
Kerberos brute command

skelsec edited this page Apr 12, 2021 · 4 revisions

What it does

Obtains a list of valid domain usernames via bruteforce. It attempts Kerberos authentication with each username taken from a list that you supply; because the server's response differs for existing and non-existing accounts, it can tell whether each username exists or not.

Remarks

The list of users can be in a file (one username per line) or can be given as command line arguments (at the end of the command). You may even mix the two.
Important: The expected format is <user>@<realm>, but you don't need to specify the target users in this format if you don't wish to: just the username is enough IF you also supply the -d <realm> switch.

Requirements

You will need the following things:

  • IP/Hostname of the Kerberos server (the domain controller)
  • The realm, e.g. the domain name
  • A list of usernames

Subcommands

None

Switches

  • -o: Writes the result to a file
  • -n: Show negatives. This will also print out usernames that were in the list but do not exist
  • -d: Realm, aka domain name

Examples

  • pypykatz kerberos brute 10.10.10.2 -d TEST.corp usernames.txt: Verifies the usernames from usernames.txt and prints the result to the command line. In this case usernames.txt only contains usernames without the realm, as the -d <realm> switch was used
  • pypykatz kerberos brute 10.10.10.2 usernames.txt: Verifies the usernames from usernames.txt and prints the result to the command line. Be careful, this means that the usernames.txt file must contain usernames in <user>@<realm> format
  • pypykatz kerberos brute 10.10.10.2 -d TEST.corp usernames.txt testuser: Verifies the usernames from usernames.txt and prints the result to the command line. It will also check whether testuser@TEST.corp exists or not