Enumerating Users with Kerbrute

Introduction

Kerbrute is a popular tool for enumerating valid Active Directory users, and for brute-forcing them, by abusing Kerberos pre-authentication.


Abusing Pre-Authentication Overview

By brute-forcing Kerberos pre-authentication, you do not trigger the "account failed to log on" event, which can throw up red flags to blue teams. When brute-forcing through Kerberos, you only need to send a single UDP frame to the KDC, which lets you enumerate the users on the domain from a wordlist.
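What a blue team can watch for instead, as an added example that is not part of the original page: with Kerberos Authentication Service auditing enabled on the domain controller, a ticket request for a nonexistent account is logged as Event ID 4768 with result code 0x6, so one source requesting many unknown names in a short span stands out. The CSV layout, function names, thresholds and sample events below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Assumed export layout (not a native Windows format):
# timestamp,event_id,client_ip,account_name,result_code
SAMPLE_EVENTS = """\
2024-01-10T09:00:01,4768,10.0.0.50,jsmith,0x6
2024-01-10T09:00:01,4768,10.0.0.50,admin1,0x6
2024-01-10T09:00:02,4768,10.0.0.50,backup,0x6
2024-01-10T09:00:02,4768,10.0.0.50,svc-sql,0x6
2024-01-10T09:00:03,4768,10.0.0.50,helpdesk,0x6
2024-01-10T09:00:03,4768,10.0.0.50,testuser,0x6
2024-01-10T09:05:10,4768,10.0.0.21,alice,0x0
2024-01-10T09:06:40,4768,10.0.0.21,alcie,0x6
2024-01-10T09:07:02,4768,10.0.0.33,bob,0x0
"""

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account

def parse(text):
    """Yield (time, client_ip, account, result_code) for each 4768 record."""
    for line in text.strip().splitlines():
        ts, event_id, ip, account, code = line.split(",")
        if event_id == "4768":
            yield datetime.fromisoformat(ts), ip, account.lower(), code.lower()

def find_enumeration(text, threshold=5, window_s=60):
    """Return {client_ip: n} where n is the most distinct unknown account
    names that source requested within any window_s-second span, keeping
    only sources with n >= threshold (hypothetical defaults; tune per site)."""
    by_ip = defaultdict(list)
    for ts, ip, account, code in parse(text):
        if code == UNKNOWN_PRINCIPAL:
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits in window_s.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({a for _, a in hits[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_EVENTS))
```

The single mistyped name from 10.0.0.21 stays below the threshold; only the source cycling through many nonexistent names is returned.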


Kerbrute Installation

  1. Download a precompiled binary for your OS - https://github.com/ropnop/kerbrute/releases

  2. Rename kerbrute_linux_amd64 to kerbrute

  3. chmod +x kerbrute - make kerbrute executable


Enumerating Users with Kerbrute

Enumerating users allows you to know which user accounts are on the target domain and which accounts could potentially be used to access the network.

  1. cd into the directory where you put Kerbrute

  2. Download the wordlist to enumerate with here

  3. ./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt - This will brute force user accounts from a domain controller using a supplied wordlist
