As professionals in the penetration testing world, it’s always exciting to see a simple, sharp tool put through its paces by someone with field experience. Andrew Trexler, a key member of Raxis’ elite penetration testing team, recently dropped a ground-level walkthrough of Kerbrute, one of the fastest ways to enumerate and brute force Active Directory (AD) accounts via Kerberos pre-authentication. For pentesters, both new and seasoned, Kerbrute deserves your attention if you’re assessing cloud or internal AD environments.
This post takes you through the why and the how of Kerbrute, outlining where it shines during a pentest.
Why Kerbrute Belongs in Your Toolkit
Let’s keep it real: Kerberos is everywhere in enterprise AD, and attackers know it. Enumeration via Kerberos pre-auth can yield a high-fidelity user list without bumping password counts or triggering basic alerting. This makes Kerbrute especially valuable when your goal is stealth, speed, and solid results during the recon phase.
Not to mention, it’s open-source, actively maintained, and simple to run.
Core Modes: Real-World Use Cases
userenum
The userenum mode lets you test thousands of usernames against a target AD domain rapidly to confirm which ones exist, all without risking account lockout, which is ideal for the early stages of an engagement.
Tips for Effective User Enumeration:
• Build your user list from public breach dumps (e.g., DeHashed) and OSINT sources such as LinkedIn. Tools like linkedin2username can automate that work.
• Kerbrute usually auto-discovers your target DC, but use --dc to point it at a specific domain controller if needed.
• Save your confirmed usernames with the -o flag for follow-up testing.
Sample command:
./kerbrute userenum -d [target_domain] [user_list.txt] --dc [DC_IP] -o [output.txt]
bruteforce
Want to quickly check if any default, simple, or previously breached passwords are in play? The bruteforce mode allows you to test username:password combos in bulk. Just be aware: each attempt does increment failed logins, so monitor domain policies to avoid lockouts.
• Use lists like username:username for common creds checks.
• Filter valid username output quickly with grep and awk.
Sample workflow:
cat [output.txt] | grep "\[+\] VALID USERNAME" | awk -F" " '{print $7}' | awk -F"@" '{print $1}' | sort -u > users-list-confirmed
cat users-list-confirmed | awk '{print $0":"$0}' > combo-list
./kerbrute bruteforce --dc [DC_IP] -d [Domain] combo-list
passwordspray
Password spraying is as simple as it gets: one password, many users. Kerbrute’s spray feature is fast, but be cautious as this method will lock accounts.
Sample command:
kerbrute passwordspray --dc [DC_IP] -d [Domain] [userlist.txt] [Password]
bruteuser
Targeting a single account with a list of possible passwords? The bruteuser mode is for you. This method is not common as it will lock out accounts quickly. Andrew advises using the --safe flag to halt as soon as the first lockout occurs.
Pro Tips and Pitfalls
• Kerbrute’s results are neatly parsable. Automate with grep/awk for user extraction and combo list generation.
• The userenum mode won’t trigger lockouts, but the brute-force and spray modes can flood logs and lock accounts. Target selection is key for staying under the radar.
• Valid users can power further work through tools like CrackMapExec and Impacket, or serve as phishing pretexts.
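From the defender’s side, the difference the post draws between userenum (no lockouts) and the spray and brute-force modes (noisy logs, locked accounts) shows up as distinct Domain Controller event patterns. Below is an added example, not from Andrew’s post, Raxis, or the Kerbrute project, that runs simple detection logic over constructed sample events: many 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, the name does not exist) from one source point to username enumeration; 4771 failures with code 0x18 (KDC_ERR_PREAUTH_FAILED, wrong password) across many accounts from one source point to spraying; and the same code repeated against a single account points to a bruteuser-style attempt. The key=value line layout, the thresholds, the window size, and the sample IPs and names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified key=value event layout constructed for this example; real DC events
# are XML, but carry the same field names (TargetUserName, IpAddress, Status).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # on 4768: the requested username does not exist
KDC_ERR_PREAUTH_FAILED = 0x18       # on 4771: the account exists, the password was wrong

def parse_line(line):
    """Parse one sample line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "event_id": int(d["event_id"]),
            "user": d["user"], "ip": d["ip"], "status": int(d["status"], 16)}

def _window_peak(events, window, metric):
    """Slide a time window over sorted (ts, user) events from one source and return
    (peak_metric_value, first_ts, last_ts) for the span where the metric peaks."""
    events = sorted(events)
    best, start = (0, None, None), 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        span = events[start:end + 1]
        value = metric(span)
        if value > best[0]:
            best = (value, span[0][0], span[-1][0])
    return best

def _distinct_users(span):
    return len({user for _, user in span})

def find_kerberos_recon(lines, window=timedelta(minutes=5),
                        enum_threshold=20, spray_threshold=10, single_threshold=5):
    """Return alert dicts for the three patterns. Thresholds are illustrative values."""
    unknown_by_ip = defaultdict(list)   # 4768 + 0x6, grouped by source IP
    preauth_by_ip = defaultdict(list)   # 4771 + 0x18, grouped by source IP
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event_id"] == 4768 and ev["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown_by_ip[ev["ip"]].append((ev["ts"], ev["user"]))
        elif ev["event_id"] == 4771 and ev["status"] == KDC_ERR_PREAUTH_FAILED:
            preauth_by_ip[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = []
    # userenum leaves many distinct non-existent names behind from one source.
    for ip, evs in unknown_by_ip.items():
        n, first, last = _window_peak(evs, window, _distinct_users)
        if n >= enum_threshold:
            alerts.append({"kind": "user_enumeration", "source": ip, "account": None,
                           "count": n, "first": first, "last": last})
    for ip, evs in preauth_by_ip.items():
        # passwordspray: one wrong password across many distinct existing accounts.
        n, first, last = _window_peak(evs, window, _distinct_users)
        if n >= spray_threshold:
            alerts.append({"kind": "password_spray", "source": ip, "account": None,
                           "count": n, "first": first, "last": last})
        # bruteuser: one account failing repeatedly from one source; distinct-name
        # counting would miss this, so count raw failures per account instead.
        per_user = defaultdict(list)
        for ts, user in evs:
            per_user[user].append((ts, user))
        for user, uevs in per_user.items():
            n, first, last = _window_peak(uevs, window, len)
            if n >= single_threshold:
                alerts.append({"kind": "single_account_bruteforce", "source": ip,
                               "account": user, "count": n, "first": first, "last": last})
    return alerts

def build_sample_log():
    """Constructed sample events (names, IPs and timing are made up for this example)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    stamp = lambda **kw: (base + timedelta(**kw)).isoformat()
    lines = []
    for i in range(23):   # 10.0.0.5 walks a wordlist of 23 names that do not exist
        lines.append(f"{stamp(seconds=i)} 4768 TargetUserName=guess{i:02d} "
                     f"IpAddress=10.0.0.5 Status=0x6")
    for i in range(12):   # 10.0.0.9 tries one password against 12 real accounts
        lines.append(f"{stamp(minutes=2, seconds=i)} 4771 TargetUserName=user{i:02d} "
                     f"IpAddress=10.0.0.9 Status=0x18")
    for i in range(8):    # 10.0.0.30 hammers a single service account 8 times
        lines.append(f"{stamp(minutes=3, seconds=i)} 4771 TargetUserName=svc_backup "
                     f"IpAddress=10.0.0.30 Status=0x18")
    for i in range(2):    # 10.0.0.20 is a person mistyping twice: stays below threshold
        lines.append(f"{stamp(minutes=4, seconds=i)} 4771 TargetUserName=bob "
                     f"IpAddress=10.0.0.20 Status=0x18")
    return lines
```

Running `find_kerberos_recon(build_sample_log())` yields three alerts (enumeration from 10.0.0.5, a spray from 10.0.0.9, and a single-account brute force against svc_backup from 10.0.0.30) and nothing for the mistyping user. These events are only recorded when the DC’s "Audit Kerberos Authentication Service" subcategory is set to log failures, so that setting is the first thing to confirm before relying on such a rule.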
Final Take
Kerbrute stands out because it does one thing very well: quick, accurate AD recon and attack surface mapping. It streamlines the recon-to-attack workflow, helping you deliver value fast during pentests, red teams, or even lab and CTF environments.
Andrew’s post is a solid reference if you’re picking up Kerbrute for the first time or aiming to refine your methodology. If you’re not already using it, add it to your scripts folder and see just how much ground you can cover before “touching” anything else in the domain.