kerbrute
kerbrute (2.4k ⭐, 2020 🪦) is a popular tool that can be used for username enumeration and for password spraying on Kerberos.
You can install it using:
$ go install github.com/ropnop/kerbrute@latest
Username enumeration: it uses Kerberos Pre-Authentication to perform its enumeration. It generates event ID 4768 (TGT request) instead of 4625 (login failure). It doesn't count towards account lockout.
$ kerbrute userenum -d domain --dc IP wordlist
$ kerbrute userenum -d domain --dc IP wordlist -o output.txt
$ grep -F '[+]' output.txt | cut -d ' ' -f8 | cut -d '@' -f1 > valid_users.txt
If a user has pre-authentication disabled, their hash may be dumped, though we may have to investigate it manually. Refer to AS-REP Roasting Attack.
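Because this enumeration shows up as 4768 events rather than 4625 logon failures or lockouts, detection has to look at the TGT requests themselves. The following is an added example, not part of kerbrute or of the original page: it flags a source that requests TGTs for many distinct non-existent accounts in a short window. The CSV layout, thresholds and sample records are constructed assumptions; result code 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), assumed export format:
# timestamp,event_id,source_ip,requested_account,kerberos_result_code
SAMPLE_EVENTS = """\
2024-05-01T10:00:00,4768,10.0.0.50,alice,0x0
2024-05-01T10:00:05,4768,10.0.0.50,alcie,0x6
2024-05-01T10:01:00,4768,10.0.0.66,admin,0x6
2024-05-01T10:01:01,4768,10.0.0.66,backup,0x6
2024-05-01T10:01:02,4768,10.0.0.66,svc_sql,0x6
2024-05-01T10:01:03,4768,10.0.0.66,jsmith,0x0
2024-05-01T10:01:04,4768,10.0.0.66,test,0x6
2024-05-01T10:01:05,4768,10.0.0.66,guest1,0x6
2024-05-01T10:05:00,4768,10.0.0.70,bob1,0x6
2024-05-01T10:25:00,4768,10.0.0.70,bob2,0x6
"""

UNKNOWN_PRINCIPAL = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN: account does not exist


def parse(text):
    """Yield (time, event_id, source_ip, account, result_code) tuples."""
    for line in text.strip().splitlines():
        ts, event_id, src, user, code = line.split(",")
        yield datetime.fromisoformat(ts), int(event_id), src, user, int(code, 16)


def find_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Map each source IP to the unknown accounts it probed, for sources that hit
    at least `threshold` distinct unknown accounts inside one sliding window."""
    by_src = defaultdict(list)
    for ts, event_id, src, user, code in events:
        if event_id == 4768 and code == UNKNOWN_PRINCIPAL:
            by_src[src].append((ts, user.lower()))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window until it spans at most `window` of time.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= threshold:
                flagged.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in flagged.items()}
```

A single mistyped username (10.0.0.50) and slow, sparse failures (10.0.0.70) stay below the threshold; tune `window` and `threshold` to the environment's normal failure rate.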
Password Spraying
$ kerbrute passwordspray -d domain --dc IP valid_users.txt mypassword
<may not work, use nxc/cme instead>