# User Enumeration

Kerberos responds differently to an AS‑REQ depending on whether the requested username exists in the domain. This behaviour allows attackers to **enumerate valid usernames without performing full authentication attempts**. Unlike traditional brute‑force methods, this approach does not generate the standard Windows logon failure event (Event ID 4625), because the authentication process does not reach the stage where a logon attempt is formally recorded. Instead, the username is validated by sending a **single UDP request** to the KDC and analysing the response. User enumeration is typically performed by sending AS‑REQ messages without pre‑authentication data.

| Kerberos Error                  | User Status     |
| ------------------------------- | --------------- |
| KDC\_ERR\_PREAUTH\_REQUIRED     | Present/Enabled |
| KDC\_ERR\_CLIENT\_REVOKED       | Locked/Disabled |
| KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Does not exist  |

**This process does not increment failed logon counters and therefore does not cause account lockouts**. In most environments, it also generates minimal logging, although if advanced Kerberos auditing is enabled, Event ID 4768 may still be recorded. This technique is commonly automated with tools such as [Kerbrute](https://github.com/ropnop/kerbrute), which streamlines username enumeration and password spraying using Kerberos protocol behaviour.

{% code overflow="wrap" %}

```shell
# Enumerate usernames via Kerberos
kerbrute userenum users.txt --dc dc01.marvel.local -d marvel.local > kerberos-username-enum.txt

# Extract the domain users: skip the first 12 lines of output, take field 7
# of each remaining line, and drop the final line
awk 'NR>12 {if (prev) print prev; prev=$7}' kerberos-username-enum.txt > kerberos-username-enum-cleaned.txt
```

{% endcode %}
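
On the detection side, the Event ID 4768 failures mentioned above are what a defender has to work with. The following is an added example, not part of the original page or of Kerbrute: it flags any source address whose failed AS‑REQs name many distinct accounts within a short window. It assumes failure auditing for the Kerberos Authentication Service is enabled and that events have been exported as dictionaries using the 4768 field names `TargetUserName`, `Status` and `IpAddress`; the function name, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 4768 "Status" values for the two failure responses in the table above
PROBE_CODES = {"0x6",   # KDC_ERR_C_PRINCIPAL_UNKNOWN
               "0x12"}  # KDC_ERR_CLIENT_REVOKED

def find_enumeration(events, window=timedelta(minutes=5), threshold=5):
    """Map source IP -> sorted usernames, for sources whose failed AS-REQs
    name at least `threshold` distinct accounts inside one `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4768 or ev["Status"].lower() not in PROBE_CODES:
            continue
        ip = ev["IpAddress"].replace("::ffff:", "")  # IPv4-mapped form
        when = datetime.fromisoformat(ev["TimeCreated"])
        by_source[ip].append((when, ev["TargetUserName"].lower()))

    flagged = defaultdict(set)
    for ip, hits in by_source.items():
        hits.sort()
        start = 0
        for end, (when, _) in enumerate(hits):
            while when - hits[start][0] > window:   # slide the window forward
                start += 1
            names = {name for _, name in hits[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] |= names
    return {ip: sorted(names) for ip, names in flagged.items()}

# Constructed sample: one host probing six names in six seconds, and a
# workstation where a user mistypes a name once and then logs on.
_PROBED = ["administrator", "backup", "guest", "helpdesk", "svc_sql", "test"]
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": f"2024-05-01T10:00:0{i}",
     "TargetUserName": name, "Status": "0x12" if name == "guest" else "0x6",
     "IpAddress": "::ffff:10.0.0.50"}
    for i, name in enumerate(_PROBED)
] + [
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:01:00",
     "TargetUserName": "jsmtih", "Status": "0x6", "IpAddress": "::ffff:10.0.0.21"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:01:05",
     "TargetUserName": "jsmith", "Status": "0x0", "IpAddress": "::ffff:10.0.0.21"},
]

if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} distinct usernames probed: {', '.join(names)}")
```

Counting distinct usernames per source, rather than raw failures, keeps a single mistyped logon from raising an alert.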


