Kerbrute

Kerbrute takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts. This method does not generate Windows event ID 4625 (An account failed to log on), the logon failure event that is often monitored for.

How does it work?

Basically, the tool sends TGT requests to the domain controller without Kerberos Pre-Authentication to perform username enumeration. If the KDC responds with the error PRINCIPAL UNKNOWN, the username is invalid. Whenever the KDC prompts for Kerberos Pre-Authentication, this signals that the username exists, and the tool will mark it as valid.

This method of username enumeration does not cause logon failures and will not lock out accounts.

# Requirements: having Go installed
sudo git clone https://github.com/ropnop/kerbrute.git

# Typing make help will show us the compiling options available.
cd kerbrute
make help

# Running make all compiles one binary each for Linux, Windows, and Mac systems (an x86 and x64 version for each).
sudo make all

# The newly created dist directory will contain our compiled binaries.
ls -la dist
#############
# FOR LINUX
#############

# Add the tool to our PATH to make it accessible from anywhere on the host. First, check which directories are in the PATH
echo $PATH

# and then move the binary into one of them, for instance
sudo mv dist/kerbrute_linux_amd64 /usr/local/bin/kerbrute



#############
# FOR WINDOWS
#############
# Copy the file to the Windows pivoting machine
scp dist/kerbrute_windows_amd64.exe username@$ip:~/

Basic commands

# User enumeration 
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
# -d: domain
# --dc: domain controller
# -o: output file

# Password spraying attack with kerbrute
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

However, using Kerbrute for username enumeration will generate event ID 4768: A Kerberos authentication ticket (TGT) was requested. Defenders can tune their SIEM tools to look for an influx of this event ID.
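
One way to look for that influx, as an added example rather than code from Kerbrute or from the original notes: count how many distinct account names a single client address requests TGTs for inside a short sliding window. It assumes the 4768 events have been exported as one flat JSON object per line carrying EventID, TimeCreated, TargetUserName and IpAddress; that layout, the window, the threshold and the sample addresses are all assumptions to adapt to your own pipeline and baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed tuning value, adjust to your baseline
THRESHOLD = 10                  # assumed: distinct accounts per source inside WINDOW


def detect_enumeration(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak distinct-account count} for noisy 4768 sources."""
    events = []
    for line in filter(str.strip, lines):  # skip blank lines
        rec = json.loads(line)
        if rec.get("EventID") == 4768:  # ignore every other event type
            events.append((datetime.fromisoformat(rec["TimeCreated"]), rec))
    events.sort(key=lambda pair: pair[0])

    recent = defaultdict(deque)  # ip -> (timestamp, account) pairs still in the window
    flagged = {}
    for ts, rec in events:
        ip = rec["IpAddress"]
        if ip.startswith("::ffff:"):  # DCs log IPv4 clients as IPv4-mapped IPv6
            ip = ip[len("::ffff:"):]
        queue = recent[ip]
        queue.append((ts, rec["TargetUserName"].lower()))
        while ts - queue[0][0] > window:  # drop requests older than the window
            queue.popleft()
        distinct = len({account for _, account in queue})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def sample_events():
    """Constructed data: one host requests TGTs for 12 names in 12 s, one logs on normally."""
    base = datetime(2025, 1, 6, 9, 0, 0)
    rows = [{"EventID": 4768, "TimeCreated": (base + timedelta(seconds=i)).isoformat(),
             "TargetUserName": f"user{i:02d}", "IpAddress": "::ffff:172.16.5.225"}
            for i in range(12)]
    rows += [{"EventID": 4768, "TimeCreated": (base + timedelta(minutes=5 * i)).isoformat(),
              "TargetUserName": name, "IpAddress": "::ffff:172.16.5.130"}
             for i, name in enumerate(["asmith", "ASmith", "bjones"])]
    rows.append({"EventID": 4624, "TimeCreated": base.isoformat(),
                 "TargetUserName": "asmith", "IpAddress": "172.16.5.130"})
    return [json.dumps(row) for row in rows]


if __name__ == "__main__":
    print(detect_enumeration(sample_events()))
```

Counting distinct names rather than raw events keeps a busy workstation or application server, which requests many tickets for the same few accounts, below the threshold.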

Last update: 2025-01-06
Created: November 17, 2024 21:05:00