Closed 61106960 closed 5 years ago
I definitely see the value in that, but I'm hesitant to add that kind of logic to kerbrute. In my opinion, it's better to keep the tool somewhat "dumb" and just test what it's explicitly told to.
But...that got me thinking of a better approach to this and I decided to add a new command to kerbrute that accepts username:password combinations from a file or from stdin. That way it's really easy to generate a list of username:username combos and feed it to the tool to test (as well as any other password combinations you'd like). With stdin, you could feed a script directly to kerbrute and test for a wide variety of combinations and default passwords.
Check out this branch and tell me what you think: https://github.com/ropnop/kerbrute/tree/feature/test_combos
Would that satisfy your use case?
Great, that was the thing I was searching for. Works great! Thank you very much and keep doing your great work.
Changed my mind :) I added a --user-as-pass option to password spray in #13. Let me know how it works out!
Every onsite pentest I have faced so far, at least a couple of users had been set with username=password. I think it could be helpful to add to the bruteuser module some kind of username=password.