Username Enumeration
It is possible to enumerate valid usernames without authentication by sending TGT requests with no pre-authentication.
To implement the attack we need to create a couple of users with easily guessable usernames. To do this we can choose some usernames from a popular list from the repository. We will create the following users:
2. Previously we created users through the GUI. Now we will create users with PowerShell. Create the file users.txt, place the usernames in it, and then create the users:
3. Run the command below to list all users and check that the users were created:
To enumerate usernames, send TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists.
3. After downloading the tool and the username list, run Kerbrute against the domain amsterdam.bank.local and DC 10.0.0.3. Pipe the command to tee to save the output to the text file username_enum.txt.
These valid users can be used for AS-REP roasting or password spraying attacks. For now, save these users to usernames.txt.
4. To get only a list of usernames, execute the following, which cuts the output down to the usernames, converts everything to lowercase and sorts for unique entries:
5. From here we can execute the following attacks to gain access to the domain:
I don't know any configurations to block the enumeration of usernames. The best way to block this is using a non-traditional naming convention for the sAMAccountNames.
Work in Progress
Source: __
To enumerate usernames we can use the tool Kerbrute. To install Kerbrute on Kali, download the latest release from GitHub and save it somewhere. I would recommend /opt.
2. For the list of usernames, download the list from .
The attack generates the Windows event "A Kerberos authentication ticket (TGT) was requested" if Kerberos audit logging is enabled.
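The event the page refers to is Security event ID 4768 (the ID is my addition; the page gives only its description). Because the enumeration works by asking the KDC about many usernames that do not exist, the signal on the domain controller is a burst of 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one client address, each for a different account name. The script below is an added detection example, not part of the original notes or of Kerbrute. It assumes 4768 events have been exported one per line in a simple key=value form (the sample log is constructed; a real XML or CSV export needs a different reader but the same logic). Whether the domain controller also logs the 0x19 (pre-authentication required) responses for valid accounts depends on its audit configuration, so the detection fires on the 0x6 failures alone and only reports 0x19 names as extra context.

```python
"""Detect Kerberos username enumeration in an export of Windows Security event 4768.

Added example, not part of the original notes. Assumes one event per line in a
key=value form (constructed below); real exports need a different parser but the
same aggregation logic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes from event 4768 that matter for enumeration.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # username does not exist
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # username exists, KDC demanded pre-auth (logged only on some DCs)

# Constructed sample log: one enumerating client (10.0.0.50) and one ordinary
# workstation (10.0.0.20) whose user mistypes their name once. The usernames and
# addresses are invented for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z EventID=4768 TargetUserName=jsmith ClientAddress=::ffff:10.0.0.20 Status=0x0
2024-05-01T10:00:01Z EventID=4768 TargetUserName=jsmth ClientAddress=::ffff:10.0.0.20 Status=0x6
2024-05-01T10:00:02Z EventID=4768 TargetUserName=jsmith ClientAddress=::ffff:10.0.0.20 Status=0x0
2024-05-01T10:00:05Z EventID=4768 TargetUserName=admin ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:05Z EventID=4768 TargetUserName=administrator ClientAddress=::ffff:10.0.0.50 Status=0x19
2024-05-01T10:00:05Z EventID=4768 TargetUserName=test ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:06Z EventID=4768 TargetUserName=guest ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:06Z EventID=4768 TargetUserName=info ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:06Z EventID=4768 TargetUserName=jsmith ClientAddress=::ffff:10.0.0.50 Status=0x19
2024-05-01T10:00:07Z EventID=4768 TargetUserName=backup ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:07Z EventID=4768 TargetUserName=service ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:07Z EventID=4768 TargetUserName=sysadmin ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:08Z EventID=4768 TargetUserName=ftp ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:08Z EventID=4768 TargetUserName=www ClientAddress=::ffff:10.0.0.50 Status=0x6
2024-05-01T10:00:08Z EventID=4768 TargetUserName=mail ClientAddress=::ffff:10.0.0.50 Status=0x6
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Yield one dict per log line: the key=value fields plus a parsed 'ts' datetime."""
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        yield fields


def detect_enumeration(text, window=timedelta(minutes=5), min_unknown=5):
    """Return one alert per client address that requested TGTs for at least
    `min_unknown` distinct non-existent usernames (result 0x6) inside `window`.

    The alert lists every unknown name the client tried and, as context, the names
    the KDC answered with 0x19, i.e. accounts the enumeration confirmed as valid."""
    per_client = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("EventID") == "4768":
            per_client[ev["ClientAddress"]].append(ev)

    alerts = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        unknown = [e for e in events if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN]
        # Sliding window over the 0x6 failures; fire once if any window holds enough distinct names.
        start = 0
        for end in range(len(unknown)):
            while unknown[end]["ts"] - unknown[start]["ts"] > window:
                start += 1
            names_in_window = {e["TargetUserName"].lower() for e in unknown[start:end + 1]}
            if len(names_in_window) >= min_unknown:
                alerts.append({
                    "client": client,
                    "unknown_users": sorted({e["TargetUserName"].lower() for e in unknown}),
                    "confirmed_users": sorted({e["TargetUserName"].lower() for e in events
                                               if e["Status"] == KDC_ERR_PREAUTH_REQUIRED}),
                    "first": unknown[start]["ts"],
                    "last": unknown[end]["ts"],
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG):
        print(f"{a['client']}: {len(a['unknown_users'])} non-existent names probed "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"valid names seen: {', '.join(a['confirmed_users']) or 'none'}")
```

The threshold and window are the knobs to tune: a single 0x6 from a workstation is normal (a typo), while many distinct unknown names from one address in a short span is not, and the threshold should sit above the typo rate seen in the environment. The clause in the lead-in about 0x19 is why the rule does not require those events to fire.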