7.2 - User Enum in Kerberos
User Enumeration
User Enumeration occurs when it is possible to determine valid usernames on a system implementing an authentication mechanism.
Authentication Request (username, password) -> Authenticator
This happens when the system exhibits different behaviors depending on whether a username exists in the underlying data store or not.
Typical scenarios allowing user enumeration:
Different error messages
username does not exist -> Invalid username | username does exist --> Invalid password `----
Timing differences
username does not exist -> less processing --> faster response | username does exist --> more processing -> slower response
User Enumeration` can be leveraged by attackers to gather information about a system's authentication process. By identifying valid usernames, an attacker can conduct further exploitation attempts.
For example, AS-REP roasting is a Kerberos attack requiring knowledge of a valid username. If pre-authentication is disabled for that user, the attacker can obtain an AS-REP message encrypted with the user's long-term key, opening up the possibility of offline password cracking.
User Enum in Kerberos
Kerberos allows user enumeration due to the following behaviors:
If pre-authentication is disabled for a user, submitting a valid username triggers the KDC to respond with a valid
AS-REPmessage.If pre-authentication is enabled, the KDC's responses differ based on username existence:
KRB5KDC_ERR_PREAUTH_REQUIREDIf pre-authentication is required and the user exists
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWNIf the user does not exist
To perform such enumeration attacks in practice, various tools can be used:
Kerbrute: a tool to quickly bruteforce and enumerate valid Active Directory accounts via Kerberos Pre-Authentication.
Rubeus: a C# toolset for raw Kerberos interaction and abuses.
impacket/GetNPUsers.py: this script attempts to list and retrieve TGTs for users with
Do not require Kerberos preauthenticationenabled (UF_DONT_REQUIRE_PREAUTH).
A Practical Example
The following PowerShell script creates 5 random users selected from a pool of 100.
$users = 1..100 | ForEach-Object { "user$_" }
$iterations = 5
for ($i = 0; $i -lt $iterations; $i++) {
$randomUser = $users | Get-Random
$samAccountName = $randomUser
$userPrincipalName = "$randomUser@hexdump.lab"
$givenName = "User"
$surname = $randomUser
$password = ConvertTo-SecureString "Password123!" -AsPlainText -Force
New-ADUser -SamAccountName $samAccountName -UserPrincipalName $userPrincipalName -GivenName $givenName -Surname $surname -Name $randomUser -AccountPassword $password -Enabled $true -PassThru
}To enumerate them, first generate the user list:
touch users.txt
for i in {1..100}; do
echo "user$i" >> users.txt
doneTo enumerate usernames, use the userenum module:
kerbrute userenum -d dev-angelist.lab --dc corp-dc.dev-angelist.lab users.txt
To delete the created users:
$usersToDelete = @("user3", "user50", "user70", "user81", "user85")
foreach ($user in $usersToDelete) {
Remove-ADUser -Identity $user -Confirm:$false
}Possible Remediations
To reduce the risk of user enumeration, enforce account lockout policies:
Account lockout threshold
Defines the number of failed logins before an account is locked.
Account lockout duration
Defines the duration before an account automatically unlocks.
Reset account lockout counter after
Defines how long after a failed attempt the counter resets.
Other Resources
Last updated