
kerbrute's People

Contributors

audibleblink, ropnop


kerbrute's Issues

Error ensure resolv.conf

kerbrute userenum --dc=192.168.10.2 -d=tester.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -v | grep 'VALID'

[-] Error: [Error Connection error (192.168.10.2:88)] [Error110] Connection timed out, ensure /etc/resolv.conf points to correct DC

KRB_AP_ERR_SKEW treated as login failure

Hey,

I just spent way too much time getting some creds because of this little error (which is only shown with -v).

2020/04/18 14:57:24 >  [!] XXXXX:XXXXX - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (37) KRB_AP_ERR_SKEW Clock skew too great

As far as I know, this error response only actually happens with a correct password. I think either showing the error (without -v, so you can see it in all the noise) or just classifying it as a valid password would be very preferable.

Thancc

Expired accounts are reported as locked out

I noticed that a lot of accounts are reported as locked out, which isn't really possible with a lockout duration of 30 minutes. I checked a few accounts and noticed that they had expired months or years ago. This makes the use of --safe pretty pointless. I guess the Kerberos error code ERR_CLIENT_REVOKED doesn't really tell us why the credentials have been revoked, so there is not much that can be done about this. But it could be mentioned in the console output that the account isn't necessarily locked, but could also be expired (or possibly disabled?).

kerbrute not working with aarch64

I have Kali installed on UTM. The Kali version is:

$ uname -amr
Linux kali 5.16.0-kali1-arm64 #1 SMP Debian 5.16.7-2kali1 (2022-02-10) aarch64 GNU/Linux

1. When running the amd64-based ELF file it throws an error.

┌──(kali㉿kali)-[~/Downloads/tools/kerbrute]
└─$ ./kerbrute_linux_amd64
zsh: exec format error: ./kerbrute_linux_amd64

2. When running kerbrute.py it runs fine, but options like userenum don't seem to be in the list.

python3 kerbrute.py -h
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

usage: kerbrute.py [-h] [-debug] (-user USER | -users USERS) [-password PASSWORD | -passwords PASSWORDS] -domain DOMAIN
[-dc-ip <ip_address>] [-threads THREADS] [-outputfile OUTPUTFILE] [-outputusers OUTPUTUSERS] [-no-save-ticket]

options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-user USER User to perform bruteforcing
-users USERS File with user per line
-password PASSWORD Password to perform bruteforcing
-passwords PASSWORDS File with password per line
-domain DOMAIN Domain to perform bruteforcing
-dc-ip <ip_address> IP Address of the domain controller
-threads THREADS Number of threads to perform bruteforcing. Default = 1
-outputfile OUTPUTFILE
File to save discovered user:password
-outputusers OUTPUTUSERS
File to save discovered users
-no-save-ticket Do not save retrieved TGTs with correct credentials

Please help, this tool is very essential for me. How can I make kerbrute_amd_64 work on my ARM-based Kali,

or is there any binary available for ARM?

ARM version?

I've got a Mac M1 so could we get an ARM version of this?

Parsing Flags Incorrectly

Pulling the latest kerbrute version (untagged):
./kerbrute passwordspray --dc -d -output Summer2020.txt valid.txt Summer2020

Error:
You must specify a password to spray with, or --user-as-pass

Scan for user=password

In every onsite pentest I have faced so far, at least a couple of users had been set up with username=password.
I think it could be helpful to add some kind of username=password check to the bruteuser module.

Realm gets uppercase'd which doesn't work with Linux Kerberos 5 implementation

Hi, I tested this tool against a Linux DC running Kerberos and OpenLDAP ( https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend ) and noticed that all attempts failed because the realm gets uppercased from the domain name. While the Microsoft implementation is case insensitive (as all MS things :D), the Linux one is definitely case sensitive, meaning that a -d example.com argument will result in EXAMPLE.COM, which fails.

I think that uppercasing can just be removed, in which case it'll work for both implementations (and the user can just pass whatever case they want).

[Feature Request] Pass the Hash Support

It would be nice to have the ability to spray user accounts with NTLM hashes. The two main use cases I imagine for this are:

  • Pulling an NTLM Hash off a local workstation, then spraying AD to look for password re-use
  • Testing passwords from domain controller backups (old copies of NTDS.DIT).

