Kerberos brute command
skelsec edited this page Apr 12, 2021 · 4 revisions
Obtains a list of valid domain usernames via brute force. It attempts authentication with usernames taken from a list that you supply and, depending on the server's response, can tell whether each username exists or not.
The list of users can be in a file (one username per line) or can be set in a command line argument (at the end of the command). You may even mix the two.
Important: The expected format is `<user>@<realm>`, but you don't need to specify the target users in this format if you don't wish to; just the username is enough IF you also supply the `-d <realm>` switch.
You will need the following things:
- IP/Hostname of the Kerberos server (the domain controller)
- The Realm, e.g. the domain name
- A list of usernames
None
- `-o`: Writes the result to a file
- `-n`: Show negatives. This will print out usernames which do not exist but were in the list
- `-d`: Realm, aka domain name
- `pypykatz kerberos brute 10.10.10.2 -d TEST.corp usernames.txt`: Verifies the usernames from `usernames.txt` and prints the result to the command line. In this case `usernames.txt` only contains usernames without the realm, as the `-d <realm>` switch was used.
- `pypykatz kerberos brute 10.10.10.2 usernames.txt`: Verifies the usernames from `usernames.txt` and prints the result to the command line. Be careful, this means that the `usernames.txt` file contains usernames in `<user>@<realm>` format.
- `pypykatz kerberos brute 10.10.10.2 -d TEST.corp usernames.txt testuser`: Verifies the usernames from `usernames.txt` and prints the result to the command line. This will also check whether `testuser@TEST.corp` exists or not.
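Because the command above learns which usernames exist from the server's responses, each guess at a non-existent user leaves a failed ticket request on the domain controller. The following added example (not part of pypykatz or of this wiki page) flags sources that request many distinct unknown users in a short time, using Event ID 4768 with result code 0x6. Assumptions: failure auditing for the Kerberos Authentication Service is enabled, the events have already been flattened into the constructed CSV format shown, and the function names, threshold and window are hypothetical choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result code recorded in Event ID 4768 when the requested client principal
# does not exist (Kerberos error KDC_ERR_C_PRINCIPAL_UNKNOWN).
PRINCIPAL_UNKNOWN = 0x6

# Constructed sample data, not real logs. Assumed flat format:
# time,event_id,source_ip,requested_user,result_code
SAMPLE_LOG = """\
2021-04-12T09:15:00,4768,10.10.10.77,jsmiht,0x6
2021-04-12T09:15:20,4768,10.10.10.77,jsmith,0x0
2021-04-12T10:00:00,4768,10.10.10.50,admin,0x6
2021-04-12T10:00:01,4768,10.10.10.50,backup,0x6
2021-04-12T10:00:01,4768,10.10.10.50,testuser,0x0
2021-04-12T10:00:02,4768,10.10.10.50,guest1,0x6
2021-04-12T10:00:03,4768,10.10.10.50,helpdesk,0x6
2021-04-12T10:00:04,4768,10.10.10.50,svc_sql,0x6
"""

def parse_event(line):
    """Turn one sample line into a dict with typed fields."""
    ts, event_id, ip, user, code = line.strip().split(",")
    return {"time": datetime.fromisoformat(ts), "event_id": int(event_id),
            "ip": ip, "user": user.lower(), "code": int(code, 16)}

def find_enumeration_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: usernames} for sources that requested >= threshold
    distinct unknown users within `window` (usernames from those windows)."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4768 and ev["code"] == PRINCIPAL_UNKNOWN:
            per_ip[ev["ip"]].append((ev["time"], ev["user"]))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {user for _, user in hits[start:end + 1]}
            if len(users) >= threshold:
                flagged[ip] = sorted(set(flagged.get(ip, [])) | users)
    return flagged

EVENTS = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line]

if __name__ == "__main__":
    for ip, users in find_enumeration_sources(EVENTS).items():
        print(f"{ip}: {len(users)} unknown usernames requested: {users}")
```

The single mistyped logon from 10.10.10.77 stays below the threshold, while the host that walks through a list of names in a few seconds is reported.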