Kerbrute is a powerful open-source tool designed for penetration testers and security researchers to interact with Kerberos authentication in Active Directory (AD) environments. It excels at tasks like user enumeration, password spraying, and brute-forcing, making it a staple in red team engagements and vulnerability assessments. One of the most common questions surrounding Kerbrute is whether its operations can lead to account lockouts, especially in environments with strict security policies.
The short answer is yes Kerbrute can trigger account lockouts in certain modes, but it depends heavily on the specific command used and the target’s lockout policy. Kerberos pre-authentication failures, which Kerbrute exploits for its attacks, count as failed login attempts in Active Directory. This means that brute-force or spraying operations increment the bad password count, potentially locking accounts if thresholds are met. Understanding these mechanics is essential for both attackers testing defenses and defenders configuring policies.
In this comprehensive guide, we’ll explore Kerbrute’s functionality, how its modes interact with AD lockout policies, and strategies to mitigate risks. Whether you’re a security professional evaluating tools or an admin hardening your environment, this article provides actionable insights into Kerbrute’s impact on account security.
What is Kerbrute and How Does It Work?
Kerbrute, developed by Ronnie “ropnop” Flathers, is a Go-based tool that performs Kerberos pre-authentication bruteforcing against Active Directory domains. It targets the Kerberos Distribution Center (KDC) on port 88 to validate usernames and attempt authentications without generating traditional Windows logon events.
The tool’s efficiency comes from leveraging Kerberos pre-authentication requirements. When a user requests a Ticket Granting Ticket (TGT), the KDC demands pre-auth data (like a timestamp encrypted with the user’s password hash). Kerbrute sends crafted requests to check validity, making it faster than traditional methods.
Kerbrute supports multiple modes, each with different risk levels for lockouts. It includes features like multi-threading, delay options, and a safe mode to control impact. Security teams often use it to simulate attacks and test detection rules.
Key Features of Kerbrute
Kerbrute stands out for its speed and low noise compared to tools like Impacket or Rubeus. It can handle large user lists and common passwords efficiently. The tool logs results clearly and supports output files for further analysis.
Installation and Basic Usage
Installing Kerbrute is straightforward—download pre-compiled binaries from GitHub or build from source. Basic commands include specifying the domain and domain controller IP. Users often pair it with wordlists from tools like CeWL or SecLists.
Why Kerbrute is Popular in Penetration Testing
Its stealthy nature and ability to enumerate users without triggering obvious alerts make it a favorite. Penetration testers use it to map AD environments quickly before escalating attacks.
Understanding Kerberos Pre-Authentication Failures
Kerberos pre-authentication is a security feature that requires clients to prove knowledge of a user’s password before receiving a TGT. Failed attempts generate Event ID 4771 on the domain controller, logging “Kerberos pre-authentication failed.”
These failures increment the badPwdCount attribute on user accounts. Active Directory uses this count to enforce lockout policies, typically after 5-10 failures within a reset period. Unlike NTLM failures (Event ID 4625), pre-auth failures are less visible in standard logs.
Kerbrute exploits this mechanism by sending invalid pre-auth data, triggering failures that count toward lockouts. Defenders must monitor Event ID 4771 for anomalies, as it indicates potential bruteforce activity.
How Pre-Auth Failures Differ from Standard Logons
Standard logons use protocols like NTLM or LDAP, generating different events. Kerberos pre-auth failures are specific to KDC interactions, often evading basic monitoring.
Impact on Account Lockout Policies
Most organizations set lockout thresholds (e.g., 5 attempts in 30 minutes). Kerbrute’s rapid attempts can exceed these quickly in brute-force modes.
Event IDs Generated by Kerbrute Operations
Successful authentications log Event ID 4768 (TGT requested). Failures log 4771. These events are critical for detection.
Kerbrute Modes That Can Trigger Lockouts
Kerbrute’s modes vary in risk. The userenum mode is safe, while others increment bad password counts. Understanding each mode helps assess lockout potential.
Passwordspray Mode
This mode tests one password against many users, a classic spraying technique to avoid lockouts. However, Kerbrute’s documentation warns: “this does will increment the failed login count and lock out accounts.”
With default policies (e.g., lock after 5 failures), spraying a few passwords across thousands of users can still lock accounts if the list is large.
- Use low attempt counts per password.
- Add delays with –delay flag.
- Monitor for lockouts during testing.
Bruteforce Mode
Bruteforce mode tests username:password combos from a file. This is high-risk, as multiple wrong passwords per user quickly trigger lockouts.
Bruteuser Mode
This targets a single user with a password list. It’s the most dangerous mode, often locking the target account rapidly.
Kerbrute Modes That Do Not Trigger Lockouts
Some modes are designed to be safe. User enumeration is the prime example.
Userenum Mode
Userenum validates usernames without sending passwords. It sends TGT requests without pre-auth, checking for “PRINCIPAL_UNKNOWN” errors. No badPwdCount increment occurs.
This mode is ideal for initial reconnaissance without disruption.
Safe Mode Feature
Kerbrute includes a –safe flag that aborts operations if any account returns locked. This prevents widespread lockouts.
- Enable with –safe.
- Useful in passwordspray or bruteforce.
- Some forks suggest semi-safe modes for multiple lockouts.
Delay and Thread Controls
Use –delay to space attempts, reducing lockout risk. Lower –threads for stealth.
Factors Influencing Lockout Risk with Kerbrute
Lockout likelihood depends on AD configuration and tool settings.
Active Directory Lockout Policies
Default policies lock after 5-10 failures, resetting after 30 minutes. Fine-Grained Password Policies (FGPP) can vary per user.
Number of Attempts and Users Targeted
Spraying 1-2 passwords across 10,000 users might lock a few if policies are strict.
Domain Controller Logging and Detection
Event ID 4771 spikes can alert defenders. Tools like Securonix detect Kerbrute patterns.
Mitigations in Kerbrute Itself
Flags like –safe and –delay help control impact.
Detection and Mitigation Strategies for Kerbrute Attacks
Defenders can detect and block Kerbrute activity effectively.
Monitoring Kerberos Event Logs
Focus on Event ID 4771 for failures. Look for spikes from one IP.
Implementing Strong Account Lockout Policies
Enforce lockouts after low thresholds. Use FGPP for sensitive accounts.
Network Segmentation and Access Controls
Restrict KDC access. Use firewalls to limit port 88 exposure.
Behavioral Analytics and SIEM Rules
Tools detect anomalous pre-auth failures. Alert on high failure rates.
Best Practices for Using Kerbrute Safely
Ethical users must minimize disruption.
Always Use Safe Mode When Possible
Enable –safe to halt on lockouts.
Test in Controlled Environments First
Use labs to understand impact before production.
Coordinate with Client Teams
Inform stakeholders of potential lockouts during testing.
Combine with Other Tools for Comprehensive Assessments
Pair with userenum-safe tools for enumeration.
Conclusion
Kerbrute is a versatile tool for Kerberos testing, but it can indeed trigger account lockouts in passwordspray, bruteforce, and bruteuser modes by incrementing failed login counts through pre-auth failures. Userenum mode remains safe. By understanding AD policies and using features like safe and delay, users can minimize risks. Defenders should monitor Event ID 4771, enforce strong lockout thresholds, and deploy anomaly detection to counter these attacks effectively.