Kerbrute

What is Kerbrute used for in cybersecurity?

Kerbrute is a robust open-source command-line utility built for brute-forcing and enumerating Active Directory accounts through Kerberos pre-authentication. Created by security researcher Ronnie Flathers (@ropnop on GitHub), this Go-based tool identifies valid usernames and tests credentials very quickly, without relying on slower methods such as SMB or LDAP queries. Security professionals use Kerbrute during penetration testing engagements to map out domain user bases, simulate password spraying campaigns, and expose weak configurations in enterprise environments built on Microsoft Active Directory. Its appeal lies in its minimal network footprint (a single UDP packet per attempt), which makes it stealthier than traditional tools while still generating artifacts that blue teams can hunt for.

Organizations face escalating threats from credential abuse in Active Directory, where Kerberos is the backbone of ticket-based authentication across Windows domains. Kerbrute exploits a nuance of the Kerberos AS-REQ exchange: a request for a non-existent user draws a “KRB-ERROR: PRINCIPAL UNKNOWN” response, while a request for a valid user draws a demand for pre-authentication data, so userenum mode confirms which accounts exist without causing lockouts. Penetration testers integrate it into red team operations for rapid reconnaissance, often chaining its output with tools like CrackMapExec or BloodHound to find deeper exploitation paths. Analyses published by Securonix in 2025 highlight its persistence in real-world attacks and urge defenders to monitor for anomalous patterns in domain controller logs.

Kerberos Authentication Basics

How Kerberos Works in Active Directory

The Kerberos v5 protocol orchestrates secure authentication in Active Directory realms through symmetric-key cryptography and time-limited tickets. A client sends an AS-REQ to the Authentication Service (AS) within the KDC to obtain a TGT, proving knowledge of a key derived from the salted password hash. Upon validation, the AS issues an encrypted TGT valid for about 10 hours, renewable up to the maximum ticket lifetime configured via Group Policy. Subsequent TGS-REQ exchanges yield service tickets for resource access, with mutual authentication so that services can validate client identities via the TGT. This three-party exchange (AS, Ticket Granting Service (TGS), and service) minimizes credential transmission, reducing exposure in hybrid cloud/on-premises setups.

Domain controllers hosting the KDC role process thousands of requests a day, logging successes as Event ID 4768 and failures as 4771 when auditing is enabled under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration. Pre-authentication requires clients to prove password knowledge up front with PA-ENC-TIMESTAMP, thwarting offline dictionary attacks unless it is explicitly disabled per user via the UserAccountControl flag UF_DONT_REQUIRE_PREAUTH (0x400000). Modern deployments favor AES256-CTS-HMAC-SHA1-96 over legacy RC4-HMAC in etype negotiation, in line with Microsoft’s deprecation timeline that extends beyond 2025.

Attackers target AS exchanges for reconnaissance, as Kerbrute crafts minimal AS-REQ packets over UDP/88 or TCP, parsing KRB-ERROR tags for principal validation without full handshakes.

Key Components of Kerberos Protocol

Core entities include the client principal (user@REALM), KDC split into AS and TGS, and service principals (SPNs like host/dc.domain.com). Symmetric keys derive from user NTLM hashes via PBKDF2 with 16-byte salts (unicode uppercase username), enabling replay protection via timestamps and nonces within 5-minute skew tolerances. Tickets encapsulate session keys, PAC structures with user SIDs/groups, and authorization data, signed by the KDC for integrity.

Encryption suites have evolved: DES has been obsolete since Windows Server 2008, and RC4 is being phased out by 2025 per NIST guidelines in favour of AES-CMAC. Realm trusts extend cross-domain access, with unconstrained delegation (TRUSTED_FOR_DELEGATION) posing lateral movement risks. The nonce and padata fields in AS-REQ carry etype info requests (KRB5KDC_ERR_PREAUTH_REQUIRED), which are crucial to Kerbrute’s differentiation logic.

Protocol messages adhere to RFC 4120, with extensions like FAST for armored pre-auth against pass-the-ticket abuse, increasingly audited in enterprise baselines.

Common Kerberos Vulnerabilities

Weak master keys from default krbtgt hashes enable Golden Ticket forgeries lasting 10 years, mitigated by Microsoft’s 2025 rotation recommendations. AS-REP roasting exploits preauth-disabled users (GetNPUsers.py or Rubeus asreproast), yielding crackable hashes offline via Hashcat on GPUs. Silver Tickets forge TGS without KDC interaction, while Kerberoasting targets SPN-registered service accounts with RC4-weak keys.

Disabled pre-auth on user objects, queryable in PowerShell with Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}, invites enumeration floods. Legacy etypes allow downgrade attacks (--downgrade in Kerbrute), forcing arcfour-hmac-md5. Insufficient log retention obscures spikes, and Event IDs 4769 (TGS requested) and 4624 (successful logon) are easily overlooked in noisy environments.

Over-permissive delegation flags like RESOURCE_BASED_CONSTRAINED_DELEGATION amplify post-compromise persistence.

Core Features of Kerbrute Tool

Multithreading and Performance Optimization

Kerbrute defaults to 10 concurrent threads (-t 10), saturating UDP/88 with thousands of requests per second on gigabit links and outpacing Python Impacket scripts by 5-10x thanks to Go’s goroutines. Adjust the count with the -t flag, capping it at network limits to evade IDS rate-limiting; the recent v1.0.3 release adds --delay (in milliseconds) for paced operation, inserting jitter between AS-REQ bursts.

Cross-compilation yields static binaries (e.g., kerbrute_linux_amd64), no dependencies beyond glibc, enabling air-gapped drops. Benchmarks from HackingArticles.in show 500 users enumerated in under 5 seconds against Windows Server 2022 DCs.

Go’s net.Dialer handles async I/O, minimizing latency in hybrid IPv4/IPv6 domains.

Safe Mode and Lockout Prevention

The --safe flag monitors KRB-ERROR responses for SMARTCARD_REQUIRED or CLIENT_REVOKED status (indicating lockouts) and halts the run to preserve testing integrity. It is critical for passwordspray and bruteuser, where each bad password increments badPwdCount against Fine-Grained Password Policies (thresholds such as 5 failures per 15 minutes).

Verbose -v logging shows lockout indicators (“Account Locked Out”, parsed from error code 0x19). Raxis pentesters recommend combining it with domain password policy queries (netexec smb dc --pass-pol) to tune threads and delays.

This prevents accidental DoS during engagements, auto-aborting on the first locked principal.

Output and Logging Capabilities

  • Timestamped verbose logs: -v details KDC responses and the etypes offered (e.g., aes256-cts-hmac-sha1-96).
  • Hash capture in brute modes: --hash-file saves AS-REP roasts for JohnTheRipper.
  • Stdin support: pipe wordlists dynamically, e.g., wfuzz -c 1 -w names.txt | ./kerbrute userenum.

GitHub issues highlight the -o append mode for resumable scans.

How Kerbrute Performs User Enumeration

The Userenum Command Explained

./kerbrute userenum --dc dc-ip -d domain.com users.txt sends unauthenticated AS-REQs (PA-NONE), distinguishing invalid users (KDC_ERR_C_PRINCIPAL_UNKNOWN) from valid ones (KDC_ERR_PREAUTH_REQUIRED). No bad-login counts accrue, so it is safe for large lists (e.g., /usr/share/wordlists/dirb/common.txt or the statistically-likely-usernames repo).

Specify --dc 10.10.10.10 or let it auto-resolve via the DNS SRV record _kerberos._udp.domain.com. The threshold -r 50% skips noisy responses below that confidence.

HackTheBox forums note 90%+ accuracy on Windows Server 2019+.

Practical Usage Scenarios

Pentesters seed users.txt from OSINT (LinkedIn scrapes, HaveIBeenPwned), seeing 20-30% hit rates in mid-sized domains. Chain with nmap -p 88,389 --script krb5-enum-users; the Securonix 2025 report details real breaches that started here.

In CTFs like TryHackMe’s AttacktiveDirectory, it enumerates 50+ users in seconds, feeding evil-winrm logins. A RaxisOne post on X praises its low footprint for internal pivots after a phish.

Combine outputs with ldapsearch for group membership recon.

Advanced Enumeration Techniques

Target AS-REP roasters by filtering for preauth-disabled accounts: kerbrute userenum --dc dc --no-preauth users.txt. DNS mode resolves multiple KDCs (--dc-all) for HA clusters.

  • Pipe from rpcclient enumdomusers or windapsearch for hybrid sprays.
  • Custom realms via -d sub.domain.com for child domains.
  • IPv6 support auto-negotiates ::53 lookups.

2025 updates include LDAPS fallback, per @sikumy SpearSpray inspirations.

Password Spraying and Brute-Force Attacks with Kerbrute

Passwordspray Command Overview

./kerbrute passwordspray --dc dc -d domain users.txt Summer2025! tests one password across all users, spacing attempts beyond the lockout window (e.g., 1 per minute per policy). This horizontal attack evades vertical brute-force thresholds and is ideal for commonly leaked passwords like Password123.

It triggers 4768/4771 logs; --safe aborts on lockouts. Raxis benchmarks: 1200 users in 6 s, but throttle with -t 1 --delay 1000 for opsec.

Common payloads: CompanyName1!, Welcome2025, per rockyou2024 statistics.

Bruteuser and Bruteforce Modes

bruteuser targets a single account: ./kerbrute bruteuser --dc dc -d domain targetuser passwords.txt. bruteforce parses user:pass combinations (one per line) from a file or stdin, e.g., piped from wfuzz.

  • Risk mitigations: --safe, a low -t, and monitoring for 4771 spikes.
  • Hash exports: captures AS-REPs for offline cracking (hashcat -m 18200).
  • Etype forcing: --downgrade rc4 for legacy DCs.

Event IDs 4768 (request), 4771 (failure), 4624 (successful hit); posts on X warn of the SIEM anomalies these create.

Best Practices for Ethical Testing

Obtain rules of engagement (ROE) that specify no lockouts, and query the policy first (net user /domain policyuser). Distribute attempts over days with --delay randomization.

  • Wordlist curation: rockyou plus custom patterns (Season!Year) from OSINT leaks.
  • Proxy chaining: tsocks or proxychains for external tests.
  • Post-spray chaining: valid creds into BloodHound (SharpHound collection) for attack paths.

HackTricks.xyz outlines PSO-aware spraying, avoiding admin OUs.

Comparison with Other Kerberos Tools

Kerbrute vs. Rubeus

Rubeus (C#/.NET) thrives natively on Windows for ticket manipulation (asktgt, harvest, triage), supporting overpass-the-hash and S4U. Kerbrute has the edge in cross-platform speed and portability, with no AV hits on Linux pivots; it lacks ticket operations but excels at recon.

Rubeus’s verbose triage monitors 4768 events in real time; Kerbrute’s minimal dependencies (a single binary) suit Cobalt Strike beacons. Medium posts from 2025 report Kerbrute enumerating 3x faster.

Kerbrute vs. Impacket Scripts

Impacket’s Python scripts GetNPUsers.py and GetUserSPNs.py offer AS-REP roasting and Kerberoasting with secretsdump integration, but with slower multithreading and pip dependencies. Kerbrute’s Go efficiency shines in headless use; Impacket is more versatile, e.g., for DCSync.

No Python REPL is needed; GitHub forks note that Kerbrute evades EDR better without an interpreter. 2025 comparisons favor Kerbrute for initial recon and Impacket for exploitation.

When to Choose Kerbrute

Prioritize Kerbrute for UDP-speed enumeration in time-boxed pentests, and fall back to Rubeus in monitored domains. Pair it with NetExec (the CrackMapExec successor) for SMB confirmation.

Threads on X (@DirectoryRanger) highlight how Kerbrute exploits a blind spot compared with logged NTLM tools.

Detection and Mitigation Strategies for Kerbrute Attacks

Monitoring Kerberos Event Logs

Enable Kerberos auditing (Group Policy: Audit Kerberos Authentication Service) and baseline the volumes of 4768 (TGT requested; FailureReason=0x17 unknown principal) and 4771 (pre-auth failure). Sigma rules flag >200 4771 events/min from one source IP, or 4768:4771 ratios above 95% failures across users (Securonix UEBA).

A SIEM query such as index=win logs | stats dc(EventID) by SrcIP | where EventID IN (4768,4771) > threshold surfaces the pattern; Splunk analytics correlate non-existent principals (Status 0xC0000064).

Hunt AS-REQ floods via Zeek Kerberos logs (krb5 records).
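The two heuristics above (a burst of unknown principals from one source, and a near-total failure ratio spread across many users) can be checked offline before they are turned into a Sigma rule or SIEM search. The following added Python example, not from the article or its sources, parses a constructed set of 4768/4771 records (a simplified key=value rendering of the Windows event fields; the ::ffff: IPv4-mapped address form Windows logs is handled) and evaluates both rules per source IP and per one-minute window. The parse, detect and run_sample functions, the line format, and the sample events are assumptions of the example; the default thresholds are deliberately lower than the production figures quoted above so that the small sample trips them.

```python
"""Detect Kerbrute-style enumeration and spraying in DC Kerberos audit events.

Added example, not Kerbrute's code and not from the article's sources. The
event lines are constructed; thresholds are parameters of detect().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Result Code values (RFC 4120 error codes) as they appear in the events
STATUS_OK = 0x0
STATUS_UNKNOWN_PRINCIPAL = 0x6   # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such user
STATUS_CLIENT_REVOKED = 0x12     # KDC_ERR_CLIENT_REVOKED: locked out / disabled
STATUS_PREAUTH_FAILED = 0x18     # KDC_ERR_PREAUTH_FAILED: wrong password (4771)

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample: 10.0.0.5 walks a wordlist (only unknown principals),
# 10.0.0.7 tries one password per existing user and trips frank's lockout,
# 10.0.0.20 is an ordinary workstation with a single typo.
SAMPLE_EVENTS = """\
2025-03-01T09:00:00Z EventID=4768 TargetUserName=jdoe IpAddress=10.0.0.5 Status=0x6
2025-03-01T09:00:00Z EventID=4768 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0x6
2025-03-01T09:00:01Z EventID=4768 TargetUserName=admin IpAddress=10.0.0.5 Status=0x6
2025-03-01T09:00:01Z EventID=4768 TargetUserName=test IpAddress=10.0.0.5 Status=0x6
2025-03-01T09:00:02Z EventID=4768 TargetUserName=backup IpAddress=10.0.0.5 Status=0x6
2025-03-01T09:00:02Z EventID=4768 TargetUserName=svc_sql IpAddress=10.0.0.5 Status=0x6
2025-03-01T09:05:10Z EventID=4771 TargetUserName=alice IpAddress=10.0.0.7 Status=0x18
2025-03-01T09:05:11Z EventID=4771 TargetUserName=bob IpAddress=10.0.0.7 Status=0x18
2025-03-01T09:05:12Z EventID=4771 TargetUserName=carol IpAddress=10.0.0.7 Status=0x18
2025-03-01T09:05:13Z EventID=4771 TargetUserName=dave IpAddress=10.0.0.7 Status=0x18
2025-03-01T09:05:14Z EventID=4771 TargetUserName=erin IpAddress=10.0.0.7 Status=0x18
2025-03-01T09:05:15Z EventID=4768 TargetUserName=frank IpAddress=10.0.0.7 Status=0x12
2025-03-01T09:10:00Z EventID=4768 TargetUserName=alice IpAddress=::ffff:10.0.0.20 Status=0x0
2025-03-01T09:10:05Z EventID=4771 TargetUserName=alice IpAddress=::ffff:10.0.0.20 Status=0x18
2025-03-01T09:10:09Z EventID=4768 TargetUserName=alice IpAddress=::ffff:10.0.0.20 Status=0x0
"""


def parse(lines):
    """Turn event lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip = m["ip"]
        if ip.startswith("::ffff:"):          # IPv4-mapped form Windows logs
            ip = ip[len("::ffff:"):]
        records.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "eid": int(m["eid"]),
            "user": m["user"].lower(),
            "ip": ip,
            "status": int(m["status"], 16),
        })
    return records


def detect(records, window=timedelta(minutes=1), enum_min_unknown=5,
           spray_min_users=5, fail_ratio=0.95):
    """Per source IP and per tumbling window, flag enumeration (many distinct
    unknown principals with a near-total failure ratio) and spraying (many
    distinct existing users, each failing pre-auth only once or twice)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        buckets = defaultdict(list)
        for r in recs:
            buckets[int((r["ts"] - recs[0]["ts"]) / window)].append(r)
        for idx, bucket in sorted(buckets.items()):
            unknown = {r["user"] for r in bucket
                       if r["eid"] == 4768 and r["status"] == STATUS_UNKNOWN_PRINCIPAL}
            preauth_fails = defaultdict(int)
            for r in bucket:
                if r["eid"] == 4771 and r["status"] == STATUS_PREAUTH_FAILED:
                    preauth_fails[r["user"]] += 1
            locked = sorted({r["user"] for r in bucket if r["status"] == STATUS_CLIENT_REVOKED})
            ratio = sum(r["status"] != STATUS_OK for r in bucket) / len(bucket)
            if len(unknown) >= enum_min_unknown and ratio >= fail_ratio:
                findings.append({"ip": ip, "window": idx, "type": "user_enumeration",
                                 "unknown_principals": len(unknown), "fail_ratio": round(ratio, 2)})
            if len(preauth_fails) >= spray_min_users and max(preauth_fails.values()) <= 2:
                findings.append({"ip": ip, "window": idx, "type": "password_spray",
                                 "users_targeted": len(preauth_fails), "locked_out": locked})
    return findings


def run_sample():
    return detect(parse(SAMPLE_EVENTS.splitlines()))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run as-is it reports one user_enumeration finding for 10.0.0.5 and one password_spray finding for 10.0.0.7 (with frank listed as locked out), and nothing for the workstation, whose single 4771 is normal user error. The spray rule keys on breadth (many users, each failing once or twice) rather than depth, which is exactly what distinguishes a horizontal spray from a user mistyping a password several times; in production, raise enum_min_unknown and spray_min_users toward the figures quoted above and feed the records from the SIEM rather than the inline sample.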

Implementing Strong Security Policies

Enforce 14+ character passwords via Fine-Grained PSOs (prioritizing admin OUs) and lockouts after 10+ bad attempts in 15 minutes. Audit and eliminate pre-auth-disabled accounts: Get-ADUser -Filter * -Prop DoesNotRequirePreAuth | ?{$_.DoesNotRequirePreAuth}.

Disable RC4 (SupportedEncryptionTypes set to 24 decimal, i.e., AES128 and AES256 only) and mandate AES256. LAPS rotates local admin passwords; PTA blocks legacy auth.

2025 Microsoft baselines: put Domain Admins in the Protected Users group and allow no delegation.

Network and Behavioral Defenses

Segment KDC ports (88/UDP and TCP, 445/SMB) with firewalls and rate-limit to 10 requests/sec per source. EDR blocks unsigned binaries (AmsiScanBuffer for Rubeus, process creation of kerbrute.exe); behavioral detection flags anomalous UDP/88 traffic from workstations.

Deception: canary tokens seeded into enumeration wordlists; Zscaler/ZTNA proxies Kerberos. Securonix posts on X detail ML baselines that flag sprays.

Conclusion

Kerbrute revolutionizes Active Directory pentesting by accelerating Kerberos-based user enumeration and credential attacks with unmatched efficiency and portability. Its Go architecture, safe mode, and precise command suite (userenum, passwordspray, bruteuser) equip red teams to mirror advanced persistent threats, exposing brittle authentication postures ripe for exploitation.
