Kerbrute

How accurate are Kerbrute results?

Kerbrute stands out as a highly effective, open-source utility designed specifically for penetration testers and red teamers working in Active Directory environments. Developed in Go, this tool exploits Kerberos pre-authentication behavior to enumerate valid usernames, perform password spraying, and conduct brute-force attacks, all while maintaining a lower profile than traditional login attempts. Security professionals frequently turn to Kerbrute during internal network assessments because of its speed, cross-platform compatibility, and ability to avoid triggering obvious failed-login alerts.

At its core, Kerbrute’s reliability comes from the predictable responses of the Key Distribution Center (KDC). When querying for usernames, the tool sends Ticket Granting Ticket (TGT) requests without pre-authentication data. Invalid usernames elicit a specific error (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN), while valid ones either require pre-authentication or return a TGT directly (if pre-auth is disabled). This deterministic behavior allows Kerbrute to confidently distinguish real accounts from nonexistent ones in most standard setups.

Despite these strengths, questions about accuracy persist among users. Factors such as domain policies, network latency, rate-limiting by the KDC, or unusual account configurations can occasionally lead to discrepancies in results. In this comprehensive guide, we’ll dive deep into how Kerbrute operates, examine real-world performance, explore potential sources of error, compare it to alternatives, and share proven techniques to maximize reliability. Whether you’re new to Kerberos attacks or a seasoned practitioner, you’ll gain a clearer understanding of when Kerbrute’s findings are trustworthy and how to refine them.

Understanding Kerbrute’s Core Mechanism

How Kerbrute Performs User Enumeration

Kerbrute initiates user enumeration by crafting AS-REQ packets without pre-authentication data. For non-existent usernames, the KDC responds with the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN error code. Valid usernames, however, trigger a pre-authentication challenge (error KRB5KDC_ERR_PREAUTH_REQUIRED) or, in rare cases where pre-auth is disabled, return a usable TGT. This distinction forms the foundation of Kerbrute’s enumeration capability.

The tool logs these responses clearly, often marking valid users in green while noting invalid ones. It also generates Windows Event ID 4768 (Kerberos authentication ticket request) without incrementing failed login counters (Event ID 4625), enabling stealthy operations.
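The flip side of the mechanism just described is that the KDC's responses land in the 4768 log on the Domain Controller. As an added example, not code from the Kerbrute project, the following detection logic runs over constructed 4768 records and flags any source that requests TGTs for many distinct non-existent principals in a short window, the footprint an enumeration run leaves. The result-code strings 0x6 (C_PRINCIPAL_UNKNOWN) and 0x19 (PREAUTH_REQUIRED) are the standard Kerberos codes; the window length and threshold are assumed tuning values.

```python
# Added example, not part of Kerbrute: spot username enumeration in Event ID 4768
# records. Sample records below are constructed, not captured from a real DC.
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos result codes as they appear in the 4768 Result Code / Status field
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # requested principal does not exist
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # principal exists, pre-auth data missing

# Constructed records: (timestamp, TargetUserName, IpAddress, Status)
SAMPLE_4768 = [("2024-05-01T09:00:%02d" % i, "bogus%d" % i, "10.0.0.5", "0x6")
               for i in range(1, 8)]            # seven guesses in seven seconds
SAMPLE_4768 += [
    ("2024-05-01T09:00:03", "jsmith", "10.0.0.5", "0x19"),   # hit interleaved with misses
    ("2024-05-01T09:00:06", "adoe", "10.0.0.5", "0x19"),
    ("2024-05-01T09:05:00", "jsmiht", "10.0.0.9", "0x6"),    # a lone typo, not a scan
    ("2024-05-01T09:05:10", "jsmith", "10.0.0.9", "0x19"),
]

def find_enumeration(records, window_seconds=60, threshold=5):
    """Return {ip: (max_distinct_unknown, valid_hits)} for each source that asked
    for more than `threshold` distinct non-existent principals within any
    `window_seconds` span. Window and threshold are assumed tuning values."""
    by_ip = defaultdict(list)
    for ts, user, ip, status in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user, status))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        unknown = sorted((ts, u) for ts, u, st in events if st == KDC_ERR_C_PRINCIPAL_UNKNOWN)
        peak, start = 0, 0
        for end in range(len(unknown)):           # sliding window over the misses
            while unknown[end][0] - unknown[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in unknown[start:end + 1]}))
        if peak > threshold:
            valid = {u for _, u, st in events if st == KDC_ERR_PREAUTH_REQUIRED}
            alerts[ip] = (peak, len(valid))
    return alerts

if __name__ == "__main__":
    for ip, (misses, hits) in find_enumeration(SAMPLE_4768).items():
        print(f"{ip}: {misses} unknown principals probed, {hits} valid accounts confirmed")
```

Because no 4625 is written, a rule keyed on failed logons never sees this activity; the 4768 Status field is the signal to watch.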

Why This Approach Yields High Accuracy

Kerberos protocol responses are highly standardized in Microsoft Active Directory implementations. The error codes are consistent across versions, from Windows Server 2008 onward. Kerbrute’s Go implementation parses these responses with minimal overhead, resulting in extremely low false-positive rates for user enumeration in clean, well-configured domains.

Penetration testers often report near-perfect results when using curated username lists from sources like LinkedIn, leaked dumps, or internal reconnaissance.

Common Outputs and Their Reliability

Typical output includes lines like “[+] VALID USER: username@domain.com” for confirmed accounts and “[-] user does not exist” for invalid ones. The verbose flag (-v) provides additional details, such as exact error codes or network timeouts, allowing manual verification.

In practice, these outputs are reliable unless external factors interfere. Users can cross-check by re-running scans with different thread counts or verifying against other tools.

Key Factors Influencing Kerbrute Accuracy

Domain Configuration and Pre-Authentication Settings

Kerbrute performs best when pre-authentication is enforced for the majority of accounts. In such environments, the KDC’s responses are clear-cut. However, if many accounts have pre-auth disabled (a common misconfiguration), Kerbrute may still identify them but with varying response patterns. This can open doors for AS-REP roasting but slightly complicates pure enumeration.

Domains with custom policies or protected accounts may also alter KDC behavior, requiring testers to adapt their approach.

Network and Connectivity Issues

Network instability, high latency, or firewalls blocking UDP 88 (Kerberos) can cause incomplete responses or timeouts. Kerbrute interprets these as invalid users, leading to false negatives. In VPN or proxied setups, packet loss exacerbates this issue.

To mitigate this, testers often specify the --dc flag to target a specific Domain Controller and reduce the thread count.

Threading and Performance Settings

The default of 10 threads balances speed and reliability. Higher thread counts accelerate scans but risk overwhelming the KDC, triggering rate-limiting or dropped packets. Lower threads improve accuracy in sensitive environments but extend runtime significantly.

Comparison with Other Tools

Compared to Python-based tools like Impacket’s GetNPUsers.py, Kerbrute is faster due to its compiled nature. GetNPUsers.py excels at AS-REP roasting but can be slower for large lists. Kerbrute’s focused design makes it preferable for quick enumeration tasks.

Potential for False Positives in Enumeration

Misconfigured Accounts and Special Cases

Accounts in protected groups (e.g., Domain Admins) or those with restricted policies may return unexpected errors. Kerbrute might incorrectly classify them as valid if the response deviates from the standard pattern.

Service accounts or those in trusted forests can also behave atypically, introducing minor inaccuracies.

Locked or Disabled Accounts

Kerbrute can detect locked accounts via specific error messages in some cases, but not reliably across all configurations. This leads to occasional false positives: accounts appear valid but are unusable.

Detection Evasion and Logging Variations

In environments with advanced monitoring or custom KDC logging, responses might differ subtly. Tools like Microsoft Advanced Threat Analytics or third-party SIEMs can influence behavior. Practical ways to keep results consistent:

  • Rely on verbose output to cross-check results.
  • Run multiple scans with adjusted threads for consistency.
  • Combine with LDAP queries for validation.
  • Test on known accounts first to calibrate.

How Accurate Is User Enumeration in Practice?

Real-World Testing Scenarios

In lab environments and controlled penetration tests, Kerbrute consistently achieves 98-99%+ accuracy for user enumeration. Red teamers frequently validate thousands of accounts from OSINT sources with minimal false positives. Community reports on platforms like Reddit and GitHub confirm its dependability when domains follow standard configurations.

Edge Cases That Reduce Reliability

Large enterprise domains with hybrid Azure AD integration, thousands of users, or high-latency connections introduce noise. Rate-limiting or intermittent connectivity can cause missed valid accounts.

Custom policies or non-standard Kerberos setups (e.g., trusts) may also affect outcomes.

Mitigating False Positives

The --safe flag prevents lockouts by aborting on detected lockout responses. Verbose mode helps identify anomalies, while cross-checking with BloodHound or LDAP tools boosts confidence.

Accuracy of Password Spraying and Brute-Forcing

Mechanics of Password Attacks

Kerbrute’s passwordspray mode tests one password against many users, ideal for common weak credentials. The bruteuser mode targets a single user with a wordlist. Both increment bad password counters, risking lockouts.

Reliability in Identifying Valid Credentials

When a correct password is found, Kerbrute accurately saves TGTs or hashes. False positives are extremely rare due to the protocol’s validation. Successes are confirmed by successful authentication.

Risks and Limitations

The primary limitation is lockout risk: failed attempts count against policy thresholds. Aggressive spraying can trigger alerts or disable accounts.

  • Use low thread counts to avoid detection.
  • Incorporate delays for stealth.
  • Test small subsets first.
  • Monitor for lockouts during runs.

Comparing Kerbrute to Alternative Tools

Kerbrute vs. Impacket Scripts

Impacket’s GetNPUsers.py is excellent for AS-REP roasting and handling no-preauth accounts but slower for enumeration. Kerbrute wins in speed and pure user discovery.

Kerbrute vs. Rubeus

Rubeus provides extensive Kerberos features (e.g., Kerberoasting, ticket manipulation) but is Windows-only. Kerbrute’s Linux/macOS support makes it more accessible for diverse engagements.

Overall Accuracy Ranking

Kerbrute ranks among the top tools for enumeration accuracy and speed, especially in red team operations where quick, reliable recon is critical.

Best Practices for Maximizing Kerbrute Accuracy

Preparing Input Lists Effectively

Source usernames from reliable places: LinkedIn scraping, leaked credential dumps, or internal discovery. Remove duplicates and normalize formats to minimize noise.

Optimizing Tool Parameters

Use --dc to target specific DCs, adjust -t threads based on network conditions, and enable -v for debugging. The --safe mode is essential in production-like environments.

Cross-Verification Techniques

Validate Kerbrute results with LDAP queries (e.g., via ldapsearch or PowerView), NetExec, or BloodHound. Run scans multiple times for consistency.
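The earlier advice to re-run scans and to validate against LDAP can be automated. As an added example, not Kerbrute's own code, the script below parses the “[+] VALID USER:” lines from two constructed runs, separates the hits every run agrees on from the flaky ones worth re-testing, and then labels the stable hits using a constructed LDAP export of userAccountControl values: ACCOUNTDISABLE (0x2) marks the “valid but unusable” accounts, and DONT_REQ_PREAUTH (0x400000) marks the pre-auth-disabled accounts that are AS-REP roastable. The log-line timestamps, usernames and export contents are constructed; the two flag values are the standard Active Directory bits.

```python
# Added example, not Kerbrute's own code: reconcile repeated userenum runs and
# cross-check the survivors against an LDAP export of userAccountControl values.
import re

# Matches the "[+] VALID USER: user@domain" line; search() tolerates a timestamp
# prefix, and USERNAME is accepted in case the wording differs between releases
VALID_RE = re.compile(r"\[\+\]\s+VALID USER(?:NAME)?:\s+([^@\s]+)@(\S+)")

# userAccountControl bits (standard Active Directory values)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed Kerbrute output for two runs of the same list; rwhite timed out in run 2
RUN1 = """2024/05/01 09:00:01 >  [+] VALID USER: jsmith@corp.example
2024/05/01 09:00:01 >  [+] VALID USER: adoe@corp.example
2024/05/01 09:00:02 >  [+] VALID USER: svc-backup@corp.example
2024/05/01 09:00:02 >  [+] VALID USER: rwhite@corp.example
2024/05/01 09:00:03 >  [+] VALID USER: olduser@corp.example
"""
RUN2 = """2024/05/01 09:10:01 >  [+] VALID USER: jsmith@corp.example
2024/05/01 09:10:01 >  [+] VALID USER: adoe@corp.example
2024/05/01 09:10:02 >  [+] VALID USER: svc-backup@corp.example
2024/05/01 09:10:03 >  [+] VALID USER: olduser@corp.example
"""
# Constructed LDAP export {sAMAccountName: userAccountControl}; olduser is absent
LDAP_EXPORT = {"jsmith": 0x200, "adoe": 0x202, "svc-backup": 0x400200}

def parse_valid_users(output):
    """Usernames reported valid, lower-cased with the realm stripped."""
    return {m.group(1).lower() for m in VALID_RE.finditer(output)}

def reconcile(runs):
    """Split hits into those every run agrees on and those seen only sometimes."""
    sets = [parse_valid_users(r) for r in runs]
    consistent = set.intersection(*sets)
    return consistent, set.union(*sets) - consistent

def cross_check(users, ldap_export):
    """Label each stable hit using its userAccountControl flags."""
    verdicts = {}
    for user in users:
        uac = ldap_export.get(user)
        if uac is None:
            verdicts[user] = "not-in-ldap"    # trusted forest, stale export, or a false positive
        elif uac & ACCOUNTDISABLE:
            verdicts[user] = "disabled"       # the KDC may still answer, but the account is unusable
        elif uac & DONT_REQ_PREAUTH:
            verdicts[user] = "no-preauth"     # the AS-REP roasting exposure to remediate
        else:
            verdicts[user] = "ok"
    return verdicts
```

The LOCKOUT bit in userAccountControl is not maintained reliably, so lockout state should be read from msDS-User-Account-Control-Computed rather than from this flag.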

Ethical and Legal Considerations

Kerbrute can disrupt operations if misused. Always secure written authorization, follow rules of engagement, and avoid aggressive spraying in live environments.

Additional Advanced Techniques and Considerations

Handling Large-Scale Enumeration

For domains with tens of thousands of potential users, split lists and run parallel scans. Monitor KDC logs for signs of rate-limiting.

Integrating with Other Tools

Pipe valid users into AS-REP roasting tools like GetNPUsers.py or CrackMapExec for password spraying. This creates a reliable workflow.

Monitoring for Changes in Accuracy Over Time

Domain policies evolve, so periodic testing ensures continued reliability. Stay updated on Kerbrute releases, as the community occasionally addresses edge cases.

Community Insights and Limitations

GitHub issues and forums highlight rare false positives in non-standard setups, but overall feedback praises its precision. No major accuracy flaws have been reported in recent years.

Conclusion

Kerbrute remains one of the most accurate and efficient tools for Kerberos-based user enumeration and credential attacks in Active Directory environments. Its reliance on protocol-specific responses ensures high fidelity in standard configurations, with false positives being minimal and easily mitigated through best practices like verbose logging, safe mode, and cross-verification. While network issues, custom policies, or aggressive usage can introduce uncertainties, these are manageable with proper preparation. For ethical hackers and red teamers seeking reliable reconnaissance, Kerbrute continues to be an indispensable asset when applied responsibly.
