> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/enumeration/information-gathering-enumeration-active-directory.md).

# Active Directory

## Kerberos User Enumeration

Identify valid Active Directory usernames by leveraging differences in Kerberos TGT request responses for existing vs. non-existing users. The tool works by attempting to request a Kerberos TGT for a list of users. If the user exists and pre-authentication is required (which is the default setting for most user accounts), the KDC will respond with a `KRB5KDC_ERR_PREAUTH_REQUIRED` error. If the user does not exist, the KDC will respond with a `KDC_ERR_C_PRINCIPAL_UNKNOWN` error. This distinction allows Kerbrute to enumerate valid usernames without requiring valid credentials. Kerbrute leverages this difference in KDC responses for valid usernames when pre-authentication is required.

The basic command to perform user enumeration is as follows:

```bash
kerbrute userenum -d <domain> -w <wordlist>
```

This command requires a user list file (`<wordlist>`) and the target domain (`<domain>`). You can optionally specify the domain controller IP or hostname using `--dc <domain controller>`.

For example, using `userlist.txt` against the `spookysec.local` domain, targeting the DC explicitly:

```bash
kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
```

This command requires a user list file (`userlist.txt`) and either the domain controller IP/hostname (`--dc`) or just the domain name (`-d`) if the DC is resolvable or specified via `--dc`. The output will indicate valid users by showing the `[+] Valid Username` message, corresponding to the `KRB5KDC_ERR_PREAUTH_REQUIRED` response.
