Published: 19 October 2020
It is possible to brute-force Windows accounts directly, using tools like Metasploit using modules such as smb_login, which will target port 445 (SMB). However, it’s also possible to brute-force the Active Director authentication protocol Kerberos directly.
This can be beneficial to an attack for two reasons, the first is that it will be logged differently and depending on how the blue team are monitoring for attacks it might fly under the radar. A standard login attempt that fails will result in event 4625, whereas a failed Kerberos login attempt will likely result in event 4771.
However, the lockout counter will still be incremented therefore it is still possible to lock accounts through a Kerberos brute-force.
The second benefit is that it is possible that Kerberos will validate if a username is correct or not during the brute-force, which is useful if you’re also guessing usernames during the attack.
Rubeus.exe brute /users:users.txt /passwords:passwords.txt /outfile:out.txt
In the above you can see that the user “gmorris” has been revealed as valid, but the password was not determined. However the user “skelly” is shown as both valid and the password has been brute-forced.
This attack of course relies on a user passwords being brute-forceable, this is predicated on either the password being weak or the observation window being weak.
Posts broken down by category
Articles concentrating on network and operating system level attacks.
Articles covering attacks against web applications and their associated APIS.
Articles concentrating on past data breaches, looking for lessons learned.
Articles covering breaking into wireless networks and how to keep them safe.