User Spraying

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit

Vulnerability

The Kerberos protocol lets anyone who knows a username request a TGT for that account from the KDC. If the KDC answers with an AS-REP (or a KDC_ERR_PREAUTH_REQUIRED error), the domain user exists; for a name that does not exist, the KDC returns KDC_ERR_C_PRINCIPAL_UNKNOWN instead. This difference in responses can be leveraged to perform user spraying (user enumeration). On the defensive side, the same difference is visible on the Domain Controller: each request is logged as Security event 4768, and a burst of unknown-principal failures from one client is the enumeration pattern.

Prerequisites

  • Network access to the Domain Controller.
  • The Kerberos service is reachable (TCP/UDP port 88 by default).

Exploit

To perform this attack, use Kerbrute; it sends one AS-REQ per name in the list and reports the names for which the KDC did not answer with an unknown-principal error:

kerbrute userenum -d $Domain --dc $DomainControllerIP usernames.txt
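The detection side of the behaviour described above, as an added example that is not part of the original page or of Kerbrute: it scans Security event 4768 (TGT requested) records for clients that draw many KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) responses for distinct account names within a short window. It assumes the "Audit Kerberos Authentication Service" subcategory is enabled on the DC so that 4768 is logged, and the sample records, the flattened one-line record format, and the window/threshold values are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4768 (TGT requested) records,
# flattened to "timestamp client_ip account result_code". Result codes:
# 0x0 = TGT issued, 0x19 = KDC_ERR_PREAUTH_REQUIRED (account exists),
# 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account, the enumeration signal).
SAMPLE_4768 = """\
2024-05-01T10:00:01 10.0.0.5 alice 0x0
2024-05-01T10:00:04 10.0.0.5 alcie 0x6
2024-05-01T10:00:09 10.0.0.5 alice 0x19
2024-05-01T10:02:00 10.0.0.9 admin 0x6
2024-05-01T10:02:00 10.0.0.9 administrator 0x19
2024-05-01T10:02:01 10.0.0.9 jsmith 0x6
2024-05-01T10:02:01 10.0.0.9 jdoe 0x6
2024-05-01T10:02:02 10.0.0.9 backup 0x6
2024-05-01T10:02:02 10.0.0.9 svc_sql 0x6
"""
UNKNOWN_PRINCIPAL = "0x6"

def parse_4768(text):
    """Yield (timestamp, client_ip, account, result_code) per record."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, code = line.split()
            yield datetime.fromisoformat(ts), ip, account, code.lower()

def detect_enumeration(text, window_seconds=60, threshold=5):
    """Map client_ip -> number of distinct unknown accounts for clients that
    drew >= threshold KDC_ERR_C_PRINCIPAL_UNKNOWN responses for distinct
    names within any sliding window of window_seconds."""
    unknown = defaultdict(list)  # ip -> [(timestamp, account), ...]
    for ts, ip, account, code in parse_4768(text):
        if code == UNKNOWN_PRINCIPAL:
            unknown[ip].append((ts, account))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in unknown.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {acct for _, acct in events[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] = max(len(names), flagged.get(ip, 0))
    return flagged

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_4768))  # {'10.0.0.9': 5}
```

A single typo from 10.0.0.5 is not flagged, while the burst of distinct unknown names from 10.0.0.9 is; requiring distinct names keeps one misconfigured service retrying a single bad account from tripping the rule.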