How does kerbrute determine whether a domain user exists during enumeration?
Kerbrute sends an AS-REQ packet to the KDC and checks the error code in the response. If the user exists, it receives 'eRR-PREAUTH-REQUIRED (25)'; if the user does not exist, it receives 'eRR-C-PRINCIPAL-UNKNOWN (6)'. This is done without any prior credentials, allowing attackers to validate usernames from outside the domain.
Tags: user enumeration, AS-REQ, error code, KDC, kerbrute