Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

Kerbrute User Enumeration

Kerbrute validates usernames through Kerberos without needing a password.

It is useful when we have a naming pattern but no credentials.

Some domains expose public assets where you may be able to harvest potential usernames/emails. Think "About Us" pages on websites. If you figure out the naming pattern you might use a tool such as AD-Username-Generator and run the lists with kerbrute. Some examples of naming formats can be:

Common service names may be:

  • "svc_sql"
  • "sql_svc"
  • "sqlsvc"
  • etc.

Kerbrute also does not increment the account lockout counter (as long as you're not password spraying).


Prepare

Set variables:

export DC=10.10.10.200
export DOMAIN=ootw.local

Confirm Kerberos is reachable:

nc -vz $DC 88

Create a candidate list:

cat > users.txt <<'EOF'
alice.wright
ben.carter
chloe.morris
dylan.brooks
eva.patel
frank.hughes
grace.miller
henry.king
helpdesk.one
svc_legacy
svc_sql
svc_web
svc_backup
EOF

Enumerate

kerbrute userenum -d $DOMAIN --dc $DC users.txt -o kerbrute-users.txt

Success:

VALID USERNAME: alice.wright@ootw.local

Extract clean names:

grep 'VALID USERNAME' kerbrute-users.txt |
  awk '{print $NF}' |
  cut -d@ -f1 |
  sort -u > confirmed-users.txt

Username Patterns

Generate common corporate formats:

cat names.txt | awk '{print tolower(substr($1,1,1)$2)}' > firstinitial-last.txt
cat names.txt | awk '{print tolower($1"."$2)}' > firstname.lastname.txt
cat names.txt | awk '{print tolower($1"_"$2)}' > firstname_lastname.txt
cat names.txt | awk '{print tolower($1)}' > firstname.txt
cat *.txt | sort -u > users.txt

Where names.txt contains:

Alice Wright
Ben Carter

Detection

Defenders look for:

  • Security 4768 with invalid users
  • Security 4771 for Kerberos preauthentication failures
  • many Kerberos requests from one source
  • username patterns tested rapidly
  • process execution of Kerbrute on endpoints

Remediation

  • monitor Kerberos username enumeration patterns
  • enforce consistent alerting for invalid user bursts
  • reduce public leakage of naming conventions
  • avoid predictable service account names where possible
  • require MFA for exposed authentication paths