This article covers the Kerberos pre-authentication brute-force attack, explaining how it exploits Kerberos authentication responses to enumerate valid usernames and crack passwords. It provides mitigation techniques and detection strategies mapped to the MITRE ATT&CK framework to assist security professionals in defending against this threat.
Affected: Active Directory environments, security professionals
Keypoints:
- Kerberos is a widely used authentication protocol in Active Directory (AD) environments.
- The Kerberos authentication process includes a Key Distribution Center (KDC), Authentication Server (AS), and Ticket Granting Server (TGS).
- Brute-forcing exploits distinct server responses during Kerberos authentication attempts.
- Attackers target Kerberos operations specifically on port 88 during brute-force attacks.
- AS-REQ messages generate different responses based on username validity and pre-authentication requirements.
- Metasploit modules can verify Kerberos credentials and identify account status such as valid/invalid and locked/disabled.
- Nmap can discover valid usernames via the krb5-enum-users script.
- Kerbrute is designed for verifying Active Directory usernames through pre-authentication techniques.
- Impacket's GetNPUsers script assists in extracting AS-REP hashes for offline cracking.
- Rubeus can perform password brute-force attacks against all user accounts in Active Directory.
- Organizations can mitigate risks by enforcing strong password policies and monitoring event logs.
- Detection techniques include monitoring for high-frequency requests and failed authentication attempts.
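Detection logic of the kind the last two keypoints describe, as an added example that is not part of the linked article: it replays constructed KDC audit lines (the line format is an assumption; the result codes are the KRB error codes from RFC 4120) and flags a client that produces a burst of failed AS-REQs, separating username enumeration from password guessing by which error the KDC returned.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# AS-REQ result codes from RFC 4120 (0x0 success, 0x18 wrong password, 0x12 revoked).
UNKNOWN_USER = 0x6       # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such username
PREAUTH_REQUIRED = 0x19  # KDC_ERR_PREAUTH_REQUIRED: user exists, pre-auth needed

# Constructed sample KDC audit lines: "<iso-time> <client-ip> <principal> <code>".
# 10.0.0.7 walks a username wordlist; 10.0.0.8 hammers one valid account.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 alice 0x0
2024-05-01T10:00:01 10.0.0.9 bob 0x18
2024-05-01T10:00:02 10.0.0.7 aaron 0x6
2024-05-01T10:00:02 10.0.0.7 abby 0x6
2024-05-01T10:00:03 10.0.0.7 alice 0x19
2024-05-01T10:00:04 10.0.0.7 alfred 0x6
2024-05-01T10:00:10 10.0.0.8 alice 0x18
2024-05-01T10:00:10 10.0.0.8 alice 0x18
2024-05-01T10:00:11 10.0.0.8 alice 0x18
2024-05-01T10:00:12 10.0.0.8 alice 0x12
"""

def parse_log(text):
    """Return (timestamp, client_ip, principal, code) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, user, code = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, int(code, 16)))
    return sorted(events)

def detect(events, window=timedelta(seconds=60), threshold=4):
    """Flag client IPs with >= threshold failed AS-REQs in a sliding window."""
    recent, alerts = defaultdict(deque), {}
    for ts, ip, user, code in events:
        if code == 0 or ip in alerts:
            continue
        q = recent[ip]
        q.append((ts, user, code))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        probes = sum(c in (UNKNOWN_USER, PREAUTH_REQUIRED) for _, _, c in q)
        users = {u for _, u, _ in q}
        if probes > len(q) // 2:  # mostly "no such user" / "send pre-auth" replies
            label = "username enumeration"
        else:
            label = "password brute force" if len(users) == 1 else "password spray"
        alerts[ip] = (label, len(users))
    return alerts
```

A single failed logon from 10.0.0.9 stays below the threshold, so only the two bursty sources are reported; tune `window` and `threshold` to the normal failure rate of your domain controllers.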
Full Story: https://www.hackingarticles.in/ad-recon-kerberos-username-bruteforce/