Kerbrute validates usernames through Kerberos without needing a password.
It is useful when we have a naming pattern but no credentials.
Some domains expose public assets where you may be able to harvest potential usernames/emails. Think "About Us" pages on websites. If you figure out the naming pattern you might use a tool such as AD-Username-Generator and run the lists with kerbrute. Some examples of naming formats can be:
- "first.last@dom.local"
- "f.last@dom.local"/ "
- "flast@dom.local"
- etc.
Common service names may be:
- "svc_sql"
- "sql_svc"
- "sqlsvc"
- etc.
Kerbrute also does not increment the account lockout counter (as long as you're not password spraying).
Prepare
Set variables:
export DC=10.10.10.200
export DOMAIN=ootw.local
Confirm Kerberos is reachable:
nc -vz $DC 88
Create a candidate list:
cat > users.txt <<'EOF'
alice.wright
ben.carter
chloe.morris
dylan.brooks
eva.patel
frank.hughes
grace.miller
henry.king
helpdesk.one
svc_legacy
svc_sql
svc_web
svc_backup
EOF
Enumerate
kerbrute userenum -d $DOMAIN --dc $DC users.txt -o kerbrute-users.txt
Success:
VALID USERNAME: alice.wright@ootw.local
Extract clean names:
grep 'VALID USERNAME' kerbrute-users.txt |
awk '{print $NF}' |
cut -d@ -f1 |
sort -u > confirmed-users.txt
Username Patterns
Generate common corporate formats:
cat names.txt | awk '{print tolower(substr($1,1,1)$2)}' > firstinitial-last.txt
cat names.txt | awk '{print tolower($1"."$2)}' > firstname.lastname.txt
cat names.txt | awk '{print tolower($1"_"$2)}' > firstname_lastname.txt
cat names.txt | awk '{print tolower($1)}' > firstname.txt
cat *.txt | sort -u > users.txt
Where names.txt contains:
Alice Wright
Ben Carter
Detection
Defenders look for:
- Security 4768 with invalid users
- Security 4771 for Kerberos preauthentication failures
- many Kerberos requests from one source
- username patterns tested rapidly
- process execution of Kerbrute on endpoints
Remediation
- monitor Kerberos username enumeration patterns
- enforce consistent alerting for invalid user bursts
- reduce public leakage of naming conventions
- avoid predictable service account names where possible
- require MFA for exposed authentication paths