5. Kerberos Username Enumeration

You're now moving into Kerberos username enumeration using kerbrute.

πŸ“ You already have:

Domain name: megachange.nyx βœ…

DC IP: 192.168.10.4 βœ…

πŸ” What is it?

You’re trying to find valid usernames in a Windows domain using the Kerberos protocol β€” without needing a password.

This is helpful for:

  • AS-REP Roasting

  • Kerberoasting

  • Password spray/brute-force attacks

🧰 Tool: kerbrute

It asks the Domain Controller (DC): "Hey, does this username exist?"

If the DC's reply indicates that the account exists, the username is valid. No password is ever tried, so the check does not trigger account lockout 🚫🔒

🖥️ Example Command:

./kerbrute userenum --dc 192.168.10.4 -d megachange.nyx /path/to/userlist.txt

🔍 What each part means:

  • ./kerbrute → runs the tool (assuming you're in the same folder)

  • userenum → tells it to do username enumeration

  • --dc 192.168.10.4 → IP of the Domain Controller

  • -d megachange.nyx → the Domain Name (from LDAP)

  • /path/to/userlist.txt → a list of usernames to try


πŸ“ Output:

kerbrute will show the valid username:

[+] VALID USERNAME: alfredo@megachange.nyx

✅ Summary in 1 Line:

You use kerbrute to check which usernames exist in a Windows domain by asking the Kerberos service, without needing any password.
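What this looks like from the Domain Controller's side, as an added defensive example that is not part of the original lab: every name kerbrute tries produces a Windows Security event 4768 (a TGT was requested) on the DC. Names that do not exist fail with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), while existing accounts that require pre-authentication answer 0x19 (KDC_ERR_PREAUTH_REQUIRED). So although no lockout happens, a burst of 0x6 failures for many different names from one client IP is exactly the trace a wordlist run leaves behind. The log lines below are constructed, and the pipe-separated field layout, the one-minute window and the threshold of five distinct unknown names are assumptions for the example.

```python
"""Detect Kerberos username enumeration (e.g. kerbrute userenum) from
Windows Security event 4768 records.

Added defensive example, not part of the original lab. The log lines are
constructed; the pipe-separated layout and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes seen in event 4768 (KRB-ERROR codes from RFC 4120).
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"    # account does not exist
KDC_ERR_PREAUTH_REQUIRED = "0x19"      # account exists, pre-auth needed

# Constructed sample: timestamp|EventID|TargetUserName|IpAddress|Status
# 192.168.10.50 walks a wordlist; 192.168.10.23 is a user with one typo.
SAMPLE_LOG = """\
2024-05-01T10:00:00|4768|administrator|192.168.10.50|0x19
2024-05-01T10:00:00|4768|aaron|192.168.10.50|0x6
2024-05-01T10:00:00|4768|abigail|192.168.10.50|0x6
2024-05-01T10:00:01|4768|adam|192.168.10.50|0x6
2024-05-01T10:00:01|4768|alfredo|192.168.10.50|0x19
2024-05-01T10:00:01|4768|alice|192.168.10.50|0x6
2024-05-01T10:00:02|4768|andrew|192.168.10.50|0x6
2024-05-01T10:00:02|4768|anna|192.168.10.50|0x6
2024-05-01T10:00:02|4768|arthur|192.168.10.50|0x6
2024-05-01T10:05:00|4768|jsmith|192.168.10.23|0x0
2024-05-01T10:07:00|4768|jsmtih|192.168.10.23|0x6
2024-05-01T10:07:10|4768|jsmith|192.168.10.23|0x0
"""


def parse_4768(text):
    """Yield one dict per event 4768 line; other event IDs are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, status = line.split("|")
        if event_id != "4768":
            continue
        yield {
            "time": datetime.fromisoformat(ts),
            "user": user.lower(),
            "ip": ip,
            "status": status,
        }


def detect_enumeration(events, window=timedelta(minutes=1), min_unknown=5):
    """Flag source IPs that produce >= min_unknown KDC_ERR_C_PRINCIPAL_UNKNOWN
    failures for distinct usernames inside one sliding time window.

    Returns {ip: {"unknown": count of distinct unknown names in the busiest
    window, "names": those names sorted, "confirmed": names from the same
    source that answered 0x19, i.e. accounts the enumeration confirmed}}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        unknown = [e for e in evs if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN]

        # Slide a window over the unknown-principal failures and remember
        # the window with the most distinct names.
        best_names = set()
        start = 0
        for end in range(len(unknown)):
            while unknown[end]["time"] - unknown[start]["time"] > window:
                start += 1
            names = {e["user"] for e in unknown[start:end + 1]}
            if len(names) > len(best_names):
                best_names = names

        if len(best_names) >= min_unknown:
            confirmed = sorted({e["user"] for e in evs
                                if e["status"] == KDC_ERR_PREAUTH_REQUIRED})
            alerts[ip] = {
                "unknown": len(best_names),
                "names": sorted(best_names),
                "confirmed": confirmed,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(parse_4768(SAMPLE_LOG)).items():
        print(f"[!] {ip}: {info['unknown']} unknown names probed, "
              f"accounts confirmed: {info['confirmed']}")
```

Running it against the constructed sample flags 192.168.10.50 (seven distinct non-existent names in two seconds, with administrator and alfredo confirmed along the way) and ignores 192.168.10.23, whose single 0x6 is an ordinary typo. In a real SOC pipeline the same logic runs over 4768 events shipped from the DC (for example via Sysmon/Wazuh as in the earlier labs), and the threshold should be tuned against the normal rate of mistyped logons in the environment.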
