7.2 - User Enum in Kerberos

User Enumeration

User Enumeration occurs when it is possible to determine valid usernames on a system implementing an authentication mechanism.

Authentication Request (username, password) -> Authenticator

This happens when the system exhibits different behaviors depending on whether a username exists in the underlying data store or not.

Typical scenarios allowing user enumeration:

  • Different error messages

    username does not exist -> Invalid username | username does exist -> Invalid password

  • Timing differences

    username does not exist -> less processing -> faster response | username does exist -> more processing -> slower response

User Enumeration can be leveraged by attackers to gather information about a system's authentication process. By identifying valid usernames, an attacker can conduct further exploitation attempts.

For example, AS-REP roasting is a Kerberos attack requiring knowledge of a valid username. If pre-authentication is disabled for that user, the attacker can obtain an AS-REP message encrypted with the user's long-term key, opening up the possibility of offline password cracking.

User Enum in Kerberos

Kerberos allows user enumeration due to the following behaviors:

  • If pre-authentication is disabled for a user, submitting a valid username triggers the KDC to respond with a valid AS-REP message.

  • If pre-authentication is enabled, the KDC's responses differ based on username existence:

    • KRB5KDC_ERR_PREAUTH_REQUIRED

      • If pre-authentication is required and the user exists

    • KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

      • If the user does not exist
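The same KDC responses listed above are visible to defenders: a domain controller logs each AS-REQ as security event 4768 with a result code (0x6 for KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x19 for KRB5KDC_ERR_PREAUTH_REQUIRED, 0x0 when a TGT is issued) and a pre-authentication type (0 meaning none). The following added example, not part of the original page, parses constructed 4768-style log lines in a simplified key=value form and flags the two footprints described in this section: a client producing a burst of "unknown principal" errors, and accounts that obtained a TGT without pre-authentication.

```python
import re
from collections import defaultdict

# Event 4768 result codes mapped to the KDC errors named in the text.
RESULT_CODES = {
    "0x6": "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # user does not exist
    "0x19": "KRB5KDC_ERR_PREAUTH_REQUIRED",    # user exists, pre-auth required
    "0x0": "SUCCESS",                          # TGT (AS-REP) issued
}

# Constructed sample events (one per line); the key=value layout is an
# assumption made for this example, not the real Windows log format.
SAMPLE_LOG = """\
EventID=4768 Account=alice Client=10.0.0.5 Result=0x19 PreAuthType=2
EventID=4768 Account=zzzz01 Client=10.0.0.99 Result=0x6 PreAuthType=-
EventID=4768 Account=zzzz02 Client=10.0.0.99 Result=0x6 PreAuthType=-
EventID=4768 Account=bob Client=10.0.0.99 Result=0x19 PreAuthType=-
EventID=4768 Account=zzzz03 Client=10.0.0.99 Result=0x6 PreAuthType=-
EventID=4768 Account=svc_backup Client=10.0.0.99 Result=0x0 PreAuthType=0
EventID=4768 Account=carol Client=10.0.0.7 Result=0x0 PreAuthType=2
"""

LINE_RE = re.compile(r"EventID=(?P<id>\d+) Account=(?P<acct>\S+) Client=(?P<ip>\S+) "
                     r"Result=(?P<res>\S+) PreAuthType=(?P<pa>\S+)")

def parse_events(text):
    """Parse 4768 lines into dicts, labelling the result code; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("id") == "4768":
            e = m.groupdict()
            e["name"] = RESULT_CODES.get(e["res"], "OTHER")
            events.append(e)
    return events

def enumeration_sources(events, threshold=3):
    """Clients with >= threshold 'unknown principal' errors: the footprint of username guessing."""
    unknown = defaultdict(int)
    for e in events:
        if e["name"] == "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN":
            unknown[e["ip"]] += 1
    return {ip: n for ip, n in unknown.items() if n >= threshold}

def no_preauth_tgts(events):
    """Accounts issued a TGT with PreAuthType 0, i.e. the AS-REP roastable accounts described above."""
    return sorted({e["acct"] for e in events if e["name"] == "SUCCESS" and e["pa"] == "0"})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("enumeration sources:", enumeration_sources(evs))  # {'10.0.0.99': 3}
    print("AS-REP roastable:", no_preauth_tgts(evs))         # ['svc_backup']
```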

To perform such enumeration attacks in practice, various tools can be used:

  • Kerbrute: a tool to quickly bruteforce and enumerate valid Active Directory accounts via Kerberos Pre-Authentication.

  • Rubeus: a C# toolset for raw Kerberos interaction and abuses.

  • impacket/GetNPUsers.py: this script attempts to list and retrieve TGTs for users with Do not require Kerberos preauthentication enabled (UF_DONT_REQUIRE_PREAUTH).


A Practical Example

The following PowerShell script creates 5 random users selected from a pool of 100.

To enumerate them, first generate the user list:

To enumerate usernames, use the userenum module:

    kerbrute userenum -d dev-angelist.lab --dc corp-dc.dev-angelist.lab users.txt

To delete the created users:


Possible Remediations

To reduce the risk of user enumeration, enforce account lockout policies:

  • Account lockout threshold

    • Defines the number of failed logins before an account is locked.

  • Account lockout duration

    • Defines the duration before an account automatically unlocks.

  • Reset account lockout counter after

    • Defines how long after a failed attempt the counter resets.
