Rubeus
Usernames are case sensitive when using brute command (and asktgt with AES)
If there is a user account with its username in AD set as "test" (all lowercase) and you try to use brute with the username in capitals, it tells me the credentials were not valid:
```
Rubeus.exe brute /domain:kerb.local /user:TEST /password:testpwd /verbose

[*] Action: Perform Kerberos Brute Force
[+] Valid user => TEST
[-] Done: No credentials were discovered :'(
```
The same is true for asktgt if you tell it to encrypt the password for you using any of the AES methods:
```
Rubeus.exe asktgt /domain:kerb.local /user:TEST /password:testpwd /enctype:aes128

[*] Action: Ask TGT
[*] Using aes128_cts_hmac_sha1 hash: F1FA0702BBA3EA5F89BABE017637D6E7
[*] Building AS-REQ (w/ preauth) for: 'kerb.local\TEST'
[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED
```
But if you just change the username to match the exact case it is in AD (all lowercase in this example) then both of the above examples work fine:
```
Rubeus.exe brute /domain:kerb.local /user:test /password:testpwd /verbose

[*] Action: Perform Kerberos Brute Force
[+] STUPENDOUS => test:testpwd
[*] Saved TGT into test.kirbi
[+] Done
```
The "fix" for this is to send an initial AS-REQ without any preauth data and then grab the PA-ETYPE-INFO2 structure from the e-data field included in the error message the server responds with. This contains the salt for AES encryption for this user and in the exact case it needs to be in.
I've implemented this in my GUI fork but as I've made some fairly big changes that help support this, I can't easily port it to a PR here. Plus I'm not sure you guys would even think it's worth the trade off to have to send an extra AS-REQ every time just to fix this. Anyway if someone does want to tackle it, these bits from my fork should be fairly easily transferable to get started:

- https://github.com/VbScrub/Rubeus-GUI/blob/GUI-master/Rubeus/lib/krb_structures/PA_ETYPE_INFO2.cs
- https://github.com/VbScrub/Rubeus-GUI/blob/GUI-master/Rubeus/lib/krb_structures/PA_DATA.cs#L112-L145
- https://github.com/VbScrub/Rubeus-GUI/blob/GUI-master/Rubeus/lib/krb_structures/KRB_ERROR.cs#L66-L77
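The root cause and the proposed fix, shown as an added example that is neither Rubeus code nor code from the issue author's fork. It builds the default AES salt the way the client does locally (uppercase realm plus the principal name exactly as typed), parses a KRB-ERROR e-data blob for the PA-ETYPE-INFO2 salt the KDC actually uses, and runs the PBKDF2 stage of the RFC 3962 AES string-to-key over both salts to show they diverge. The e-data bytes are constructed here with a small DER encoder so the example runs offline; the final DK step of string-to-key, which needs an AES primitive, is omitted, and `kerb.local`/`test`/`testpwd` are the values from the issue.

```python
"""Added example: salt case sensitivity in Kerberos AES string-to-key and
recovering the KDC-supplied salt from PA-ETYPE-INFO2 (not Rubeus code)."""
import hashlib

PA_ETYPE_INFO2 = 19            # padata-type (RFC 4120 section 7.5.2)
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18


# ---- minimal DER encoder, only what is needed to construct sample e-data ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ctx_tag(n, body):          # explicit context-specific tag [n]
    return tlv(0xA0 | n, body)

def seq(*items):
    return tlv(0x30, b"".join(items))

def build_edata(entries):
    """Constructed METHOD-DATA (SEQUENCE OF PA-DATA) holding one PA-ETYPE-INFO2
    with an ETYPE-INFO2-ENTRY per (etype, salt); salt is a KerberosString (GeneralString, 0x1B)."""
    info = seq(*[seq(ctx_tag(0, der_int(et)), ctx_tag(1, tlv(0x1B, salt.encode())))
                 for et, salt in entries])
    return seq(seq(ctx_tag(1, der_int(PA_ETYPE_INFO2)), ctx_tag(2, tlv(0x04, info))))


# ---- minimal DER decoder ----
def _read(buf, pos):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out

def _seq_items(buf):
    tag, body, _ = _read(buf, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    return _children(body)

def _field(fields, n):
    """Value of the TLV wrapped in explicit context tag [n], or None if absent."""
    for tag, val in fields:
        if tag == 0xA0 | n:
            return _children(val)[0][1]
    return None

def extract_salts(edata):
    """Return {etype: salt} from every PA-ETYPE-INFO2 entry in a KRB-ERROR e-data blob."""
    salts = {}
    for _, padata in _seq_items(edata):                      # each PA-DATA
        fields = _children(padata)
        if int.from_bytes(_field(fields, 1), "big", signed=True) != PA_ETYPE_INFO2:
            continue
        for _, entry in _seq_items(_field(fields, 2)):       # each ETYPE-INFO2-ENTRY
            ef = _children(entry)
            etype = int.from_bytes(_field(ef, 0), "big", signed=True)
            salt = _field(ef, 1)
            if salt is not None:
                salts[etype] = salt.decode()
    return salts


# ---- salt handling ----
def default_salt(realm, principal):
    """Default AES salt a client builds locally: uppercase realm + principal name, case preserved."""
    return realm.upper() + principal

def resolve_salt(edata, etype, realm, typed_user):
    """Prefer the salt the KDC returned for this etype; fall back to the local default."""
    return extract_salts(edata).get(etype, default_salt(realm, typed_user))

def aes_s2k_stage1(password, salt, keylen=16, iterations=4096):
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (DK step omitted; needs AES)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, keylen)


if __name__ == "__main__":
    # Constructed: the account exists as 'test', the operator typed 'TEST'.
    edata = build_edata([(AES128_CTS_HMAC_SHA1_96, "KERB.LOCALtest")])
    local, kdc = default_salt("kerb.local", "TEST"), resolve_salt(edata, 17, "kerb.local", "TEST")
    print("local salt:", local, "| KDC salt:", kdc)
    print("key material differs:", aes_s2k_stage1("testpwd", local) != aes_s2k_stage1("testpwd", kdc))
```

The extra unauthenticated AS-REQ the issue mentions is what makes `resolve_salt` possible: without the KRB-ERROR round trip the client only has `default_salt`, and any case mismatch between the typed name and the stored sAMAccountName yields a different key and a `KDC_ERR_PREAUTH_FAILED` that is indistinguishable from a wrong password.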