Overview

Performs Kerberos-based password bruteforce attacks against domain accounts. The technique uses Kerberos pre-authentication to test passwords and, in many configurations, does not trigger traditional account lockout mechanisms.
Password bruteforce attacks can still trigger account lockouts and generate significant authentication logs on the domain controller. Use carefully in production environments.

Syntax

Rubeus.exe brute /passwords:PASSWORDS [targeting] [options]

Targeting Options

  /password <string>     Single password to test against multiple users
  /passwords <string>    File containing a list of passwords to test
  /user <string>         Single username to test against multiple passwords
  /users <string>        File containing a list of usernames to test

Optional Parameters

  /domain <string>       Target domain (default: current domain)
  /dc <string>           Domain controller to target
  /outfile <string>      Write successful credentials to a file
  /noticket <boolean>    Don't request a TGT for valid credentials
  /verbose <boolean>     Show failed authentication attempts

Examples

# Test single password against multiple users
Rubeus.exe brute /password:Password123! /users:C:\temp\users.txt

# Test multiple passwords against single user
Rubeus.exe brute /passwords:C:\temp\passwords.txt /user:admin

# Full matrix attack
Rubeus.exe brute /passwords:C:\temp\passwords.txt /users:C:\temp\users.txt
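Defender-side counterpart to the commands above, added here as an example that is not part of the original page or the Rubeus project. Each wrong password submitted for a valid account makes the domain controller log Security event 4771 (Kerberos pre-authentication failed) with failure code 0x18; the script below flags any client address that produces such failures for many distinct accounts inside a short window, which is the signature of the "single password against multiple users" run. The record layout and sample events are constructed, not a real log export.

```python
"""Detect Kerberos password spraying from Windows Security event 4771 records.

Event 4771 with status 0x18 (KDC_ERR_PREAUTH_FAILED) is logged per wrong
password for an existing account. Attempts against accounts that do not
exist show up as event 4768 with status 0x6 instead, so those are left out
of the spray count here. Field order and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (EventID, TimeCreated, TargetUserName, IpAddress, Status)
SAMPLE_EVENTS = [
    ("4771", "2024-06-03T09:00:01", "alice", "10.0.0.25", "0x18"),
    ("4771", "2024-06-03T09:00:02", "bob",   "10.0.0.25", "0x18"),
    ("4771", "2024-06-03T09:00:02", "carol", "10.0.0.25", "0x18"),
    ("4771", "2024-06-03T09:00:03", "dave",  "10.0.0.25", "0x18"),
    ("4771", "2024-06-03T09:00:03", "erin",  "10.0.0.25", "0x18"),
    ("4771", "2024-06-03T09:05:00", "alice", "10.0.0.77", "0x18"),  # one typo
    ("4771", "2024-06-03T09:06:00", "alice", "10.0.0.77", "0x17"),  # expired pw
    ("4768", "2024-06-03T09:00:04", "ghost", "10.0.0.25", "0x6"),   # unknown user
]

PREAUTH_FAILED = "0x18"


def detect_spray(events, window_seconds=600, min_accounts=5):
    """Return {ip: sorted account list} for every source address that had
    0x18 pre-auth failures against >= min_accounts distinct accounts
    within any window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # ip -> [(timestamp, account)]
    for event_id, ts, user, ip, status in events:
        if event_id == "4771" and status == PREAUTH_FAILED:
            failures[ip].append((datetime.fromisoformat(ts), user))

    hits = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end, (t_end, _) in enumerate(rows):
            # Slide the left edge forward until the window fits.
            while t_end - rows[start][0] > window:
                start += 1
            accounts = {user for _, user in rows[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits


if __name__ == "__main__":
    for ip, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {ip}: {len(accounts)} accounts {accounts}")
```

Lowering min_accounts or widening the window catches the slower "low and slow" variant at the cost of more noise from ordinary typos, so tune both against a baseline of the domain's normal 4771 volume.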

Attack Strategies

Low and Slow:
  • Test common passwords against many accounts
  • Avoid account lockout by testing few passwords
  • Focus on seasonal/company-specific passwords
Common Password Lists:
  • Password123!, Welcome123!, Summer2024!
  • Company name variations
  • Season + year combinations
  • Default passwords (admin, password, etc.)
High-Value Accounts:
  • Focus on administrative accounts
  • Service accounts with predictable passwords
  • Accounts with known password patterns
Intelligence-Driven:
  • Use OSINT for password hints
  • Company-specific terminology
  • Personal information from social media

Evasion and OpSec

Lockout Policy Awareness:
  • Understand domain lockout thresholds
  • Stay below lockout attempt limits
  • Implement delays between attempts
Safe Testing Strategies:
  • Test 1-2 passwords per account per day
  • Distribute attempts across time
  • Use multiple source IPs if possible
Timing Strategies:
  • Perform during business hours
  • Mimic normal authentication patterns
  • Implement random delays
Volume Management:
  • Limit total authentication attempts
  • Rotate target accounts
  • Monitor for defensive responses