# Enumerating AD Users

### Kerbrute - Internal AD Username Enumeration

[Kerbrute](https://github.com/ropnop/kerbrute) can be a stealthier option for domain account enumeration. It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts. We will use Kerbrute in conjunction with the `jsmith.txt` or `jsmith2.txt` user lists from [Insidetrust](https://github.com/insidetrust/statistically-likely-usernames). This repository contains many different user lists that can be extremely useful when attempting to enumerate users from an unauthenticated perspective. We can point Kerbrute at the DC we found earlier and feed it a wordlist. The tool is quick, and its results tell us whether each account found is valid or not, which is a great starting point for attacks such as password spraying, which we will cover in depth later in this module.

To get started with Kerbrute, we can download [precompiled binaries](https://github.com/ropnop/kerbrute/releases/latest) for the tool for testing from Linux, Windows, and Mac, or we can compile it ourselves. Compiling from source is generally the best practice for any tool we introduce into a client environment. To compile the binaries to use on the system of our choosing, we first clone the repo:

**Cloning Kerbrute GitHub Repo**

```shell-session
ammartiger@htb[/htb]$ sudo git clone https://github.com/ropnop/kerbrute.git

Cloning into 'kerbrute'...
remote: Enumerating objects: 845, done.
remote: Counting objects: 100% (47/47), done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 845 (delta 18), reused 28 (delta 10), pack-reused 798
Receiving objects: 100% (845/845), 419.70 KiB | 2.72 MiB/s, done.
Resolving deltas: 100% (371/371), done.
```

Typing `make help` will show us the compiling options available.

**Listing Compiling Options**

```shell-session
ammartiger@htb[/htb]$ make help

help:            Show this help.
windows:  Make Windows x86 and x64 Binaries
linux:  Make Linux x86 and x64 Binaries
mac:  Make Darwin (Mac) x86 and x64 Binaries
clean:  Delete any binaries
all:  Make Windows, Linux and Mac x86/x64 Binaries
```

We can choose to compile just one binary or type `make all` and compile one each for use on Linux, Windows, and Mac systems (an x86 and x64 version for each).

**Compiling for Multiple Platforms and Architectures**

```shell-session
ammartiger@htb[/htb]$ sudo make all

go: downloading github.com/spf13/cobra v1.1.1
go: downloading github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
go: downloading github.com/ropnop/gokrb5/v8 v8.0.0-20201111231119-729746023c02
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/jcmturner/gofork v1.0.0
go: downloading github.com/hashicorp/go-uuid v1.0.2
go: downloading golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
go: downloading github.com/jcmturner/rpc/v2 v2.0.2
go: downloading github.com/jcmturner/dnsutils/v2 v2.0.0
go: downloading github.com/jcmturner/aescts/v2 v2.0.0
go: downloading golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa
cd /tmp/kerbrute
rm -f kerbrute kerbrute.exe kerbrute kerbrute.exe kerbrute.test kerbrute.test.exe kerbrute.test kerbrute.test.exe main main.exe
rm -f /root/go/bin/kerbrute
Done.
Building for windows amd64..

<SNIP>
```

The newly created `dist` directory will contain our compiled binaries.

**Listing the Compiled Binaries in dist**

```shell-session
ammartiger@htb[/htb]$ ls dist/

kerbrute_darwin_amd64  kerbrute_linux_386  kerbrute_linux_amd64  kerbrute_windows_386.exe  kerbrute_windows_amd64.exe
```

We can then test out the binary to make sure it works properly. We will be using the x64 version on the supplied Parrot Linux attack host in the target environment.

**Testing the kerbrute\_linux\_amd64 Binary**

```shell-session
ammartiger@htb[/htb]$ ./kerbrute_linux_amd64 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 02/17/22 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]
  
  <SNIP>
```

We can add the tool to our PATH to make it easily accessible from anywhere on the host.

**Adding the Tool to our Path**

```shell-session
ammartiger@htb[/htb]$ echo $PATH
/home/htb-student/.local/bin:/snap/bin:/usr/sandbox/:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/share/games:/usr/local/sbin:/usr/sbin:/sbin:/snap/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home/htb-student/.dotnet/tools
```

**Moving the Binary**

```shell-session
ammartiger@htb[/htb]$ sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute
```

We can now type `kerbrute` from any location on the system and will be able to access the tool. Feel free to follow along on your system and practice the above steps. Now let's run through an example of using the tool to gather an initial username list.

**Enumerating Users with Kerbrute**

```shell-session
ammartiger@htb[/htb]$ kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users

2021/11/17 23:01:46 >  Using KDC(s):
2021/11/17 23:01:46 >   172.16.5.5:88
2021/11/17 23:01:46 >  [+] VALID USERNAME:       jjones@INLANEFREIGHT.LOCAL
2021/11/17 23:01:46 >  [+] VALID USERNAME:       sbrown@INLANEFREIGHT.LOCAL
2021/11/17 23:01:46 >  [+] VALID USERNAME:       tjohnson@INLANEFREIGHT.LOCAL
2021/11/17 23:01:50 >  [+] VALID USERNAME:       evalentin@INLANEFREIGHT.LOCAL

 <SNIP>
 
2021/11/17 23:01:51 >  [+] VALID USERNAME:       sgage@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       jshay@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       jhermann@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       whouse@INLANEFREIGHT.LOCAL
2021/11/17 23:01:51 >  [+] VALID USERNAME:       emercer@INLANEFREIGHT.LOCAL
2021/11/17 23:01:52 >  [+] VALID USERNAME:       wshepherd@INLANEFREIGHT.LOCAL
2021/11/17 23:01:56 >  Done! Tested 48705 usernames (56 valid) in 9.940 seconds
```

We can see from our output that we validated 56 users in the INLANEFREIGHT.LOCAL domain, and it took only a few seconds to do so. Now we can take these results and build a list for use in targeted password spraying attacks.
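From the defender's side, the `userenum` run above sends one AS-REQ per candidate name; for names that do not exist the KDC answers `KDC_ERR_C_PRINCIPAL_UNKNOWN`, which a domain controller records as Event ID 4768 with Result Code `0x6` when Kerberos Authentication Service auditing is enabled. The detection logic below is an added example (not part of these notes or of the Kerbrute project) that flags a burst of such failures from a single client IP over constructed sample events; the simplified key=value export format and the IP addresses are assumptions.

```python
# Added example, not from the original notes: flag kerbrute-style username
# enumeration in DC security logs. A non-existent principal yields a 4768
# event with Result=0x6; many of those from one client IP in a short window
# is the signal a SOC would alert on.
from collections import defaultdict
from datetime import datetime

# Constructed sample of 4768 events in an assumed simplified key=value export.
SAMPLE_EVENTS = """\
2021-11-17T23:01:46 EventID=4768 Account=jjones Result=0x0 ClientIP=172.16.5.225
2021-11-17T23:01:46 EventID=4768 Account=nosuchuser1 Result=0x6 ClientIP=172.16.5.225
2021-11-17T23:01:46 EventID=4768 Account=nosuchuser2 Result=0x6 ClientIP=172.16.5.225
2021-11-17T23:01:47 EventID=4768 Account=nosuchuser3 Result=0x6 ClientIP=172.16.5.225
2021-11-17T23:01:47 EventID=4768 Account=nosuchuser4 Result=0x6 ClientIP=172.16.5.225
2021-11-17T23:01:48 EventID=4768 Account=nosuchuser5 Result=0x6 ClientIP=172.16.5.225
2021-11-17T23:02:10 EventID=4768 Account=typoedname Result=0x6 ClientIP=172.16.5.40
2021-11-17T23:05:00 EventID=4768 Account=whouse Result=0x0 ClientIP=172.16.5.40
"""

def parse_events(text):
    """Parse the constructed export into dicts carrying a datetime and the fields."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def detect_userenum(events, threshold=5, window_seconds=60):
    """Return {client_ip: peak_count} for IPs with at least `threshold` 4768/0x6
    events inside any sliding window of `window_seconds`; slow runs stay below it."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4768" and ev.get("Result") == "0x6":
            by_ip[ev["ClientIP"]].append(ev["ts"])
    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

if __name__ == "__main__":
    print(detect_userenum(parse_events(SAMPLE_EVENTS)))  # {'172.16.5.225': 5}
```

The single `0x6` from 172.16.5.40 (a mistyped username) stays below the threshold, while the burst from 172.16.5.225 is reported even though valid accounts were mixed in.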

### Identifying Potential Vulnerabilities

The [local system](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account) account `NT AUTHORITY\SYSTEM` is a built-in account in Windows operating systems. It has the highest level of access in the OS and is used to run most Windows services. It is also very common for third-party services to run in the context of this account by default. A `SYSTEM` account on a `domain-joined` host will be able to enumerate Active Directory by impersonating the computer account, which is essentially just another kind of user account. Having SYSTEM-level access within a domain environment is nearly equivalent to having a domain user account.

There are several ways to gain SYSTEM-level access on a host, including but not limited to:

* Remote Windows exploits such as MS08-067, EternalBlue, or BlueKeep.
* Abusing a service running in the context of the `SYSTEM` account, or abusing the service account's `SeImpersonate` privilege using [Juicy Potato](https://github.com/ohpe/juicy-potato). This type of attack is possible on older Windows OS versions but not always possible on Windows Server 2019.
* Local privilege escalation flaws in Windows operating systems such as the Windows 10 Task Scheduler 0-day.
* Gaining admin access on a domain-joined host with a local account and using PsExec to launch a SYSTEM cmd window.

By gaining SYSTEM-level access on a domain-joined host, you will be able to perform actions such as, but not limited to:

* Enumerate the domain using built-in tools or offensive tools such as BloodHound and PowerView.
* Perform Kerberoasting / ASREPRoasting attacks within the same domain.
* Run tools such as Inveigh to gather Net-NTLMv2 hashes or perform SMB relay attacks.
* Perform token impersonation to hijack a privileged domain user account.
* Carry out ACL attacks.

***

### A Word Of Caution

Keep the scope and style of the test in mind when choosing a tool for use. If you are performing a non-evasive penetration test, with everything out in the open and the customer's staff knowing you are there, it doesn't typically matter how much noise you make. However, during an evasive penetration test, adversarial assessment, or red team engagement, you are trying to mimic a potential attacker's Tools, Tactics, and Procedures. With that in mind, stealth is a concern. Throwing Nmap at an entire network is not exactly quiet, and many of the tools we commonly use on a penetration test will trigger alarms for an educated and prepared SOC or Blue Teamer. Always be sure to clarify the goal of your assessment with the client in writing before it begins.
