it could be mentioned in the console output that the account isn't necessarily locked, but could also be expired (or possibly disabled?).
I have Kali installed on UTM; the Kali version is:
└─$ uname -amr
Linux kali 5.16.0-kali1-arm64 #1 SMP Debian 5.16.7-2kali1 (2022-02-10) aarch64 GNU/Linux
┌──(kali㉿kali)-[~/Downloads/tools/kerbrute]
└─$ ./kerbrute_linux_amd64
zsh: exec format error: ./kerbrute_linux_amd64
python3 kerbrute.py -h
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
usage: kerbrute.py [-h] [-debug] (-user USER | -users USERS) [-password PASSWORD | -passwords PASSWORDS] -domain DOMAIN
[-dc-ip <ip_address>] [-threads THREADS] [-outputfile OUTPUTFILE] [-outputusers OUTPUTUSERS] [-no-save-ticket]
options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-user USER User to perform bruteforcing
-users USERS File with user per line
-password PASSWORD Password to perform bruteforcing
-passwords PASSWORDS File with password per line
-domain DOMAIN Domain to perform bruteforcing
-dc-ip <ip_address> IP Address of the domain controller
-threads THREADS Number of threads to perform bruteforcing. Default = 1
-outputfile OUTPUTFILE
File to save discovered user:password
-outputusers OUTPUTUSERS
File to save discovered users
-no-save-ticket Do not save retrieved TGTs with correct credentials
Please help, this tool is very essential for me. How can I make kerbrute_linux_amd64 work on my ARM-based Kali, or is there any binary available for ARM?
Hello,
A small error concerning the "release" link in the installation section: it redirects to https://github.com/ropnop/kerbrute/releases/tag/latest, which gives a 404 error.
Wouldn't the functional link be: https://github.com/ropnop/kerbrute
I've got a Mac M1 so could we get an ARM version of this?
Pulling the latest kerbrute version (untagged):
./kerbrute passwordspray --dc -d -output Summer2020.txt valid.txt Summer2020
Error:
You must specify a password to spray with, or --user-as-pass
On every onsite pentest I have faced so far, at least a couple of users had been set up with username=password.
I think it could be helpful to add to the bruteuser module some kind of username=password option.
Hi, I tested this tool against a Linux DC running Kerberos and OpenLDAP ( https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend ) and noticed that all attempts failed because the realm gets uppercased here from the domain name. While the Microsoft implementation is case insensitive (as all MS things :D), the Linux one is definitely case sensitive, meaning that a -d example.com argument will result in EXAMPLE.COM, which fails.
I think the uppercasing can just be removed, in which case it'll work for both implementations (and the user can just pass whatever case they want).
It would be nice to have the ability to spray user accounts with NTLM hashes. The two main use cases I imagine for this are:
Currently, this can be done with https://github.com/3gstudent/pyKerbrute, but is an extremely hacky solution using Python2.
Hi!
I'm working through the Attacktive Directory room on THM, and in the section about kerbrute, I'm getting these outputs:
root@ip-[redacted]:~# sudo ./kerbrute userenum -v --dc spookysec.local -d spookysec.local userlist.txt -t 10
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/04/21 - Ronnie Flathers @ropnop
2021/12/04 20:06:34 > Using KDC(s):
2021/12/04 20:06:34 > spookysec.local:88
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 > [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
I first had this come up on the AttackBox and was able to replicate it on a Kali machine.
I don't know if that's on your end, but good luck!
hey there,
first of all, thanks for this great tool
I'm a red team guy and I use this tool to measure the blueteam response.
I wonder if it would be possible to add decoy mode, in other words, send spoofed ip requests like nmap does.
Thanks!
Please enable support for ARM releases
Hi, I have an issue running kerbrute; here is my output:
└─$ ./kerbrute userenum --dc 10.10.190.154 -d spookysec.local ~/userlist.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.0 (191510e) - 03/16/23 - Ronnie Flathers @ropnop
2023/03/16 13:52:24 > Using KDC(s):
2023/03/16 13:52:24 > 10.10.190.154:88
2023/03/16 13:52:24 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]
goroutine 24 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffd2e0162a6, 0xf, 0xc0000c0500, 0xf, 0xc0001da540, 0xc0000be100, 0x80, 0xc00013a000, 0x0, 0x0, ...)
/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc0000c81c0, 0xc0000154b0, 0x9)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc0000c81c0, 0xc000266000, 0xc0000c0c90)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c
When using the following syntax: ./kerbrute userenum -dc IPADDR /path/to/text/file
I'm receiving the error mentioned in the title. Did some googling and I can't seem to find anything to resolve what might be causing this problem. Additionally no one has raised an issue related to it yet.
Someone on Twitter mentioned that kerbrute doesn't work with proxychains. Would be cool to add a proxy option to kerbrute (not sure how well it would, but worth trying)
Hello. I tried running make all but I got this message:
What can I do about this problem?
Thanks
@kali]─[/opt/kerbrute]
└──╼ $make all
Done.
Building for windows amd64..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for windows 386..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for linux amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for linux 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for mac amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for mac 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
I know this error was posted before but i can't seem to figure out how to fix it.
When trying to userenum (I'm doing the Attacking Kerberos Room on THM atm) it doesn't work so I tried -v to see what was going on.
For every single user checked it gave me this error message: "[Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated"
I don't know how to fix it.
Here are some steps to replicate it (I'm using a Kali Linux VM):
Download kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
./kerbrute_linux_amd64 userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt
Edit: The only workaround I found was editing /etc/hosts with "ip CONTROLLER.local"
Sorry, misunderstanding.
Extend the safe mode into a new semi-safe mode that aborts after N account lockouts. Essentially, don't abort after the first lockout (probably not our fault), but instead after some user-supplied number (probably our fault).
This is primarily for password sprays, but it couldn't hurt to have globally.
Hello,
when I run kerbrute userenum I have this error:
kerbrute userenum -domain domain1.local -dc DC.domain1.local -users /usr/share/wordlists/kerberos-A-Z.Surnames.txt
kerbrute: error: unrecognized arguments: userenum
I don't understand this error. Can anyone help me?
A greeting and thanks
I think this would be a good feature to show users that don't have pre-authentication required and are vulnerable to AS-REP Roasting attacks. Great project anyway
I have a text file with usernames. I supply kerbrute with the usernames and kerbrute will run through a portion and then stop. Why is this?
ex - 100 usernames
only 10 usernames are run
Ignore me, I didn't read the closed issues.
Hello,
When I use the userenum module, an error is raised when it tries a login for an account with the flag "Do not require Kerberos preauthentication" set.
Example with only one account with the flag within the list
# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop
2019/03/24 18:32:04 > Using KDC(s):
2019/03/24 18:32:04 > 172.16.0.1:88
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]
goroutine 15 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffc3a555751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016d98, 0x3)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c
Example with a mixed list (here two accounts)
# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop
2019/03/24 17:47:58 > Using KDC(s):
2019/03/24 17:47:58 > 172.16.0.1:88
2019/03/24 17:47:58 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]
goroutine 9 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffeea75e751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016db0, 0x3)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c
As you can see, the module works perfectly against "normal" accounts but not with a "Do not require Kerberos preauthentication" one.
Tested with the release version of Kerbrute against Windows Server 2012R2
[email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
Receiving the following error on some specific accounts when password spraying - believe this may point towards some protection in client environment, but haven't yet confirmed.
[Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
Would it be possible to have the script skip this error, try a different (higher-security?) encryption type, or otherwise log the accounts as being in a different state, and proceed with the rest of the spray?
In the Usage section it says usernenum instead of userenum.
In your opinion, if one was to implement the ability to go slow, what would your preference be for the interface?

A shell loop around a single-user invocation:
while read name; do
  sleep 5
  kerbrute userenum --dc kdc.site.com -d site.com --username "${name}"
done < names.txt

A --delay <seconds> flag:
kerbrute --delay 5 userenum --dc kdc.site.com -d site.com names.txt

A shell loop feeding one name at a time through a process substitution:
while read name; do
  sleep 5
  kerbrute userenum --dc kdc.site.com -d site.com <(printf '%s\n' "${name}")
done < names.txt
[Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (23) KDC_ERR_KEY_EXPIRED Password has expired; change password to reset
KRBERR_KEY_EXPIRED should be treated as a success. It appears that in session/session.go:TestLogin you're treating all errors as failures:
if err != nil {
  return false, err
}
I think 23 should be a success? Or configurable as a success?
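The KEY_EXPIRED report here, the clock-skew, CLIENT_REVOKED and ETYPE_NOSUPP reports above, and the nil-pointer panic on no-pre-auth accounts all come down to one decision: what a checker should conclude from each outcome of the AS exchange. The Go below is an added example of that classification, not kerbrute's or gokrb5's code; it assumes a constructed KRBError type standing in for the library's error value, and takes codes 6, 18, 24 and 25 from RFC 4120 since the reports only quote 14, 23 and 37.

```go
package main

import (
	"errors"
	"fmt"
)

// Kerberos error codes (RFC 4120 section 7.5.9); the numbers are the
// "KRB Error: (N)" values quoted in the issue reports.
const (
	KDCErrCPrincipalUnknown = 6  // no such user
	KDCErrEtypeNoSupp       = 14 // no encryption type in common
	KDCErrClientRevoked     = 18 // locked, disabled OR expired account
	KDCErrKeyExpired        = 23 // password expired, but it was the right one
	KDCErrPreauthFailed     = 24 // wrong password
	KDCErrPreauthRequired   = 25 // user exists, pre-auth needed
	KRBAPErrSkew            = 37 // clock skew; only sent once the password checked out
)

// KRBError is a constructed stand-in for a Kerberos client library's KDC error.
type KRBError struct{ Code int }

func (e KRBError) Error() string { return fmt.Sprintf("KRB Error: (%d)", e.Code) }

type Verdict int

const (
	Unclassified Verdict = iota // transport/encoding failure, not a KDC answer
	Invalid                     // wrong password
	ValidCreds                  // TGT issued, KEY_EXPIRED or SKEW: password was right
	ValidUser                   // user exists, password unknown
	UnknownUser                 // no such principal
	Revoked                     // locked, disabled OR expired: not necessarily a lockout
	NoCommonEtype               // retry with another etype, do not count as a failure
)
var verdictByCode = map[int]Verdict{ // unknown codes yield the zero value, Unclassified
	KDCErrPreauthRequired: ValidUser, KDCErrKeyExpired: ValidCreds, KRBAPErrSkew: ValidCreds,
	KDCErrPreauthFailed: Invalid, KDCErrCPrincipalUnknown: UnknownUser,
	KDCErrClientRevoked: Revoked, KDCErrEtypeNoSupp: NoCommonEtype,
}

// Classify turns one AS exchange outcome into a verdict. A nil error means a TGT
// was issued; a "Do not require Kerberos preauthentication" account gets one with
// no password at all, so without a password that only proves the user exists.
func Classify(err error, sentPassword bool) Verdict {
	if err == nil {
		if sentPassword {
			return ValidCreds
		}
		return ValidUser
	}
	var ke KRBError
	if !errors.As(err, &ke) { // timeouts, truncated ASN.1: never assume a KRB-ERROR is there
		return Unclassified
	}
	return verdictByCode[ke.Code]
}

func main() {
	fmt.Println(Classify(KRBError{Code: KRBAPErrSkew}, true))       // 2 (ValidCreds)
	fmt.Println(Classify(errors.New("connection timed out"), false)) // 0 (Unclassified)
}
```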
Hi,
Great tool, but I keep getting the following error when attempting to bruteforce passwords:
[Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: error getting etype for pre-auth encryption < Encrypting_Error: error creating etype: unknown or unsupported EType: 0
Could be related to: jcmturner/gokrb5#157
Awesome tool.
Would love to have a timeout feature. I was in a situation where the DC was barely reachable but still up and responding; kerbrute was dropping the password spraying attempt after a small window, and I tried to find a way to make the timeout infinite but could not find it. That would solve my problem and I'm pretty sure it will be useful for others.
Cheers.
Under Use in README.md you wrote "Kerbrute has three main commands:" but you list four.
bruteuser - Bruteforce a single user's password from a wordlist
bruteforce - Read username:password combos from a file or stdin and test them
passwordspray - Test a single password against a list of users
userenum - Enumerate valid domain usernames via Kerberos