ropnop / kerbrute

A tool to perform Kerberos pre-auth bruteforcing
Apache License 2.0

Password spray attempt increase badPwd counter by 2 #58

Open nxferns opened 1 year ago

nxferns commented 1 year ago

Hi,

When using this tool I noticed that the badPwdCount counter increases by 2 on each password spray attempt against a user. Could you please confirm if this is a bug?

I've attached a screenshot which compares the results to cme.


bmilliron67 commented 1 year ago

I can confirm this. I have a very unhappy client who got a lot of locked out accounts because of this. I did a packet capture that shows 2 AS-REQs for 1 test account per run of the tool. I made 2 captures, 1 for a good password and 1 for a bad password. Both show 2 AS-REQs. Again, there is only one account being tested here.


Alcqua commented 8 months ago

The issue is within the function ASExchange from the gokrb5 library. The function SendToKDC is called twice because it first tries to authenticate with the AES128 and then with the AES256 encryption algorithm.


If you want a quick and dirty workaround, comment out lines 43 to 53.
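For triaging lockouts like the ones reported in this thread, the following added example (not part of any comment above and not kerbrute or gokrb5 code) counts failed pre-auth requests per source and account and flags the back-to-back pairs that two AS-REQs per attempt would leave behind. The log format, the field names, the 1-second pairing window and the lockout threshold are assumptions, and each failed request is treated as one badPwdCount increment, as the thread reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one line per failed AS-REQ: timestamp,source_ip,account
SAMPLE_LOG = """\
2024-01-10T09:00:00.010,10.0.0.50,alice
2024-01-10T09:00:00.030,10.0.0.50,alice
2024-01-10T09:00:00.110,10.0.0.50,bob
2024-01-10T09:00:00.130,10.0.0.50,bob
2024-01-10T09:30:00.010,10.0.0.50,alice
2024-01-10T09:30:00.030,10.0.0.50,alice
2024-01-10T09:41:12.000,10.0.0.77,dave
"""

PAIR_WINDOW = timedelta(seconds=1)  # assumption: a doubled request lands within 1 s

def failures_by_key(log):
    """Map (source, account) -> sorted timestamps of failed pre-auth requests."""
    grouped = defaultdict(list)
    for line in log.strip().splitlines():
        ts, source, account = line.split(",")
        grouped[(source, account)].append(datetime.fromisoformat(ts))
    return {key: sorted(stamps) for key, stamps in grouped.items()}

def count_doubled(stamps):
    """Count non-overlapping pairs of failures that arrive within PAIR_WINDOW."""
    pairs, i = 0, 0
    while i + 1 < len(stamps):
        if stamps[i + 1] - stamps[i] <= PAIR_WINDOW:
            pairs, i = pairs + 1, i + 2
        else:
            i += 1
    return pairs

def triage(log, lockout_threshold):
    """Per source and account: failures seen, doubled pairs, threshold reached."""
    report = defaultdict(dict)
    for (source, account), stamps in failures_by_key(log).items():
        report[source][account] = {
            "failures": len(stamps),
            "doubled_pairs": count_doubled(stamps),
            "threshold_reached": len(stamps) >= lockout_threshold,
        }
    return dict(report)

def spray_sources(report, min_accounts=2):
    """Sources whose failures arrive as doubled pairs across several accounts."""
    return sorted(s for s, accts in report.items()
                  if sum(bool(a["doubled_pairs"]) for a in accts.values()) >= min_accounts)
```

With a threshold of 4, `triage(SAMPLE_LOG, 4)` shows alice reaching the threshold after only two rounds from the same source, which is the effect of each attempt counting twice.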