Usernames are case sensitive when using brute command (and asktgt with AES) #119

Open
VbScrub opened this issue Dec 2, 2021 · 0 comments

Comments

@VbScrub (Contributor) commented Dec 2, 2021

If there is a user account with its username in AD set as "test" (all lowercase) and you try to use brute with the username in capitals, it tells me the credentials were not valid:

Rubeus.exe brute /domain:kerb.local /user:TEST /password:testpwd /verbose

[*] Action: Perform Kerberos Brute Force
[+] Valid user => TEST
[-] Done: No credentials were discovered :'(

The same is true for asktgt if you tell it to encrypt the password for you using any of the AES methods:

Rubeus.exe asktgt /domain:kerb.local /user:TEST /password:testpwd /enctype:aes128

[*] Action: Ask TGT
[*] Using aes128_cts_hmac_sha1 hash: F1FA0702BBA3EA5F89BABE017637D6E7
[*] Building AS-REQ (w/ preauth) for: 'kerb.local\TEST'
[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED

But if you just change the username to match the exact case it is in AD (all lowercase in this example) then both of the above examples work fine:

Rubeus.exe brute /domain:kerb.local /user:test /password:testpwd /verbose

[*] Action: Perform Kerberos Brute Force
[+] STUPENDOUS => test:testpwd
[*] Saved TGT into test.kirbi
[+] Done

The "fix" for this is to send an initial AS-REQ without any preauth data and then grab the PA-ETYPE-INFO2 structure from the e-data field included in the error message the server responds with. This contains the salt for AES encryption for this user and in the exact case it needs to be in.

I've implemented this in my GUI fork but as I've made some fairly big changes that help support this, I can't easily port it to a PR here. Plus I'm not sure you guys would even think it's worth the trade-off to have to send an extra AS-REQ every time just to fix this. Anyway, if someone does want to tackle it, these bits from my fork should be fairly easily transferable to get started:
https://github.com/VbScrub/Rubeus-GUI/blob/GUI-master/Rubeus/lib/krb_structures/PA_ETYPE_INFO2.cs
https://github.com/VbScrub/Rubeus-GUI/blob/GUI-master/Rubeus/lib/krb_structures/PA_DATA.cs#L112-L145
https://github.com/VbScrub/Rubeus-GUI/blob/GUI-master/Rubeus/lib/krb_structures/KRB_ERROR.cs#L66-L77
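The following is an added example (Python, not Rubeus or the fork's C#) showing the two halves of the case-sensitivity problem described in the issue: a minimal DER parser for the PA-ETYPE-INFO2 structure (RFC 4120 section 5.2.7.5) that a KDC returns in the e-data of a KDC_ERR_PREAUTH_REQUIRED error, and the PBKDF2 stage of the RFC 3962 AES string-to-key function, which is where the salt (by default the upper-cased realm followed by the principal name exactly as stored) goes in. The encoded ETYPE-INFO2 blob is constructed inline for realm KERB.LOCAL and user `test`; it is not captured KDC output. The final DK step of string-to-key (which needs AES, RFC 3962 section 4) is deliberately not implemented, since the PBKDF2 stage already shows that `KERB.LOCALtest` and `KERB.LOCALTEST` lead to different keys. Function names such as `parse_etype_info2`, `salt_for_etype` and `string_to_key_tmpkey` are this example's own.

```python
"""Parse PA-ETYPE-INFO2 and show why the salt it carries fixes the case problem.

ETYPE-INFO2-ENTRY ::= SEQUENCE {
    etype      [0] Int32,
    salt       [1] KerberosString OPTIONAL,
    s2kparams  [2] OCTET STRING OPTIONAL
}
ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
(Kerberos uses explicit context tagging, so [0] is 0xA0 wrapping an INTEGER, etc.)
"""
import hashlib
from typing import Iterator, List, Optional, Tuple

AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23


# --- minimal DER encode/decode (enough for this structure) -----------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with the given tag byte (used only to build the sample)."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


# --- ETYPE-INFO2 -----------------------------------------------------------

Entry = Tuple[int, Optional[str], Optional[bytes]]  # (etype, salt, s2kparams)


def parse_etype_info2(blob: bytes) -> List[Entry]:
    tag, seq, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("ETYPE-INFO2 must be a SEQUENCE")
    entries: List[Entry] = []
    for etag, entry in iter_tlvs(seq):
        if etag != 0x30:
            raise ValueError("ETYPE-INFO2-ENTRY must be a SEQUENCE")
        etype, salt, s2kparams = None, None, None
        for ctag, cval in iter_tlvs(entry):
            itag, inner, _ = read_tlv(cval, 0)  # strip the explicit context tag
            if ctag == 0xA0 and itag == 0x02:   # [0] INTEGER etype
                etype = int.from_bytes(inner, "big", signed=True)
            elif ctag == 0xA1 and itag == 0x1B:  # [1] GeneralString salt
                salt = inner.decode("utf-8")
            elif ctag == 0xA2 and itag == 0x04:  # [2] OCTET STRING s2kparams
                s2kparams = inner
        if etype is None:
            raise ValueError("ETYPE-INFO2-ENTRY without etype")
        entries.append((etype, salt, s2kparams))
    return entries


def default_salt(realm: str, principal: str) -> str:
    """RFC 3962 default salt: upper-cased realm + principal name as given."""
    return realm.upper() + principal


def salt_for_etype(entries: List[Entry], etype: int, realm: str, principal: str) -> str:
    """Prefer the KDC-supplied salt (correct case); fall back to the default."""
    for e, salt, _ in entries:
        if e == etype and salt is not None:
            return salt
    return default_salt(realm, principal)


def string_to_key_tmpkey(password: str, salt: str, etype: int) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key (the AES-based DK step is omitted)."""
    keylen = 16 if etype == AES128_CTS_HMAC_SHA1_96 else 32
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, keylen)


def build_sample_etype_info2() -> bytes:
    """Constructed sample of what a KDC for KERB.LOCAL could return for user 'test'."""
    salt = "KERB.LOCALtest"

    def entry(etype: int, salt_value: Optional[str] = None) -> bytes:
        body = der(0xA0, der(0x02, bytes([etype])))
        if salt_value is not None:
            body += der(0xA1, der(0x1B, salt_value.encode("utf-8")))
        return der(0x30, body)

    return der(0x30, entry(AES256_CTS_HMAC_SHA1_96, salt)
               + entry(AES128_CTS_HMAC_SHA1_96, salt)
               + entry(RC4_HMAC))


if __name__ == "__main__":
    info = parse_etype_info2(build_sample_etype_info2())
    guessed = default_salt("kerb.local", "TEST")            # what a naive client uses
    served = salt_for_etype(info, 17, "kerb.local", "TEST")  # what the KDC says
    print("entries:", info)
    print("guessed salt:", guessed, "| KDC salt:", served)
    print("keys differ:",
          string_to_key_tmpkey("testpwd", guessed, 17) != string_to_key_tmpkey("testpwd", served, 17))
```

The RC4 entry carries no salt because the RC4-HMAC key is derived from the password alone, which is why the issue only shows up for the AES enctypes; the parser therefore treats a missing `[1]` as legitimate rather than as an error.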
