Comments (19)
Thanks for testing this out! Someone brought this up to me right after my Troopers talk and I realized that I completely overlooked that some accounts might have pre-auth disabled and had no idea how the program would respond (now I know - not well!)
It should be a fairly easy fix. I'll try to get to it this weekend. I need to investigate how `passwordspray` is affected too. I'll share a branch when I get it working for you to verify.
> Someone brought this up to me right after my Troopers
Spoiler, it was my colleague haha.
According to my tests `passwordspray` and `bruteuser` are not impacted by pre-auth disabled.
🌻
Ha nice! Okay can you try building the binary from this branch and re-test with your users? https://github.com/ropnop/kerbrute/tree/fix/no_preauth
Tested on my end. Basically it was unsafe to assume I would always get an error after the ASREQ so if there's no error, I test if I got a valid ASREP and if so, the username therefore exists
Let me know if it's working for you and I'll merge the PR
PR here if you want to see what changed: #6
Hey!
Still got the error with the `no_preauth` (61dab93) branch :/
./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (61dab93) - 04/01/19 - Ronnie Flathers @ropnop
2019/04/01 21:39:05 > Using KDC(s):
2019/04/01 21:39:05 > 172.16.0.1:88
2019/04/01 21:39:05 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x68dc99]
goroutine 8 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffc5d3bc751, 0xa, 0xc000016560, 0xa, 0xc0000d0690, 0xc00001c180, 0x70, 0xc0000ca000, 0x0, 0x0, ...)
/root/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x79d6c0, 0xc000052240, 0xc000016c26, 0x3)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2c0
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x79d6c0, 0xc000052240, 0xc0000574a0, 0xc000016bf0)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x147
created by github.com/ropnop/kerbrute/cmd.userEnum
/root/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x199
🌻
Ughh hmm I'm not sure what's going on. Can you try the branch again with the latest commit? My only guess is that `err` is nil but it's trying to "handle" it, so I added a check. If that doesn't work, I might have to throw in some debug statements into the code and see your output.
Same with 7fa8001
# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (7fa8001) - 04/01/19 - Ronnie Flathers @ropnop
2019/04/01 21:56:47 > Using KDC(s):
2019/04/01 21:56:47 > 172.16.0.1:88
2019/04/01 21:56:47 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x68dc99]
goroutine 8 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffdfbaf9751, 0xa, 0xc000016560, 0xa, 0xc0000d0690, 0xc00001c180, 0x70, 0xc0000ca000, 0x0, 0x0, ...)
/root/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x79d6c0, 0xc000052240, 0xc000016c20, 0x6)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2c0
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x79d6c0, 0xc000052240, 0xc0000574a0, 0xc000016bf0)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x147
created by github.com/ropnop/kerbrute/cmd.userEnum
/root/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x199
Ugh sorry. I added some new log statements to help me understand what's going on. Can you build from latest on that branch again and try running with the `-v` option for more debug logging and `-t 1` just to do it single threaded and show me the output? Thanks for helping me out here!
More strange behavior (sorry 😄 )
When I boot my Linux VM, the VM is not correctly synced with NTP, so the Linux VM date is not the same as the Windows date.
./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (97615a4) - 04/01/19 - Ronnie Flathers @ropnop
2019/04/01 22:01:48 > Using KDC(s):
2019/04/01 22:01:48 > 172.16.0.1:88
2019/04/01 22:01:48 > [+] VALID USERNAME: [email protected]
2019/04/01 22:01:48 > [+] VALID USERNAME: [email protected]
2019/04/01 22:01:48 > Done! Tested 4 usernames (2 valid) in 0.011 seconds
As you can see, `userenum` finds two accounts and ignores the problematic one (with "Do not require Kerberos preauthentication"). The error raised (with the `-v` flag) is:
2019/04/01 22:03:09 > [!] [email protected] - KRB Error: (11) KDC_ERR_NEVER_VALID Requested starttime is later than end time
Now, if I set the same NTP time on the Windows and on the Linux:
# ./kerbrute_linux_amd64 userenum -v -t 1 --dc 172.16.0.1 -d xxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (97615a4) - 04/04/19 - Ronnie Flathers @ropnop
2019/04/04 20:54:32 > Using KDC(s):
2019/04/04 20:54:32 > 172.16.0.1:88
2019/04/04 20:54:32 > [+] VALID USERNAME: [email protected]
2019/04/04 20:54:32 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x68dc99]
goroutine 6 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffc24a10751, 0xa, 0xc000016560, 0xa, 0xc0000d0690, 0xc00001c180, 0x70, 0xc0000ca000, 0x1, 0x0, ...)
/root/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x29
github.com/ropnop/kerbrute/cmd.testUsername(0x79d6c0, 0xc000052240, 0xc000016c60, 0x6)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2c0
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x79d6c0, 0xc000052240, 0xc0000574a0, 0xc000016bf0)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x147
created by github.com/ropnop/kerbrute/cmd.userEnum
/root/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x199
Here the debug message is not even triggered (`-v` is set).
🌻
lol wat. Okay, there's something seriously wonky with my Go. I can recreate the crash now... but only with the binary. Running it in a debugger or with `go run` doesn't cause the crash. I'm gonna have to investigate more. This is testing the limits of my golang knowledge.
kerbrute.exe userenum -d lab.ropnop.com -t 1 -v athomas.lst
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 04/04/19 - Ronnie Flathers @ropnop
2019/04/04 23:05:28 > Using KDC(s):
2019/04/04 23:05:28 > pdc01.lab.ropnop.com:88
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0x674750]
goroutine 20 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0xc0000540b0, 0xe, 0xc0000543b0, 0xe, 0xc0000677d0, 0xc0000d6080, 0x43, 0xc0000ec000, 0x1, 0x0, ...)
C:/Users/ronnie/Go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x30
github.com/ropnop/kerbrute/cmd.testUsername(0x769580, 0xc000050200, 0xc000054788, 0x7)
C:/Users/ronnie/Go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x2d1
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x769580, 0xc000050200, 0xc00008b020, 0xc000054760)
C:/Users/ronnie/Go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x151
created by github.com/ropnop/kerbrute/cmd.userEnum
C:/Users/ronnie/Go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x183
But...
go run main.go userenum -d lab.ropnop.com -t 1 -v athomas.lst
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 04/04/19 - Ronnie Flathers @ropnop
2019/04/04 23:06:28 > Using KDC(s):
2019/04/04 23:06:28 > pdc01.lab.ropnop.com:88
2019/04/04 23:06:28 > [+] VALID USERNAME: [email protected]
2019/04/04 23:06:28 > Done! Tested 1 usernames (1 valid) in 0.014 seconds
And now it's not crashing on me anymore and I can't debug. Since you seem to consistently get crashes, can you try building with `go build -race` and then running the binary just to see if it detects a race condition? This is such a bizarre, randomly occurring crash (at least for me) that I'm thinking it has to be an edge race condition somewhere. Thanks for your help!
Compiled with -race
# ./kerbrute_race_linux_amd64 userenum --dc 172.16.0.1 -d xxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (97615a4) - 04/07/19 - Ronnie Flathers @ropnop
2019/04/07 16:36:29 > Using KDC(s):
2019/04/07 16:36:29 > 172.16.0.1:88
2019/04/07 16:36:29 > [+] VALID USERNAME: [email protected]
2019/04/07 16:36:29 > [+] VALID USERNAME: [email protected]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x7dd5f7]
goroutine 6 [running]:
github.com/ropnop/kerbrute/session.KerbruteSession.HandleKerbError(0x7ffceb400747, 0xa, 0xc0000165a0, 0xa, 0xc000110690, 0xc00001c180, 0x70, 0xc0000e4000, 0x0, 0x0, ...)
/root/go/src/github.com/ropnop/kerbrute/session/session.go:110 +0x37
github.com/ropnop/kerbrute/cmd.testUsername(0x90baa0, 0xc000052240, 0xc000016c94, 0x6)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:84 +0x40e
github.com/ropnop/kerbrute/cmd.makeEnumWorker(0x90baa0, 0xc000052240, 0xc0000574a0, 0xc000016c70)
/root/go/src/github.com/ropnop/kerbrute/cmd/worker.go:50 +0x174
created by github.com/ropnop/kerbrute/cmd.userEnum
/root/go/src/github.com/ropnop/kerbrute/cmd/userenum.go:46 +0x22d
Hmm okay, thanks. How large is your username list? Is it just a few usernames? Still trying to track this behavior down.
Hmm, this is strange to me. In your original error messages, it's showing that the panic is on line 110: /root/go/src/github.com/ropnop/kerbrute/session/session.go:110
That makes sense since the panic is being caused by `err` being nil and therefore https://github.com/ropnop/kerbrute/blob/master/session/session.go#L110 throws a panic since nil can't be called.
In your latest error message (and when it was erroring for me), it's being thrown on the same line? But that line should be different since I added more code. The panic should be happening on line 118: https://github.com/ropnop/kerbrute/blob/fix/no_preauth/session/session.go#L118
Can you verify in your source code what line 110 is and that `session.go` has my changes?
Maybe try running `go clean -i -n github.com/ropnop/kerbrute` before running `go build -a`?
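Two points in this thread are really the same decision: the maintainer's note that it was unsafe to assume every AS-REQ ends in an error (a no-preauth account answers with an AS-REP instead), and the later diagnosis that calling a method on a nil `err` is what panics. The following is an added example, not kerbrute's or gokrb5's code, that models that decision for a single probed username. `KRBError`, `ASRep` and `ClassifyASResponse` are simplified stand-ins invented for this example; the error code numbers are the RFC 4120 values, and the constructed samples mirror the responses seen in the thread, including the `KDC_ERR_NEVER_VALID` clock-skew case, which says nothing about whether the principal exists.

```go
package main

import (
	"errors"
	"fmt"
)

// KDC error codes from RFC 4120 that matter when a bare AS-REQ (no
// pre-authentication data) is used to probe for usernames.
const (
	KDC_ERR_C_PRINCIPAL_UNKNOWN = 6  // client principal does not exist
	KDC_ERR_NEVER_VALID         = 11 // requested start time later than end time (clock skew)
	KDC_ERR_CLIENT_REVOKED      = 18 // account disabled or locked out
	KDC_ERR_PREAUTH_REQUIRED    = 25 // account exists and requires pre-auth
)

// KRBError is a simplified stand-in for a parsed KRB-ERROR message.
// It is an assumption for this example, not gokrb5's or kerbrute's type.
type KRBError struct {
	ErrorCode int
	EText     string
}

func (e *KRBError) Error() string {
	return fmt.Sprintf("KRB Error: (%d) %s", e.ErrorCode, e.EText)
}

// ASRep is a simplified stand-in for a parsed AS-REP (assumption, as above).
// A KDC only answers a bare AS-REQ with an AS-REP when the account has
// "Do not require Kerberos preauthentication" set.
type ASRep struct {
	CName string // client principal the KDC issued the ticket for
}

// Verdict is what the enumerator concludes about one probed username.
type Verdict int

const (
	Indeterminate  Verdict = iota // could not tell; retry or investigate
	Invalid                       // KDC does not know the principal
	Valid                         // principal exists, pre-auth required
	ValidNoPreauth                // principal exists and handed out an AS-REP (AS-REP roastable)
	Revoked                       // principal exists but is disabled or locked out
)

func (v Verdict) String() string {
	return [...]string{"Indeterminate", "Invalid", "Valid", "ValidNoPreauth", "Revoked"}[v]
}

// ClassifyASResponse maps the outcome of one AS-REQ to a Verdict.
// The first branch is the case the thread is about: err may be nil, so the
// code must never "handle" it as an error; instead it inspects the AS-REP.
func ClassifyASResponse(rep *ASRep, err error) (Verdict, string) {
	if err == nil {
		if rep != nil && rep.CName != "" {
			return ValidNoPreauth, "AS-REP received without pre-auth for " + rep.CName
		}
		return Indeterminate, "no KRB error and no AS-REP: nothing to classify"
	}

	var kerr *KRBError
	if !errors.As(err, &kerr) {
		// Transport or parsing failure, not a KDC decision about the principal.
		return Indeterminate, "non-Kerberos error: " + err.Error()
	}

	switch kerr.ErrorCode {
	case KDC_ERR_PREAUTH_REQUIRED:
		return Valid, kerr.Error()
	case KDC_ERR_C_PRINCIPAL_UNKNOWN:
		return Invalid, kerr.Error()
	case KDC_ERR_CLIENT_REVOKED:
		return Revoked, kerr.Error()
	case KDC_ERR_NEVER_VALID:
		// Seen in the thread when the Linux VM clock was off from the DC: the
		// KDC rejected the request before saying anything about the principal.
		return Indeterminate, "clock skew between client and KDC? " + kerr.Error()
	default:
		return Indeterminate, "unhandled " + kerr.Error()
	}
}

func main() {
	// Constructed sample responses, not captured traffic.
	samples := []struct {
		user string
		rep  *ASRep
		err  error
	}{
		{"alice", nil, &KRBError{KDC_ERR_PREAUTH_REQUIRED, "Additional pre-authentication required"}},
		{"nobody", nil, &KRBError{KDC_ERR_C_PRINCIPAL_UNKNOWN, "Client not found in Kerberos database"}},
		{"svc-nopreauth", &ASRep{CName: "svc-nopreauth"}, nil},
		{"locked", nil, &KRBError{KDC_ERR_CLIENT_REVOKED, "Clients credentials have been revoked"}},
		{"skewed", nil, &KRBError{KDC_ERR_NEVER_VALID, "Requested starttime is later than end time"}},
		{"unreachable", nil, errors.New("dial udp 172.16.0.1:88: i/o timeout")},
	}
	for _, s := range samples {
		v, why := ClassifyASResponse(s.rep, s.err)
		fmt.Printf("%-14s %-15s %s\n", s.user, v, why)
	}
}
```

The practical takeaway for an enumerator is that there are three outcomes worth distinguishing, not two: a KRB-ERROR that names the principal's state, an AS-REP (which both confirms the user and flags it as AS-REP roastable), and responses that say nothing about the principal at all, such as clock-skew rejections or transport failures, which should be reported as indeterminate rather than silently dropped.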
Just to verify there's no weird caching or anything, this Linux binary works fine on my system. Can you try it from your kali box?
Your build is ok!
# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (97615a4) - 04/11/19 - Ronnie Flathers @ropnop
2019/04/11 22:59:53 > Using KDC(s):
2019/04/11 22:59:53 > 172.16.0.1:88
2019/04/11 22:59:53 > [+] VALID USERNAME: [email protected]
2019/04/11 22:59:53 > [+] VALID USERNAME: [email protected]
2019/04/11 22:59:53 > [+] VALID USERNAME: [email protected]
2019/04/11 22:59:53 > Done! Tested 3 usernames (3 valid) in 0.003 seconds
but not reproducible in my lab with the following setup:
root@debian64bit:~/go# ls
bin src
root@debian64bit:~/go# git clone https://github.com/ropnop/kerbrute.git
Cloning into 'kerbrute'...
remote: Enumerating objects: 82, done.
remote: Counting objects: 100% (82/82), done.
remote: Compressing objects: 100% (26/26), done.
remote: Total 641 (delta 55), reused 76 (delta 52), pack-reused 559
Receiving objects: 100% (641/641), 344.59 KiB | 0 bytes/s, done.
Resolving deltas: 100% (251/251), done.
root@debian64bit:~/go# cd kerbrute/
root@debian64bit:~/go/kerbrute# git checkout fix/no_preauth
Branch fix/no_preauth set up to track remote branch fix/no_preauth from origin.
Switched to a new branch 'fix/no_preauth'
root@debian64bit:~/go/kerbrute# make linux
Building for linux amd64...
Building for linux 386...
Done.
root@debian64bit:~/go/kerbrute# cd dist/
My Go skill is really weak; maybe I'm doing it wrong.
Yay, well it's good I'm not going crazy and that binary does work! I have no idea what's going on TBH. I'm pretty new to Go myself, and this build behavior is very strange to me.
Since it seems like the issue is fixed, I'm going to merge into master and cut a new release. When that's done if you could test and verify one more time i'll close this out.
Thanks so much for your patience and helping me troubleshoot!
Can you download one of the latest releases and verify it works as expected with a user with preauth disabled? https://github.com/ropnop/kerbrute/releases/tag/v1.0.1
🎉 Seems to work with the two types of account. Nice :)
# ./kerbrute_linux_amd64 userenum --dc 172.16.0.1 -d xxx.org user
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.1 (385cb2b) - 04/16/19 - Ronnie Flathers @ropnop
2019/04/16 20:44:17 > Using KDC(s):
2019/04/16 20:44:17 > 172.16.0.1:88
2019/04/16 20:44:17 > [+] VALID USERNAME: [email protected]
2019/04/16 20:44:17 > [+] VALID USERNAME: [email protected]
2019/04/16 20:44:17 > [+] VALID USERNAME: [email protected]
2019/04/16 20:44:17 > Done! Tested 3 usernames (3 valid) in 0.010 seconds
🌻