Certified Red Team Professional (CRTP) - Notes

7.2 - User Enum in Kerberos

User Enumeration

User Enumeration occurs when it is possible to determine valid usernames on a system implementing an authentication mechanism.

Authentication Request (username, password) -> Authenticator

This happens when the system exhibits different behaviors depending on whether a username exists in the underlying data store or not.

Typical scenarios allowing user enumeration:

  • Different error messages

    username does not exist -> Invalid username | username does exist -> Invalid password

  • Timing differences

    username does not exist -> less processing -> faster response | username does exist -> more processing -> slower response

User Enumeration can be leveraged by attackers to gather information about a system's authentication process. By identifying valid usernames, an attacker can conduct further exploitation attempts.

For example, AS-REP roasting is a Kerberos attack requiring knowledge of a valid username. If pre-authentication is disabled for that user, the attacker can obtain an AS-REP message encrypted with the user's long-term key, opening up the possibility of offline password cracking.

User Enum in Kerberos

Kerberos allows user enumeration due to the following behaviors:

  • If pre-authentication is disabled for a user, submitting a valid username triggers the KDC to respond with a valid AS-REP message.

  • If pre-authentication is enabled, the KDC's responses differ based on username existence:

    • KRB5KDC_ERR_PREAUTH_REQUIRED

      • If pre-authentication is required and the user exists

    • KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

      • If the user does not exist

To perform such enumeration attacks in practice, various tools can be used:

  • impacket/GetNPUsers.py: this script attempts to list and retrieve TGTs for users with Do not require Kerberos preauthentication enabled (UF_DONT_REQUIRE_PREAUTH).


A Practical Example

The following PowerShell script creates 5 users whose names are picked at random from a pool of 100 candidate names (user1 to user100).

Import-Module ActiveDirectory

# Pool of 100 candidate names; draw 5 distinct ones so New-ADUser never collides on a name already created
$users = 1..100 | ForEach-Object { "user$_" }
$iterations = 5
foreach ($randomUser in ($users | Get-Random -Count $iterations)) {
    $samAccountName = $randomUser
    $userPrincipalName = "$randomUser@hexdump.lab"
    $givenName = "User"
    $surname = $randomUser
    $password = ConvertTo-SecureString "Password123!" -AsPlainText -Force

    # -PassThru returns the created object, so the chosen names are printed
    New-ADUser -SamAccountName $samAccountName -UserPrincipalName $userPrincipalName -GivenName $givenName -Surname $surname -Name $randomUser -AccountPassword $password -Enabled $true -PassThru
}

To enumerate them, first generate the user list:

> users.txt   # start from an empty list so a re-run does not append duplicates

for i in {1..100}; do
    echo "user$i" >> users.txt
done

To enumerate usernames, use the userenum module:

kerbrute userenum -d dev-angelist.lab --dc corp-dc.dev-angelist.lab users.txt

To delete the created users (substitute the names returned by New-ADUser -PassThru above):

$usersToDelete = @("user3", "user50", "user70", "user81", "user85")
foreach ($user in $usersToDelete) {
    Remove-ADUser -Identity $user -Confirm:$false
}

Possible Remediations

To reduce the risk of user enumeration, enforce account lockout policies:

  • Account lockout threshold

    • Defines the number of failed logins before an account is locked.

  • Account lockout duration

    • Defines the duration before an account automatically unlocks.

  • Reset account lockout counter after

    • Defines how long after a failed attempt the counter resets.
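As an added example (not part of the course notes), the following Python replays a sequence of failed pre-authentication attempts against the three settings above, so the interplay of threshold, lockout duration and reset window can be seen on concrete timestamps, and it also lists accounts whose userAccountControl carries UF_DONT_REQUIRE_PREAUTH (bit 0x400000), the accounts for which a valid username alone already yields an AS-REP. The policy values, timestamps and account records are constructed for the example. One caveat worth keeping in mind: the lockout counter only advances on a failed pre-authentication, i.e. a wrong password; a bare AS-REQ that merely elicits KRB5KDC_ERR_PREAUTH_REQUIRED does not touch it, so lockout limits what can be done with the enumerated names rather than the enumeration itself.

```python
from datetime import datetime, timedelta

# userAccountControl bit set by "Do not require Kerberos preauthentication"
UF_DONT_REQUIRE_PREAUTH = 0x400000


class LockoutPolicy:
    """The three Account Lockout Policy settings, durations as timedeltas."""
    def __init__(self, threshold, lockout_duration, reset_after):
        self.threshold = threshold                # Account lockout threshold
        self.lockout_duration = lockout_duration  # Account lockout duration
        self.reset_after = reset_after            # Reset account lockout counter after


def simulate_lockout(policy, failed_attempts):
    """Replay timestamped failed pre-authentication attempts (wrong passwords)
    against one account and return one record per attempt with the state after it.
    Model: badPwdCount increments per failure, is cleared when the previous failure
    is older than reset_after, and on reaching the threshold the account is locked
    for lockout_duration, after which it unlocks automatically with a cleared counter."""
    bad_count = 0
    last_fail = None
    locked_until = None
    records = []
    for t in sorted(failed_attempts):
        if locked_until is not None:
            if t < locked_until:
                # still locked: the attempt is rejected and changes nothing
                records.append({"t": t, "state": "locked", "badPwdCount": bad_count})
                continue
            locked_until = None   # lockout duration elapsed: automatic unlock
            bad_count = 0
            last_fail = None
        if last_fail is not None and t - last_fail > policy.reset_after:
            bad_count = 0         # reset window expired, start counting afresh
        bad_count += 1
        last_fail = t
        if bad_count >= policy.threshold:
            locked_until = t + policy.lockout_duration
            records.append({"t": t, "state": "locked", "badPwdCount": bad_count})
        else:
            records.append({"t": t, "state": "counting", "badPwdCount": bad_count})
    return records


def accounts_without_preauth(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl) pairs as read from AD;
    returns the names whose UAC has UF_DONT_REQUIRE_PREAUTH set."""
    return sorted(name for name, uac in accounts if uac & UF_DONT_REQUIRE_PREAUTH)


# Constructed sample input: policy 5 attempts / 30 min lockout / 30 min reset window,
# a burst of failures spread over 80 minutes, and three sample account records.
SAMPLE_POLICY = LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30))
_T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_ATTEMPTS = [_T0 + timedelta(minutes=m) for m in (0, 1, 2, 3, 40, 41, 42, 43, 44, 50, 80)]
SAMPLE_ACCOUNTS = [
    ("user3", 0x10200),                                 # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("svc_legacy", 0x10200 | UF_DONT_REQUIRE_PREAUTH),  # pre-auth disabled
    ("user50", 0x200),
]


def run_sample():
    """Run the sample and report (minutes since start, state, badPwdCount) per attempt."""
    return [(int((r["t"] - _T0).total_seconds() // 60), r["state"], r["badPwdCount"])
            for r in simulate_lockout(SAMPLE_POLICY, SAMPLE_ATTEMPTS)]


if __name__ == "__main__":
    for minute, state, count in run_sample():
        print(f"t+{minute:3d} min: {state:8s} badPwdCount={count}")
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```

In the sample the four failures at minutes 0 to 3 never reach the threshold, the 37-minute gap before minute 40 clears the counter, the five failures from minute 40 to 44 lock the account until minute 74, the attempt at minute 50 is rejected, and the one at minute 80 starts a fresh count of 1.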

Other Resources

  • Kerbrute: a tool to quickly bruteforce and enumerate valid Active Directory accounts via Kerberos Pre-Authentication.

  • Rubeus: a C# toolset for raw Kerberos interaction and abuses.

  • Kerberos User Enumeration HexDump YT