bruteforce

1. Kerberos brute-force no domain accounts required; just connectivity to KDC (DC) Kerberos pre-auth errors not logged in AD as normal logon failure (event 4625) but as specific Kerberos pre-auth failure (event 4771) will increment failed login counts Kerberos indicates whether username is correct regardless of correct/incorrect password good for: brute-forcing user:pass combos or single user against wordlist enumerating usernames password spraying against userlist possible to discover accounts w/o pre-auth requirements which is useful for ASREPRoast attacks NOTE: a brute-force attack is always susceptible to being detected and blocked, hence, should be used with care....