Kerbrute – Tool to Perform Kerberos pre-auth Bruteforcing

Kerbrute is a tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication. It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.

Kerbrute - Tool to Perform Kerberos pre-auth Bruteforcing
Kerbrute – Tool to Perform Kerberos pre-auth Bruteforcing

Kerbrute has three main commands:

  • bruteuser – Bruteforce a single user’s password from a wordlist.This is a traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy.
  • bruteforce – Read username:password combos from a file or stdin and test them. It will skip any blank lines or lines with blank usernames/passwords.
  • passwordspray – Test a single password against a list of users. Kerbrute will perform a horizontal brute force attack against a list of domain users. This is useful for testing one or two common passwords when you have a large list of users.
  • usernenum – Enumerate valid domain usernames via Kerberos. To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists and we move on.

A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given the KDC will be looked up via DNS.

By default, Kerbrute is multithreaded and uses 10 threads. This can be changed with the -t option. Output is logged to stdout, but a log file can be specified with -o. By default, failures are not logged, but that can be changed with -v.

Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out, it will abort all threads to stop locking out any other accounts.

You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments