KRB_AP_ERR_SKEW treated as login failure about kerbrute HOT 6 CLOSED

good project

from kerbrute.

you need update you system time as same with server. i try it, has got TGT

from kerbrute.

you need update you system time as same with server. i try it, has got TGT

Whilst syncing your clock with the victim server would indeed fix this specific case. It is not the point of this issue. The clock skew error only, as far as OP can tell, appears when a login attempt is made with valid credentials, as such this behavior can cause a lot of false negatives in cases where server clock sync is either not possible or impractical. Therefore, it would be great if kerbrute at least mentioned the clock skew error.

from kerbrute.

Thanks for pointing this out! I’m gonna have to do some testing cuz I would really want to make sure that error only occurs when credentials are valid before marking it as a “success”. The other alternative might be to just abort the attack and display a warning with the correct command to sync your time?

from kerbrute.

The warning would work too but many kerberos tools work without syncing time so it would be very convenient to just mark it as a successful login.

I did use CrackMapExec with a desynced clock and it worked fine so im guessting they ignore it too.
Im 99% sure this error only occurs with valid credentials but ive been unable to find any documentation explicitly stating that so testing is indeed needed ^^

from kerbrute.

Cool, so after testing more i'm 99% confident that seeing a clock skew error means the password is correct - how else would the KDC decrypt the AS and compare the timestamp? I pushed an update to treat it as a success

But I noticed other errors that occasionally pop up when your clock skew is incorrect (esp with pre-auth disabled), so I need to address that as well. Will do a bigger update on error handling next

from kerbrute.