Active Directory Security Tool
Kerbrute
A powerful tool for performing Kerberos pre-authentication brute-forcing and user enumeration in Active Directory environments
$ ./kerbrute userenum -d domain.local users.txt
[+] VALID USERNAME: admin@domain.local
[+] VALID USERNAME: user@domain.local
$
// WHAT IS KERBRUTE
Understanding Kerbrute
Kerbrute is a powerful, open-source security tool developed by ropnop and written in Go. It’s specifically designed to exploit weaknesses in Kerberos pre-authentication within Windows Active Directory environments, making it an essential tool for penetration testers and red team operators.
Unlike traditional brute-force tools that use SMB or LDAP protocols, Kerbrute communicates directly with the Key Distribution Center (KDC) over port 88. This approach is significantly faster and allows for user enumeration without triggering account lockouts — a critical advantage during security assessments.
How Kerbrute Works
Kerbrute exploits the fact that Kerberos returns different error codes for valid vs. invalid usernames before authentication occurs. When a valid username is submitted, the KDC responds with "KDC_ERR_PREAUTH_REQUIRED" (pre-authentication needed), while invalid usernames return "KDC_ERR_C_PRINCIPAL_UNKNOWN" (principal unknown). This distinction enables rapid user enumeration.
10K+
Users/Second
Zero
Lockouts (Enum)
MIT
Open Source
// KEY FEATURES
Powerful Features
Kerbrute provides a comprehensive toolkit for Kerberos-based security testing
User Enumeration
Rapidly discover valid Active Directory usernames without triggering account lockouts. Kerbrute analyzes Kerberos pre-authentication responses (KDC_ERR_PREAUTH_REQUIRED vs KDC_ERR_C_PRINCIPAL_UNKNOWN) to identify existing accounts at speeds of 10,000+ usernames per second.
Password Spraying
Test a single password against thousands of accounts simultaneously using the 'passwordspray' module. This technique minimizes detection risk while identifying accounts using common or weak passwords like 'Summer2024!' or 'CompanyName123'.
Brute Force Attacks
Execute targeted brute-force attacks against specific high-value accounts with the 'bruteuser' module. Customize thread counts, delays, and wordlists for optimal performance while respecting lockout thresholds.
Lightning Fast Performance
Built in Go with native goroutine concurrency, Kerbrute dramatically outperforms Python and Ruby alternatives. Multi-threaded architecture with configurable thread pools (-t flag) enables testing thousands of credentials per second.
Cross-Platform Support
Pre-compiled binaries available for Windows (x86/x64), Linux, and macOS. Zero dependencies required — just download and execute. Build from source using 'go build' or 'make' for custom deployments.
AS-REP Roasting Discovery
Automatically identify accounts with Kerberos pre-authentication disabled during enumeration. These vulnerable accounts can be exploited for offline password cracking using tools like Hashcat or John the Ripper.
// INSTALLATION
Get Started Quickly
Kerbrute is easy to install and requires no dependencies. Choose your preferred installation method below.
Download Pre built Binary
The easiest method - download the compiled binary for your OS
# Visit the releases page and download
# Windows: kerbrute_windows_amd64.exe
# Linux: kerbrute_linux_amd64
# macOS: kerbrute_darwin_amd64
Build from Source
Compile Kerbrute yourself using Go
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
go build -o kerbrute .
Go Install
Install directly using Go package manager
go install github.com/ropnop/kerbrute@latest
// USAGE EXAMPLES
Command Reference
Learn how to use Kerbrute with practical examples for different attack scenarios
User Enumeration
Enumerate valid usernames from a wordlist
Command
$ ./kerbrute userenum -d domain.local --dc 10.0.0.1 users.txt
Output
2024/01/15 10:30:00 > Using KDC(s):
2024/01/15 10:30:00 > 10.0.0.1:88
2024/01/15 10:30:01 > [+] VALID USERNAME: admin@domain.local
2024/01/15 10:30:01 > [+] VALID USERNAME: jsmith@domain.local
2024/01/15 10:30:02 > [+] VALID USERNAME: svc_backup@domain.local
2024/01/15 10:30:02 > Done! Tested 1000 usernames in 2.345 seconds
Password Spraying
Test one password across multiple users
Command
$ ./kerbrute passwordspray -d domain.local --dc 10.0.0.1 users.txt 'Winter2024!'
