Kerberos brute command
skelsec edited this page Apr 12, 2021 · 4 revisions
Obtains a list of valid domain usernames via brute force. It tries to perform authentication with usernames taken from a list that you supply and, depending on the server's response, it is able to tell whether each username exists or not.
The list of users can be in a file (one username per line) or can be set in a command line argument (at the end of the command). You may even mix the two.
Important: The expected format is `<user>@<realm>`, but you don't need to specify the target users in this format if you wish: just the username is enough IF you also supply the `-d <realm>` switch.
You will need the following things:
- IP/Hostname of the Kerberos server (the domain controller)
- The `Realm`, e.g. the domain name
- A list of usernames
None
- `-o`: Writes the result to a file
- `-n`: Show negatives. This will print out usernames which do not exist but were in the list
- `-d`: `Realm`, aka domain name

- `pypykatz kerberos brute 10.10.10.2 -d TEST.corp usernames.txt`: Verifies the usernames from `usernames.txt` and prints the result to the command line. In this case `usernames.txt` only contains usernames without the `realm`, as the `-d <realm>` switch was used
- `pypykatz kerberos brute 10.10.10.2 usernames.txt`: Verifies the usernames from `usernames.txt` and prints the result to the command line. Be careful, this means that the `usernames.txt` file contains usernames in `<user>@<realm>` format
- `pypykatz kerberos brute 10.10.10.2 -d TEST.corp usernames.txt testuser`: Verifies the usernames from `usernames.txt` and prints the result to the command line. This will also check whether `testuser@TEST.corp` exists or not
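
On the domain controller, the enumeration described above appears as a burst of failed TGT requests for unknown principals coming from one client. The following Python code is an added example (not part of pypykatz or of this wiki page) that flags such bursts in Security event 4768 records with result code `0x6` (`KDC_ERR_C_PRINCIPAL_UNKNOWN`). It assumes failure auditing for the Kerberos Authentication Service is enabled; the sample events, the reduced field set, the window and the threshold are constructed assumptions.

```python
"""Flag likely Kerberos username enumeration in DC Security events (4768 / 0x6)."""
from collections import defaultdict
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = "0x6"        # KDC_ERR_C_PRINCIPAL_UNKNOWN
WINDOW = timedelta(minutes=5)    # assumed tuning value, adjust per environment
THRESHOLD = 5                    # assumed: distinct unknown names per source in WINDOW

# Constructed sample events (not real logs), reduced to the fields used here.
def _ev(ts, user, status, ip):
    return {"EventID": 4768, "TimeCreated": ts, "TargetUserName": user,
            "Status": status, "IpAddress": ip}

SAMPLE_EVENTS = (
    [_ev(f"2021-04-12T09:00:{i:02d}", f"guess{i}", "0x6", "::ffff:10.10.10.50")
     for i in range(8)]                                  # burst from one client
    + [_ev("2021-04-12T09:01:00", "jsmith", "0x0", "::ffff:10.10.10.50"),
       _ev("2021-04-12T09:02:00", "jsmiht", "0x6", "::ffff:10.10.10.77"),  # typo
       _ev("2021-04-12T11:30:00", "oldsvc", "0x6", "::ffff:10.10.10.77")]  # stale
)

def find_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: max distinct unknown usernames seen inside one window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"].lower() == PRINCIPAL_UNKNOWN:
            ip = e["IpAddress"].replace("::ffff:", "")   # IPv4-mapped form in logs
            by_src[ip].append((datetime.fromisoformat(e["TimeCreated"]),
                               e["TargetUserName"].lower()))
    alerts = {}
    for ip, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                               # slide the window forward
            best = max(best, len({u for _, u in hits[start:end + 1]}))
        if best >= threshold:
            alerts[ip] = best
    return alerts

if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} unknown principals requested within {WINDOW}")
```

Counting distinct usernames rather than raw failures keeps a single mistyped or stale account that retries repeatedly from triggering the alert.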