Currently, this can be done with https://github.com/3gstudent/pyKerbrute, but is an extremely hacky solution using Python2.

Kerbrute running into Encoding Error

Hi!

I'm working through the Attacktive Directory room on THM, and in the section about kerbrute I'm getting these outputs:

root@ip-[redacted]:~# sudo ./kerbrute userenum -v --dc spookysec.local -d spookysec.local userlist.txt -t 10

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 12/04/21 - Ronnie Flathers @ropnop

2021/12/04 20:06:34 >  Using KDC(s):
2021/12/04 20:06:34 >  	spookysec.local:88

2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated
2021/12/04 20:06:44 >  [!] [email protected] - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated

I've had this first come up on the AttackBox and was able to replicate on a Kali machine.

I don't know if that's on your end, but good luck!

[feature request] decoy

Hey there,
first of all, thanks for this great tool.
I'm a red team guy and I use this tool to measure the blue team response.
I wonder if it would be possible to add a decoy mode, in other words, send spoofed-IP requests like nmap does.

Thanks!

panic: runtime error: invalid memory address or nil pointer dereference

Hi, I have an issue running kerbrute, here is my output:

└─$ ./kerbrute userenum --dc 10.10.190.154 -d spookysec.local ~/userlist.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.0 (191510e) - 03/16/23 - Ronnie Flathers @ropnop

2023/03/16 13:52:24 > Using KDC(s):
2023/03/16 13:52:24 > 10.10.190.154:88

2023/03/16 13:52:24 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 24 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffd2e0162a6, 0xf, 0xc0000c0500, 0xf, 0xc0001da540, 0xc0000be100, 0x80, 0xc00013a000, 0x0, 0x0, ...)
/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc0000c81c0, 0xc0000154b0, 0x9)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc0000c81c0, 0xc000266000, 0xc0000c0c90)
/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

Error: accepts 1 arg(s), received 2

When using the following syntax: ./kerbrute userenum -dc IPADDR /path/to/text/file

I'm receiving the error mentioned in the title. I did some googling and can't seem to find anything to resolve what might be causing this problem. Additionally, no one has raised an issue related to it yet.

[Feature Request] Socks proxy support

Someone on Twitter mentioned that kerbrute doesn't work with proxychains. It would be cool to add a proxy option to kerbrute (not sure how well it would work, but worth trying).

Make problem

Hello. I tried running make all but I got this message:
What can I do about this problem?
Thanks

@kali]─[/opt/kerbrute]
└──╼ $make all
Done.
Building for windows amd64..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for windows 386..
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for linux amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for linux 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.
Building for mac amd64...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Building for mac 386...
main.go:4:2: cannot find package "github.com/ropnop/kerbrute/cmd" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/cmd (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/cmd (from $GOPATH)
main.go:5:2: cannot find package "github.com/ropnop/kerbrute/util" in any of:
/usr/lib/go-1.11/src/github.com/ropnop/kerbrute/util (from $GOROOT)
/home/x23_11/go/src/github.com/ropnop/kerbrute/util (from $GOPATH)
Done.

Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated

I know this error was posted before but I can't seem to figure out how to fix it.
When trying to userenum (I'm doing the Attacking Kerberos room on THM atm) it doesn't work, so I tried -v to see what was going on.
For every single user checked it gave me this error message: "[Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC's reply: asn1: syntax error: sequence truncated"
I don't know how to fix it.
Here are some steps on how to replicate it (I'm using a Kali Linux VM):
Download kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
./kerbrute_linux_amd64 userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt

Edit: The only workaround I found was editing /etc/hosts with "ip CONTROLLER.local".

Password spray attempt increases badPwdCount by 2

Hi,

When using this tool I noticed that the badPwdCount counter increases by 2 on each password spray attempt against a user. Could you please confirm if this is a bug?

I've attached a screenshot which compares the results to cme.

[Feature Request] Semi-Safe mode

Extend the safe mode in a new semi-safe mode to abort after N account lockouts. Essentially, don't abort after the first lockout (probably not our fault), but instead after some user supplied number (probably our fault).

This is primarily for password sprays, but couldn't hurt to have globally.