Output
2024/01/15 10:35:00 > Using KDC(s):
2024/01/15 10:35:00 > 10.0.0.1:88
2024/01/15 10:35:01 > [+] VALID LOGIN: jsmith@domain.local:Winter2024!
2024/01/15 10:35:02 > Done! Tested 500 logins in 1.876 seconds
Brute Force Single User
Test multiple passwords against a single user
Command
$ ./kerbrute bruteuser -d domain.local --dc 10.0.0.1 passwords.txt admin
Output
2024/01/15 10:40:00 > Using KDC(s):
2024/01/15 10:40:00 > 10.0.0.1:88
2024/01/15 10:40:05 > [+] VALID LOGIN: admin@domain.local:P@ssw0rd123
2024/01/15 10:40:05 > Done! Tested 5000 passwords in 5.432 seconds
Common Options
-d, --domain Target domain--dc Domain controller IP-t, --threads Number of threads-o, --output Output file path-v, --verbose Verbose output--safe Safe mode (no lockouts)// ATTACK MODES
Attack Types
Kerbrute supports multiple attack vectors for different penetration testing scenarios
- No account lockouts
- Very fast
- Stealthy
- Requires network access
- May be logged
- Avoids lockouts
- High success rate
- Slow
- Detectable
- Focused
- Fast
- Lockout risk
- Noisy
- Complete coverage
- Automated
- Very slow
- Risky
// USE CASES
Real World Applications
Kerbrute is used by security professionals across various industries and scenarios
Penetration Testing Engagements
Security consultants leverage Kerbrute during authorized penetration tests to rapidly enumerate valid AD users and identify accounts with weak passwords. It's typically used in the initial access phase to establish foothold credentials before lateral movement.
Red Team Operations
Advanced red teams use Kerbrute for stealthy credential attacks that simulate real-world adversaries. The tool's ability to perform user enumeration without lockouts mimics techniques used by APT groups like APT29 and FIN7.
Internal Security Assessments
Organizations proactively test their own Active Directory security posture using Kerbrute. This identifies weak passwords and policy violations before actual attackers can exploit them, supporting continuous security improvement.
Cybersecurity Training & Labs
Educational institutions and training providers use Kerbrute in controlled lab environments to teach Kerberos authentication concepts, attack methodologies, and defensive strategies. Popular in OSCP, HTB, and corporate training.
Bug Bounty Programs
When explicitly authorized and in-scope, bug bounty hunters may use Kerbrute techniques against enterprise targets. However, most public programs exclude Active Directory from scope — always verify authorization first.
Compliance & Audit Testing
Compliance auditors verify password policy enforcement by testing for commonly used passwords across the organization. This supports SOC 2, PCI-DSS, and HIPAA requirements for password complexity and management.
// PREREQUISITES
System Requirements
Ensure you meet these requirements before running Kerbrute
Network Access
Direct network connectivity to the target Domain Controller on port 88 (Kerberos)
Target Domain
Know the target Active Directory domain name (e.g., corp.local)
Wordlists
Username and/or password wordlists appropriate for the target organization
Time Sync
System clock should be synchronized with the domain (within 5 minutes)
Authorization Required
Only use Kerbrute against systems you have explicit written permission to test
Detection Risk
Modern SIEM and EDR solutions can detect Kerbrute activity. Plan accordingly.
// DEFENSE STRATEGIES
Detection & Prevention
Understanding how to detect and defend against Kerbrute-style attacks is crucial for blue team operations.
