7.2 - User Enum in Kerberos

User Enumeration

User Enumeration occurs when it is possible to determine valid usernames on a system implementing an authentication mechanism.

Authentication Request (username, password) -> Authenticator

This happens when the system exhibits different behaviors depending on whether a username exists in the underlying data store or not.

Typical scenarios allowing user enumeration:

  • Different error messages

    username does not exist -> Invalid username | username does exist --> Invalid password `----

  • Timing differences

    username does not exist -> less processing --> faster response | username does exist --> more processing -> slower response

User Enumeration` can be leveraged by attackers to gather information about a system's authentication process. By identifying valid usernames, an attacker can conduct further exploitation attempts.

For example, AS-REP roasting is a Kerberos attack requiring knowledge of a valid username. If pre-authentication is disabled for that user, the attacker can obtain an AS-REP message encrypted with the user's long-term key, opening up the possibility of offline password cracking.

User Enum in Kerberos

Kerberos allows user enumeration due to the following behaviors:

  • If pre-authentication is disabled for a user, submitting a valid username triggers the KDC to respond with a valid AS-REP message.

  • If pre-authentication is enabled, the KDC's responses differ based on username existence:

    • KRB5KDC_ERR_PREAUTH_REQUIRED

      • If pre-authentication is required and the user exists

    • KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

      • If the user does not exist

To perform such enumeration attacks in practice, various tools can be used:

  • Kerbrute: a tool to quickly bruteforce and enumerate valid Active Directory accounts via Kerberos Pre-Authentication.

  • Rubeus: a C# toolset for raw Kerberos interaction and abuses.

  • impacket/GetNPUsers.py: this script attempts to list and retrieve TGTs for users with Do not require Kerberos preauthentication enabled (UF_DONT_REQUIRE_PREAUTH).


A Practical Example

The following PowerShell script creates 5 random users selected from a pool of 100.

$users = 1..100 | ForEach-Object { "user$_" }
$iterations = 5
for ($i = 0; $i -lt $iterations; $i++) {
$randomUser = $users | Get-Random

$samAccountName = $randomUser
$userPrincipalName = "$randomUser@hexdump.lab"
$givenName = "User"
$surname = $randomUser
$password = ConvertTo-SecureString "Password123!" -AsPlainText -Force

New-ADUser -SamAccountName $samAccountName -UserPrincipalName $userPrincipalName -GivenName $givenName -Surname $surname -Name $randomUser -AccountPassword $password -Enabled $true -PassThru
}

To enumerate them, first generate the user list:

touch users.txt

for i in {1..100}; do
echo "user$i" >> users.txt
done

To enumerate usernames, use the userenum module: kerbrute userenum -d dev-angelist.lab --dc corp-dc.dev-angelist.lab users.txt To delete the created users:

$usersToDelete = @("user3", "user50", "user70", "user81", "user85")
foreach ($user in $usersToDelete) {
Remove-ADUser -Identity $user -Confirm:$false
}

Possible Remediations

To reduce the risk of user enumeration, enforce account lockout policies:

  • Account lockout threshold

    • Defines the number of failed logins before an account is locked.

  • Account lockout duration

    • Defines the duration before an account automatically unlocks.

  • Reset account lockout counter after

    • Defines how long after a failed attempt the counter resets.

Other Resources

Last updated