Kerbrute

How does Kerbrute perform Kerberos enumeration?

Kerberos stands as one of the most prevalent network authentication protocols in enterprise environments, especially within Microsoft Active Directory (AD) deployments. Originally developed by MIT in the 1980s, Kerberos provides secure, ticket-based authentication that avoids sending plaintext passwords over the network. It operates on the principle of mutual authentication between clients, servers, and a trusted third party known as the Key Distribution Center (KDC). In modern Windows domains, Kerberos serves as the primary authentication mechanism, replacing older protocols like NTLM in most scenarios. This widespread adoption makes understanding its inner workings essential for both offensive and defensive security practitioners.

Despite its robust design, Kerberos contains subtle behaviors that can be exploited for reconnaissance. One of the most powerful tools for exploiting these behaviors is Kerbrute, a lightweight, high-performance utility written in Go by Ronnie Flathers (known in the community as @ropnop). Kerbrute specializes in interacting with Kerberos services to enumerate valid usernames and conduct password attacks with minimal noise. Unlike conventional brute-force tools that hammer login endpoints and trigger account lockouts, Kerbrute takes advantage of specific Kerberos error messages and response patterns. This allows attackers to silently build lists of valid accounts before escalating to more aggressive techniques.

This article dives deep into the technical mechanisms behind Kerbrute’s Kerberos enumeration capabilities. We will explore how it crafts requests, interprets KDC responses, leverages pre-authentication mechanics, and executes various attack modes. Security professionals, penetration testers, and blue-team defenders alike will gain valuable insight into why Kerbrute remains a staple in modern AD attack chains and how organizations can detect and mitigate its usage effectively.

Understanding Kerberos Pre-Authentication

Kerberos pre-authentication is an optional but highly recommended security feature that prevents an attacker from obtaining encrypted Ticket-Granting Tickets (TGTs) for offline cracking. When pre-authentication is enabled (the default in modern AD environments), a client must prove knowledge of the user’s password before the KDC issues a TGT. This proof comes in the form of an encrypted timestamp (or other pre-auth data) included in the initial Authentication Service Request (AS-REQ).

If pre-authentication is disabled for a user account via the “Do not require Kerberos preauthentication” flag, the KDC will issue a TGT even if the client provides no pre-auth data. This results in an AS-REP containing the encrypted TGT, which can then be extracted and cracked offline using tools like Hashcat. This attack is famously known as AS-REP roasting. Kerbrute exploits both scenarios to enumerate accounts without needing valid credentials.

Pre-authentication failures generate Windows Event ID 4771 on domain controllers, while successful TGT requests produce Event ID 4768. Kerbrute is designed to avoid excessive 4771 events during enumeration by interpreting the KDC’s response to a “no pre-auth” request. This makes it exceptionally stealthy compared to traditional login attempts that would flood the environment with Event ID 4625 (failed logon) events.

In practice, many organizations still have legacy accounts with pre-authentication disabled, creating a persistent attack surface. Attackers use Kerbrute to quickly identify these accounts and harvest crackable TGTs.

How Kerbrute Sends TGT Requests for Enumeration

Kerbrute begins its enumeration process by crafting specially designed Kerberos AS-REQ messages. These requests intentionally omit any pre-authentication data (such as an encrypted timestamp). The tool specifies the target domain, a username from a wordlist, and the service principal name (SPN) for the KDC (usually krbtgt/domain.com).

When the KDC receives this request:

  • If the username is invalid, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6).
  • If the username is valid and pre-authentication is required, the KDC responds with KRB5KDC_ERR_PREAUTH_REQUIRED (error code 25), prompting the client to retry with pre-auth data.
  • If the username is valid and pre-authentication is disabled, the KDC returns a full AS-REP containing the encrypted TGT.

Kerbrute interprets the “preauth required” response as a strong indicator of a valid account. This behavior is consistent across all modern Windows domain controllers and allows reliable enumeration without ever submitting a password.
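The two error codes above are what a network sensor sees on the wire, so the same distinction that serves enumeration also serves detection. The following is an added example, not Kerbrute's code and not from this article's author: a minimal DER encoder builds constructed KRB-ERROR messages (only the mandatory fields, RFC 4120 layout), a parser extracts the error-code the way a passive monitor would, and a counter flags any source that collects many KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN replies, which is the footprint a wordlist leaves on the KDC. The IP addresses, realm and thresholds are made up.

```python
"""Passive classification of KDC replies.

Added example (not Kerbrute's own code). It constructs a few KRB-ERROR
messages with a minimal DER encoder, parses them back the way a network
sensor would, and reports a source that collects many
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN replies. All IPs and the realm are made up.
"""
from collections import Counter

# KDC error codes from RFC 4120, section 7.5.9
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # username does not exist
KDC_ERR_PREAUTH_REQUIRED = 25      # username exists, pre-auth is enforced


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(v):
    """Minimal two's-complement INTEGER."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ctx(n, content):
    """Context-specific constructed tag [n], as used for every KRB field."""
    return tlv(0xA0 | n, content)


def krb_error(error_code, realm="EXAMPLE.COM"):
    """Constructed KRB-ERROR ([APPLICATION 30] SEQUENCE) carrying only the
    mandatory fields: pvno, msg-type, stime, susec, error-code, realm, sname."""
    realm_b = tlv(0x1B, realm.encode())                         # KerberosString
    sname = tlv(0x30, ctx(0, der_int(2))                        # NT-SRV-INST
                + ctx(1, tlv(0x30, tlv(0x1B, b"krbtgt") + realm_b)))
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30))
            + ctx(4, tlv(0x18, b"20250101120000Z"))            # KerberosTime
            + ctx(5, der_int(0)) + ctx(6, der_int(error_code))
            + ctx(9, realm_b) + ctx(10, sname))
    return tlv(0x7E, tlv(0x30, body))                           # 0x60 | 30


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_krb_error(msg):
    """Return the error-code of a KRB-ERROR; raise on any other message."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x7E:
        raise ValueError("application tag %d is not KRB-ERROR" % (tag & 0x1F))
    tag, seq, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = content          # keyed by context tag number
    msg_type = int.from_bytes(read_tlv(fields[1])[1], "big", signed=True)
    if msg_type != 30:
        raise ValueError("msg-type %d is not KRB-ERROR" % msg_type)
    return int.from_bytes(read_tlv(fields[6])[1], "big", signed=True)


def describe(error_code):
    return {KDC_ERR_C_PRINCIPAL_UNKNOWN: "unknown principal",
            KDC_ERR_PREAUTH_REQUIRED: "valid account, pre-auth required"
            }.get(error_code, "other KDC error %d" % error_code)


def flag_enumeration(replies, threshold=20):
    """replies: (src_ip, krb_error_bytes) pairs seen by a sensor. Returns the
    sources that received at least `threshold` unknown-principal replies."""
    unknown = Counter()
    for src, msg in replies:
        if parse_krb_error(msg) == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[src] += 1
    return sorted(src for src, n in unknown.items() if n >= threshold)


# Constructed traffic: one source walks a wordlist (mostly unknown names,
# a few hits), another source merely mistypes a name twice.
SAMPLE_REPLIES = ([("10.0.0.5", krb_error(KDC_ERR_C_PRINCIPAL_UNKNOWN))] * 25
                  + [("10.0.0.5", krb_error(KDC_ERR_PREAUTH_REQUIRED))] * 3
                  + [("10.0.0.9", krb_error(KDC_ERR_C_PRINCIPAL_UNKNOWN))] * 2)

if __name__ == "__main__":
    for src in flag_enumeration(SAMPLE_REPLIES):
        print("possible username enumeration from", src)
```

The parser deliberately keys fields by their context tag number rather than by position, because most KRB-ERROR fields are optional and a real KDC may include cname, e-text or e-data; the threshold is the only tuning knob, and a wordlist run against a KDC clears it within seconds, whereas a mistyped name never does.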

Kerbrute’s implementation is multithreaded by default, enabling it to test thousands of usernames per minute against a single domain controller. The tool automatically discovers KDCs via DNS SRV records (e.g., _kerberos._tcp.dc.domain.com) or allows manual specification with the --dc flag.

Kerbrute’s User Enumeration Mode Explained

Kerbrute’s userenum command is the primary entry point for Kerberos username enumeration. It takes three main arguments: the domain name, a wordlist file, and, optionally, the domain controller IP or hostname.

The tool sends parallel AS-REQ messages and processes responses in real time. Valid usernames are logged to stdout or a file, while invalid ones are silently discarded. The command supports several useful flags:

  • --safe stops enumeration if a locked account is detected.
  • -v enables verbose output showing every request and response.
  • --user-as-pass attempts the username as the password (useful for default credential checks).
  • --no-preauth forces enumeration only on accounts without pre-authentication enabled.

Performing Password Spraying with Kerbrute

Password spraying is a low-and-slow technique that tests a small number of common passwords against a large number of valid usernames. The goal is to avoid triggering account lockout thresholds that are typically set to 5–10 failed attempts per account.

Kerbrute’s passwordspray command takes a user list, a single password (or a short list), and the domain. It attempts authentication for each user sequentially or in parallel, depending on the --threads setting. Successful authentications are logged with the corresponding username and password.

The tool is highly configurable:

  • --safe aborts if any account is locked out.
  • --delay adds sleep between attempts to evade detection.
  • --hash allows spraying with NT hashes instead of plaintext passwords.

This mode is frequently used after enumeration to gain an initial foothold with weak or seasonal passwords like “Summer2025”, “Welcome1”, or company-specific defaults.

Brute-Forcing Passwords Using Kerbrute Modes

Kerbrute provides two brute-force modes for more aggressive password attacks:

  • bruteforce tests combinations from a username file and a password file (or stdin). This is horizontal brute-forcing across many accounts.
  • bruteuser targets a single username with an entire password wordlist. This is vertical brute-forcing.

Both modes risk account lockouts because failed pre-authentication attempts are counted as bad password attempts by AD. However, Kerbrute includes safeguards:

  • --safe stops on lockout detection.
  • --hash uses NT hashes for authentication.
  • --etype specifies encryption types (e.g., aes256-cts-hmac-sha1-96) for compatibility.

Additionally, Kerbrute can capture AS-REP hashes when pre-authentication is disabled, allowing offline cracking with tools like Hashcat. This makes it a dual-purpose tool for both enumeration and exploitation.

Detecting and Defending Against Kerbrute Attacks

Defending against Kerbrute requires a multi-layered approach. Start by enforcing pre-authentication for all accounts through Group Policy or PowerShell scripts. Regularly audit the “Do not require Kerberos preauthentication” flag using tools like BloodHound or PowerView.
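The flag named above is a bit in the userAccountControl attribute, so it can be audited from any directory export without BloodHound or PowerView. The following is an added example, not code from the article or from either of those tools: it reads a CSV export with sAMAccountName and userAccountControl columns (a constructed export is embedded; your export tool may label the columns differently), lists every account with the DONT_REQ_PREAUTH bit set with enabled accounts first, and computes the corrected attribute value that enforces pre-authentication again. Account names and values are made up.

```python
"""Audit of the "Do not require Kerberos preauthentication" flag.

Added example, not from the article, BloodHound or PowerView. The bit
values are the documented userAccountControl flags; the CSV export is
constructed for the example and the account names are made up.
"""
import csv
import io

# userAccountControl bits (documented AD flag values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# Constructed export: one exempt service account that is enabled, one exempt
# account that is disabled, and two normal users.
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
alice,512
svc_backup,4260352
legacy_app,4260354
bob,66048
"""


def preauth_exempt(export_text):
    """Return [(name, enabled)] for accounts whose DONT_REQ_PREAUTH bit is set,
    enabled accounts first so they can be fixed first."""
    found = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if uac & DONT_REQ_PREAUTH:
            enabled = not (uac & ACCOUNTDISABLE)
            found.append((row["sAMAccountName"], enabled))
    return sorted(found, key=lambda r: (not r[1], r[0]))


def enforce_preauth(uac):
    """userAccountControl value to write back: the same flags with the
    pre-auth exemption cleared and everything else untouched."""
    return uac & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for name, enabled in preauth_exempt(SAMPLE_EXPORT):
        print("%-12s enabled=%s" % (name, enabled))
```

Clearing the bit is the whole fix: svc_backup's 4260352 (DONT_REQ_PREAUTH | DONT_EXPIRE_PASSWORD | NORMAL_ACCOUNT) becomes 66048, which keeps the password-never-expires setting the service may depend on and only removes the exemption that makes the account AS-REP roastable.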

On the detection side, monitor domain controllers for:

  • High volumes of Event ID 4768 (successful TGT requests) from unusual sources.
  • Spikes in Event ID 4771 (pre-auth failures) without corresponding 4625 events.
  • Repeated AS-REQ messages to the krbtgt principal.

SIEM systems can correlate these events and generate alerts. Microsoft Defender for Identity and similar behavioral analytics tools are particularly effective at identifying Kerbrute-like patterns.
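As an added example (not from the article and not vendor code), the detection logic below implements the indicators listed above over constructed domain-controller events in a simple key=value line format, which you would map onto your own SIEM schema: a sliding window over Event ID 4768 per source that scores volume, distinct account names and unknown-principal result codes (0x6, the KDC's error code 6 from the enumeration section), plus Event ID 4771 from a source that never produces a 4625. The log lines, IP addresses, account names, timestamps and thresholds are all made up.

```python
"""Detection of Kerbrute-like patterns in domain-controller events.

Added example, not from the article or any product. Input lines look like
"2025-01-01T12:00:00 EventID=4768 Source=10.0.0.5 Account=user001 Result=0x6";
the sample log below is constructed and every IP and account is made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Source=(?P<src>\S+) "
    r"Account=(?P<acct>\S+)(?: Result=(?P<res>\S+))?$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable line: %r" % line)
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["eid"] = int(ev["eid"])
    return ev


def detect(lines, window=timedelta(minutes=5), tgt_threshold=50,
           names_threshold=30, unknown_threshold=20, preauth_threshold=10):
    """Return sorted (source, indicator) pairs for the patterns described above."""
    by_src = defaultdict(lambda: defaultdict(list))
    for ev in map(parse_line, lines):
        by_src[ev["src"]][ev["eid"]].append(ev)

    alerts = set()
    for src, events in by_src.items():
        # 1. TGT requests (4768) from one source inside a sliding window:
        #    sheer volume, distinct account names, and unknown-principal results
        tgt = sorted(events[4768], key=lambda e: e["ts"])
        start = 0
        for end in range(len(tgt)):
            while tgt[end]["ts"] - tgt[start]["ts"] > window:
                start += 1
            span = tgt[start:end + 1]
            if len(span) >= tgt_threshold:
                alerts.add((src, "4768 burst"))
            if len({e["acct"] for e in span}) >= names_threshold:
                alerts.add((src, "4768 across many accounts"))
            if sum(e["res"] == "0x6" for e in span) >= unknown_threshold:
                alerts.add((src, "4768 unknown principals (0x6)"))
        # 2. pre-auth failures (4771) from a host that never logs a failed logon (4625)
        if len(events[4771]) >= preauth_threshold and not events[4625]:
            alerts.add((src, "4771 without 4625"))
    return sorted(alerts)


def _line(ts, eid, src, acct, result=None):
    s = "%s EventID=%d Source=%s Account=%s" % (ts.isoformat(), eid, src, acct)
    return s if result is None else s + " Result=" + result


T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_LOG = (
    # constructed wordlist walk: 60 names in two minutes, most unknown (0x6),
    # every tenth one real (0x0)
    [_line(T0 + timedelta(seconds=2 * i), 4768, "10.0.0.5",
           "user%03d" % i, "0x6" if i % 10 else "0x0") for i in range(60)]
    # the same host then tries two passwords against the six real names:
    # 4771 with KDC_ERR_PREAUTH_FAILED (0x18) and no 4625 at all
    + [_line(T0 + timedelta(minutes=3, seconds=i), 4771, "10.0.0.5",
             "user%03d" % (10 * (i % 6)), "0x18") for i in range(12)]
    # an ordinary workstation: a few TGTs over an hour and one typed-wrong
    # password, which shows up as a 4771 paired with a 4625
    + [_line(T0 + timedelta(minutes=7 * i), 4768, "10.0.0.20", "alice", "0x0")
       for i in range(8)]
    + [_line(T0 + timedelta(minutes=9), 4771, "10.0.0.20", "alice", "0x18"),
       _line(T0 + timedelta(minutes=9), 4625, "10.0.0.20", "alice", "0xC000006A")]
)

if __name__ == "__main__":
    for src, indicator in detect(SAMPLE_LOG):
        print("%s: %s" % (src, indicator))
```

Every 4768 records an AS-REQ for the krbtgt service, so the third indicator in the list above (repeated requests to the krbtgt principal) is the same counter as the first; the separate signal worth keeping is the result code, since a source that produces dozens of 0x6 results against distinct names inside one window is walking a list, not mistyping.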

Network segmentation, strong password policies, and regular credential hygiene further reduce the attack surface. Finally, red-team exercises using Kerbrute help validate detection and response capabilities.

Conclusion

Kerbrute remains one of the most efficient and stealthy tools for Kerberos enumeration and initial access in Active Directory environments. Its ability to exploit pre-authentication behaviors allows attackers to silently map valid usernames and execute low-risk password attacks. By understanding its inner workings, defenders can implement targeted mitigations such as universal pre-authentication enforcement, robust logging, and behavioral monitoring. Mastering both the offensive and defensive perspectives of Kerbrute is crucial for maintaining strong security posture in modern enterprise networks.