Smart Lockout Policies
Configure Azure AD Smart Lockout or on-prem fine-grained password policies. Set thresholds (e.g., 5 failures, 30-minute lockout) that balance security with user experience. Consider observation windows to prevent slow attacks.
Kerberos Traffic Monitoring
Deploy SIEM rules (Splunk, Sentinel) to detect anomalous AS-REQ volumes. Alert on Event IDs 4768 (TGT requests) and 4771 (pre-auth failures) from single sources. Normal users rarely generate 100+ requests per minute.
Enforce Pre Authentication
Audit all accounts for the 'Do not require Kerberos preauthentication' flag. Remove this setting from all users except those with documented exceptions. This prevents AS-REP Roasting attacks entirely.
Honeypot Accounts
Create decoy accounts with attractive names (e.g., 'admin_backup', 'svc_sql') that should never be used. Alert immediately on any authentication attempt. Any Kerbrute scan will hit these and trigger detection.
Azure AD Password Protection
Deploy Microsoft's password protection for on-prem AD. Blocks over 1 million known bad passwords and custom banned words. Prevents users from choosing passwords that Kerbrute attacks commonly test.
Regular Credential Audits
Proactively run authorized Kerbrute scans against your own environment quarterly. Identify weak passwords before attackers do. Combine with tools like Hashcat for comprehensive password policy testing.
// TOOL COMPARISON
How Kerbrute Compares
See how Kerbrute stacks up against other popular Active Directory testing tools
| Feature | Kerbrute | Rubeus | Hydra | CrackMapExec |
|---|---|---|---|---|
| Speed | Excellent | Good | Good | Moderate |
| User Enumeration | ✓ | ✓ | ✕ | ✓ |
| Password Spraying | ✓ | ✓ | ✓ | ✓ |
| Brute Force | ✓ | ✓ | ✓ | ✓ |
| Cross-Platform | ✓ | ✕ | ✓ | ✓ |
| Lockout Safe | ✓ | ✓ | ✕ | ✕ |
| Stealthy | ✓ | ✕ | ✕ | ✕ |
Why Choose Kerbrute?
Kerbrute excels in scenarios where speed and stealth are critical. Its Kerberos-native approach means user enumeration does not trigger traditional authentication logs, and proper usage avoids account lockouts entirely. The Go-based implementation ensures excellent performance across all platforms without dependencies.
// FREQUENTLY ASKED QUESTIONS
Kerbrute FAQ
Comprehensive answers to the most common questions about Kerbrute, Kerberos attacks, and Active Directory security
What is Kerbrute and what is it used for?
Kerbrute is an open-source security tool written in Go that exploits Kerberos pre-authentication to perform user enumeration and password attacks against Active Directory environments. It’s primarily used by penetration testers, red teamers, and security professionals during authorized security assessments to identify weak credentials and vulnerable accounts without triggering account lockouts.
Is Kerbrute legal to use?
Kerbrute is legal to use only when you have explicit written authorization from the organization that owns the target systems. Using Kerbrute against systems without permission is illegal and can result in criminal charges. Always ensure you have proper authorization, such as a signed penetration testing agreement, before using this tool.
How does Kerbrute avoid account lockouts?
Kerbrute exploits a behavior in Kerberos pre-authentication where the domain controller returns different error messages for valid vs. invalid usernames BEFORE the actual authentication attempt. This means user enumeration doesn’t increment the failed login counter. However, password spraying and brute-force attacks DO count as login attempts, so careful timing and password selection is crucial.
What is the difference between password spraying and brute force in Kerbrute?
Password spraying tests one password against many accounts (e.g., testing ‘Password123’ against 1000 users), which is stealthier and less likely to trigger lockouts. Brute force testing tries many passwords against a single account, which is faster but more likely to lock out that account. Choose based on your engagement objectives and the target’s lockout policies.
How do I install Kerbrute on my system?