Error execution

Hello,

When I run kerbrute userenum I get this error:

kerbrute userenum -domain domain1.local -dc DC.domain1.local -users /usr/share/wordlists/kerberos-A-Z.Surnames.txt

kerbrute: error: unrecognized arguments: userenum

I don't understand this error. Can anyone help me?

A greeting and thanks

Bug - kerbrute passwordspray

I have a text file with usernames. I supply kerbrute with the usernames and kerbrute will run through a portion and then stop. Why is this?
Example: 100 usernames,
only 10 usernames are run.

panic: runtime error: invalid memory address or nil pointer dereference

Hello,
When I use the userenum module, an error is raised when it tries a login for an account with the "Do not require Kerberos preauthentication" flag set.

Example with only one account with the flag within the list:

# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop

2019/03/24 18:32:04 >  Using KDC(s):
2019/03/24 18:32:04 >  	172.16.0.1:88

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 15 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffc3a555751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
	/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016d98, 0x3)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
	/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

Example with a mixed list (here two accounts):

# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxxx.org user

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.0 (191510e) - 03/24/19 - Ronnie Flathers @ropnop

2019/03/24 17:47:58 >  Using KDC(s):
2019/03/24 17:47:58 >  	172.16.0.1:88

2019/03/24 17:47:58 >  [+] VALID USERNAME:	 [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6849d9]

goroutine 9 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffeea75e751, 0xa, 0xc000016580, 0xa, 0xc00017e540, 0xc00001c180, 0x70, 0xc0000e0000, 0x0, 0x0, ...)
	/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x780160, 0xc000052200, 0xc000016db0, 0x3)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2ca
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x780160, 0xc000052200, 0xc000200060, 0xc000016d80)
	/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x14a
created by github.com/ropnop/kerbrute/cmd.userEnum
	/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x17c

As you can see, the module works perfectly against "normal" accounts but not against one with "Do not require Kerberos preauthentication" set.

Tested with the release version of Kerbrute against Windows Server 2012 R2.

🌻

Kerbrute erroring out on some accounts

Receiving the following error on some specific accounts when password spraying. I believe this may point towards some protection in the client environment, but haven't yet confirmed.

[Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type

Would it be possible to have the script skip this error, try a different (higher-security?) encryption type, or otherwise log the accounts as being in a different state, and proceed with the rest of the spray?

facilitating slower enumeration

In your opinion, if one were to implement the ability to go slow, what would your preference be for the interface?

  1. Allow subcommands to also accept one-off entries, then a user can bash-loop around kerbrute:

     while read -r name; do
       sleep 5
       kerbrute userenum --dc kdc.site.com -d site.com --username "${name}"
     done < names.txt

  2. Add something like a --delay <seconds> flag:

     kerbrute --delay 5 userenum --dc kdc.site.com -d site.com names.txt

  3. Do nothing and rely on bash trickery (feeding each name through process substitution as a one-line file; a bare here-string inside the substitution would produce no output, so it needs a command such as printf):

     while read -r name; do
       sleep 5
       kerbrute userenum --dc kdc.site.com -d site.com <(printf '%s\n' "${name}")
     done < names.txt

Expired passwords are treated as failures

[Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (23) KDC_ERR_KEY_EXPIRED Password has expired; change password to reset

KRBERR_KEY_EXPIRED should be treated as a success. It appears that in session/session.go:TestLogin you're treating all errors as failures:

    if err != nil {
        return false, err
    }

I think 23 should be a success? Or configurable as success?

AS_REQ PAData required

Hi,

Great tool but I keep getting the following error when attempting to bruteforce passwords:

[Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: error getting etype for pre-auth encryption < Encrypting_Error: error creating etype: unknown or unsupported EType: 0

Could be related to: jcmturner/gokrb5#157

[Feature Request] Timeout argument.

Awesome tool.
I would love to have a timeout feature. I was in a situation where the DC was barely reachable but still up and responding, and kerbrute was dropping the password spraying attempt after a small window. I tried to find a way to make the timeout infinite but could not find one. That would solve my problem, and I'm pretty sure it will be useful for others.
Cheers.

Typo

Under "Use" in README.md you wrote "Kerbrute has three main commands:" but you list four:
bruteuser - Bruteforce a single user's password from a wordlist
bruteforce - Read username:password combos from a file or stdin and test them
passwordspray - Test a single password against a list of users
userenum - Enumerate valid domain usernames via Kerberos
