Enumerating Users with Kerbrute
Kerbrute is a popular tool used to brute-force and enumerate valid Active Directory users by abusing Kerberos pre-authentication.
Brute-forcing through Kerberos pre-authentication does not trigger the "account failed to log on" event, which can raise red flags for blue teams. Each guess takes only a single UDP frame sent to the KDC, which lets you enumerate the users on the domain from a wordlist.
Download a precompiled binary for your OS - https://github.com/ropnop/kerbrute/releases
Rename kerbrute_linux_amd64 to kerbrute
chmod +x kerbrute - make kerbrute executable
Enumerating users allows you to know which user accounts are on the target domain and which accounts could potentially be used to access the network.
cd into the directory where you put Kerbrute
Download the wordlist to enumerate with
./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt - This will brute-force user accounts from a domain controller using a supplied wordlist
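What this enumeration does leave on the domain controller, shown as an added detection example that is not part of the original page or of Kerbrute: when Kerberos Authentication Service auditing is enabled, a ticket request for a nonexistent user is logged as event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The comma-separated record layout, the sample values, the 60-second window and the threshold of 5 are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Assumed export format:
# time,event_id,account_name,client_address,result_code
SAMPLE = """\
2024-05-01T10:00:00,4768,alice,10.0.0.15,0x0
2024-05-01T10:00:01,4768,admin1,10.0.0.99,0x6
2024-05-01T10:00:01,4768,backup,10.0.0.99,0x6
2024-05-01T10:00:01,4768,svc-sql,10.0.0.99,0x6
2024-05-01T10:00:02,4768,helpdesk,10.0.0.99,0x6
2024-05-01T10:00:02,4768,jsmith,10.0.0.99,0x6
2024-05-01T10:07:00,4768,alcie,10.0.0.15,0x6
"""
PRINCIPAL_UNKNOWN = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN

def parse(text):
    """Yield (time, source, account) for each 4768 record with result code 0x6."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5 or fields[1] != "4768":
            continue  # blank, malformed or unrelated record
        when, _, account, source, code = fields
        try:
            if int(code, 16) == PRINCIPAL_UNKNOWN:
                yield datetime.fromisoformat(when), source, account.lower()
        except ValueError:
            continue  # unparsable timestamp or result code

def find_enumeration(text, window=timedelta(seconds=60), threshold=5):
    """Return {source: names} for each source that asked for at least
    `threshold` distinct unknown accounts within one sliding window."""
    by_source = defaultdict(list)
    for when, source, account in parse(text):
        by_source[source].append((when, account))
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) >= threshold:
                flagged[source] = sorted(names)
                break
    return flagged

print(find_enumeration(SAMPLE))
```

A single mistyped username from a workstation (the `alcie` record) stays below the threshold, while the burst of distinct unknown names from one address is reported.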