Kerbrute can be installed in multiple ways: 1) Download pre-compiled binaries from the GitHub releases page for Windows, Linux, or macOS. 2) Build from source using ‘go get github.com/ropnop/kerbrute’ and ‘go build’. 3) Clone the repository and use ‘make’ to compile for multiple platforms. The binary is standalone and requires no additional dependencies.
What ports does Kerbrute use and do I need network access?
Kerbrute communicates with domain controllers over Kerberos (TCP/UDP port 88). You need direct network access to the target domain controller. This typically means you need to be on the internal network, connected via VPN, or have a pivot through a compromised host. Kerbrute cannot work through HTTP proxies.
How fast is Kerbrute compared to other tools?
Kerbrute is significantly faster than traditional tools like Hydra or Medusa because it’s written in Go with native concurrency support and uses the lightweight Kerberos protocol instead of SMB/LDAP. It can test thousands of usernames per second depending on network conditions. The -t flag controls thread count (default 10, can be increased for faster speeds).
What wordlists should I use with Kerbrute?
For user enumeration, use lists of common usernames, names from OSINT (LinkedIn, company website), or generated lists based on naming conventions (john.smith, jsmith, john_smith). For password spraying, use seasonally-relevant passwords (Summer2024!), company-related passwords, or common patterns. SecLists and the Probable Wordlists projects are excellent resources.
Can Kerbrute detect accounts with pre-authentication disabled?
Yes! When Kerbrute encounters an account that doesn’t require pre-authentication, it returns a different response. These accounts are vulnerable to AS-REP Roasting attacks where you can request an encrypted TGT and crack it offline. Use Kerbrute with tools like Rubeus or Impacket’s GetNPUsers.py to exploit these findings.
How can I make Kerbrute attacks more stealthy?
To increase stealth: 1) Reduce thread count with -t 1 or -t 2 for slower, less detectable attacks. 2) Use the –delay flag to add time between requests. 3) Spread password spraying across hours or days. 4) Avoid common passwords that might be in blocklists. 5) Target specific high-value accounts rather than the entire domain.
What are the main differences between Kerbrute and Rubeus?
Kerbrute is designed for external attacks (user enumeration and password testing) and runs on any platform. Rubeus is a Windows-only post-exploitation tool with broader Kerberos attack capabilities including ticket manipulation, Kerberoasting, and delegation attacks. They’re complementary: use Kerbrute for initial access/discovery and Rubeus once you have a foothold.
How do I defend my organization against Kerbrute attacks?
Defense strategies include: 1) Enable Kerberos logging (Event IDs 4768, 4771). 2) Monitor for high volumes of AS-REQ from single IPs. 3) Ensure all accounts require pre-authentication. 4) Implement smart lockout policies. 5) Use Azure AD Password Protection for on-prem AD. 6) Deploy honeypot accounts to detect enumeration. 7) Enforce strong, unique passwords.
What error messages does Kerbrute analyze?
Kerbrute analyzes KDC error codes: KDC_ERR_PREAUTH_REQUIRED means the user exists but needs pre-auth (valid user). KDC_ERR_C_PRINCIPAL_UNKNOWN means the user doesn’t exist. KDC_ERR_PREAUTH_FAILED means wrong password for a valid user. KDC_ERR_KEY_EXPIRED means the password is expired. Each error reveals information about the account status.
Can Kerbrute be used against Azure AD or cloud environments?
Kerbrute is designed for on-premises Active Directory using traditional Kerberos. It cannot directly attack Azure AD or Microsoft 365. For cloud environments, different tools and techniques are needed, such as password spraying against OAuth endpoints. However, hybrid environments with AD Connect may still be vulnerable through on-prem domain controllers.
What should I include in my Kerbrute penetration testing report?
Include: 1) Methodology used (enumeration, spraying, brute-force). 2) Number of valid usernames discovered. 3) Compromised credentials (sanitized). 4) Accounts without pre-auth enabled. 5) Evidence/screenshots of successful attacks. 6) Recommendations for remediation. 7) Risk ratings based on sensitivity of compromised accounts. 8) Detection gaps identified.