The Russian Kerbrute by Ivan Glinkin

The first thing every penetration tester performs getting into a controller domain subnet is to brute force discovery of users which is called a Kerbrute attack. There are plenty of articles about that type of exploitation but in every source an author uses a preset dictionary for his purposes which is no so perfectly related to the real life. Today I will try to fill this gap and create a universal working dictionary for Kerbrute attack in the Russian AD.

The concept

Active Directory Domain Services known as AD DS stores information about the domain’s members, including devices and users, verifies their credentials and defines their access rights.

Enumerating users aka Kerbrute attack allows you to reveal which users accounts are on the domain for further attacking and escalating the privileges.

Depending on your preference you may use any related application. I prefer using kerberos_enumusers module within Metasploit (use auxiliary/gather/kerberos_enumusers).

use auxiliary/gather/kerberos_enumusers

Once enumeration is completed, we can find all the domain users.

The_Russian_Kerbrute_002
creds
The next thing we have to do is to understand how domain administrators create users in the domain, or, to be more specific, what is the pattern for usernames.

The best practice for the corporate usernames is to combine person’s surname and the first letter of his name, for instance, in my case, iglinkin@corporate.local. Truthfully saying, the pattern depends on the company’s security policy and may also be the next: i.glinkin@corporate.localivanglinkin@corporate.localglinkini@corporate.localglinkin.i@corporate.localglinkinivan@corporate.local or even just a second name – glinkin@corporate.local.

Let’s find out the real cases. We will start with Microsoft where using NSurname@microsoft.com (https://www.microsoft.com/en-us/research/people/jwinn/).

The_Russian_Kerbrute_003
Microsoft

The same format for the Jones Walker company (https://www.joneswalker.com/en/professionals/index.html).

The_Russian_Kerbrute_004
Jones Walker

For MIT it’s even the first letters of first and given names followed by a surname – FGSurname@mit.edu.  (https://web.mit.edu/directory/?id=cajones&d=mit.edu&ln=Jones&gn=Caroline).

The_Russian_Kerbrute_005
MIT
  1. Harvesting

Ok, we defined the core statutes. But what’s further?

As you may see from the previous section, the surname (last name) is the main part of the corporate login. The first name is not so interesting due to the only char, so we do not even have to know the real name – we will add just a letter before or after the surname.

Consequently, the next toughest and the most important phase at the same time is we have to collect the surnames data.

It’s an Internet age so let’s google a little – “Russian surnames”.

The_Russian_Kerbrute_006
Google -> Russian surnames

40 surnames – not so much especially when there are more than 200k different surnames in Russia. But when you dig a little bit deeper you may find several crucial moments.

The first is that all of the Russian surnames’ lists in … Russian. So, the first issue we faced is we have to transliterate the last names into English because of Active Directory does not understand any other languages except the last one.

The second problem is the spelling of the Russian female surname.  As you may see in many cases (not all) there is an additional “A” at the end. Just for example and to be clear, Smirnov is a man’s last name, Smirnova – woman’s.  In that case, the full amount of the Russian surnames is about 310 000. Impressive, isn’t it?

The_Russian_Kerbrute_007
Smirnov – Smirnova

It’s harvesting time. Having browsed the Internet, I have found the interesting source – https://woords.su/full-name/russian-surnames. It contains almost all Russian surnames. Let’s look at it.

The_Russian_Kerbrute_008
https://woords.su/full-name/russian-surnames (c)

Unfortunately, all of the surnames are in Russian (Google translate addon helped us). But the good news is there are female’s last names too so we do not have to perform additional transformation.

Ok, let’s get all of the surnames at first.

The_Russian_Kerbrute_009
curl https://woords.su/full-name/russian-surnames

Wow, that’s quite tough to read, but we have to. Let’s implement a little bash magic.

The_Russian_Kerbrute_010
curl -s https://woords.su/full-name/russian-surnames | grep “” | sed ‘s/</td>/</td>n/g’ | sed ‘s/</tr>/</tr>n/g’ | sed ‘s/</a>//g’ | sed ‘s/</tr>//g’ | sed ‘s/</td>//g’ | awk -F “>” ‘{print $NF}’

Excellent. The last thing we have to do is to go to each page, get the information and write it down to the file. Overall, we have 1593 pages, the link is https://woords.su/full-name/russian-surnames/page-1593.

The_Russian_Kerbrute_011
https://woords.su/full-name/russian-surnames/page-1593 (c)

Let’s modify our previous script to get all of the surnames.

The_Russian_Kerbrute_012
for pagenum in {1..1593};do curl -s https://woords.su/full-name/russian-surnames/page-$pagenum | grep “” | sed ‘s/</td>/</td>n/g’ | sed ‘s/</tr>/</tr>n/g’ | sed ‘s/</a>//g’ | sed ‘s/</tr>//g’ | sed ‘s/</td>//g’ | awk -F “>” ‘{print $NF}’ >> lastnames.txt; done

It took 34 minutes and 13 seconds to parse all of the surnames. Let’s check what we’ve got.

The_Russian_Kerbrute_013
wc -l; tail

318076 last names. Pretty one harvest. What’s next?

 

  1. Transliteration

The next stuff we have to do is to transliterate gotten surnames from Russian into English. We have at least 2 possible ways: to write our own script or find related mechanism in the internet. I preferred to follow the second way and found a great web-site – https://translit.cc/

All we have to do is just copy/past our dictionary, click the button and wait for a while.

The_Russian_Kerbrute_014
https://translit.cc

We got it. Now let’s save it into the new file.

That’s quite inconvenient to use uppercase so the next step is transforming all the letters into lowercase.

The_Russian_Kerbrute_015
cat lastnames_en.txt | tr ‘[:upper:]’ ‘[:lower:]’ > lastnames_en2.txt

I have already had my own dictionary which consists of more than 30k surnames collected by the real AD pentests. So, the last thing we should do is to combine them into the one big file.

The_Russian_Kerbrute_016
cat; sort -u; wc -l
  1. Customizing

Ok, we have a huge dictionary with more than 333,5k surnames. Is it enough to start testing the AD? In some cases – yes, but generally – no.

As I mentioned earlier, the most famous pattern for the corporate username in the world is FLastname aka iglinkin@corporate.local. In that case we have to add a name letter before our surnames.

First of all, let’s generate a simple dictionary with the letters. We may even create that manually.

The_Russian_Kerbrute_017
cat one_letter.txt

Do not be surprised about the sequence 🙂 It’s Russian alphabet transliterated into English.

The next step is adding each letter before each surname – what can be easier?

The_Russian_Kerbrute_018
for name in $(head one_letter.txt); do for surname in $(head lastnames_en.txt); do echo $name$surname; done ;done

The full usernames list will consist of 9 004 770 logins. Can you imagine that?

Similarly, you may create your own dictionary for the particular purpose.

  1. Afterword

Using that universal dictionary you may create plenty of penetration testing attacks, including, but not limited:

  1. Kerbrute attack;
  2. Email password spray attack;
  3. Email spam attack (please, do not do it 🙂
  4. If the company has a specific email configuration, you may perform an email enumeration (when you got a respond that the email could not reach the server or something like that).

For your convenience, I created a new branch in my GitHub account – https://github.com/IvanGlinkin/Dics-for-Russian-AD. There is the full Russian surnames dictionary with more than 333,5k lines used in the current article and another related and useful lists. You are free to get and use them for your legal particular purposes (not for criminal aims) as well as adding additional surnames absented in the list.


About the Author

Ivan Glinkin

1611302717263

7+ years combined operational work experience in penetration tests of enterprise networks and web application, physical social engineering and escalating the privileges.

As a member of the Enterprise Security and Risk Team, I conduct enterprise wide security risk assessments by infiltrating its systems and breach its physical perimeters. This highlights gaps in the organization’s technical security that require fixing as well as being involved in executing the security awareness plan.

Knowledge of Bash Scripting, PHP, SQL, Python and C-based program languages allows me to create my own applications for automation and optimization company’s security.

Passed both the CEH knowledge-based MCQ and the CEH Practical exam on 92,8% and 90% respectively allowed me to become the TOP 10 in the World Global Ethical Hacking LeaderBoard!

I am the offensive security and my goal does not end at gaining full access – that is only a starting point.

=====

Feel free to ping me by one of these ways:☑ https://www.linkedin.com/in/ivanglinkin☑ https://www.facebook.com/i.glinkin☑ ivan.o.glinkin@gmail.com

 

click here to read full Article

Read More on Pentesting Tools

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: