File krb5-enum-users
Script types:
portrule
Categories:
auth, intrusive
Download: http://nmap.org/svn/scripts/krb5-enum-users.nse
User Summary
Discovers valid usernames by brute-force querying likely usernames against a Kerberos service. When an invalid username is requested, the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the username was invalid. Valid usernames elicit either the TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
The script should work against Active Directory and ? It needs a valid Kerberos REALM in order to operate.
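The error-code difference described above is also what a defender can watch for on the KDC side. The following is an added example, not part of the Nmap script: it flags sources that request many distinct nonexistent principals in a short window and lists which names were confirmed to them. The event tuple layout, the use of 0 to mark an issued AS-REP, the thresholds and the sample records are assumptions of this example; the codes 6 and 25 are the RFC 4120 values for the two errors named above.

```python
from collections import defaultdict

PRINCIPAL_UNKNOWN = 6   # KDC_ERR_C_PRINCIPAL_UNKNOWN (RFC 4120)
PREAUTH_REQUIRED = 25   # KDC_ERR_PREAUTH_REQUIRED (RFC 4120)
AS_REP = 0              # assumption of this example: 0 marks an AS-REP (TGT issued)

def find_enumeration(events, window=60, min_unknown=5):
    """events: iterable of (epoch_seconds, source_ip, principal, code).
    Flags sources that asked for at least `min_unknown` distinct unknown
    principals within `window` seconds, and reports what each one learned."""
    by_src = defaultdict(list)
    for ts, src, principal, code in sorted(events):
        by_src[src].append((ts, principal.lower(), code))
    findings = {}
    for src, rows in by_src.items():
        misses = [(ts, p) for ts, p, code in rows if code == PRINCIPAL_UNKNOWN]
        start, flagged = 0, False
        for end, (ts, _) in enumerate(misses):
            while ts - misses[start][0] > window:   # slide the window forward
                start += 1
            if len({p for _, p in misses[start:end + 1]}) >= min_unknown:
                flagged = True
                break
        if flagged:
            findings[src] = {
                "unknown": sorted({p for _, p in misses}),
                # Names the source now knows exist: watch these for password guessing.
                "confirmed": sorted({p for _, p, c in rows
                                     if c in (PREAUTH_REQUIRED, AS_REP)}),
                # A TGT returned to an unauthenticated request means pre-auth is disabled.
                "no_preauth": sorted({p for _, p, c in rows if c == AS_REP}),
            }
    return findings

# Constructed sample records (not real log data).
SAMPLE = [
    (1000, "203.0.113.10", "admin@test", 6),
    (1001, "203.0.113.10", "administrator@test", 25),
    (1002, "203.0.113.10", "guest@test", 6),
    (1003, "203.0.113.10", "mysql@test", 25),
    (1004, "203.0.113.10", "root@test", 6),
    (1005, "203.0.113.10", "tomcat@test", 0),
    (1006, "203.0.113.10", "oracle@test", 6),
    (1007, "203.0.113.10", "backup@test", 6),
    (1100, "198.51.100.7", "jsmiht@test", 6),   # a single mistyped name, not flagged
    (1130, "198.51.100.7", "jsmith@test", 25),
]

if __name__ == "__main__":
    for src, finding in find_enumeration(SAMPLE).items():
        print(src, finding)
```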
Script Arguments
krb5-enum-users.realm
This argument is required, as it supplies the script with the Kerberos REALM against which to guess the usernames.
passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb
See the documentation for the unpwdb library.
Example Usage
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <target>
Script Output
PORT   STATE SERVICE      REASON
88/tcp open  kerberos-sec syn-ack
| krb5-enum-users:
| Discovered Kerberos principals
|     administrator@test
|     mysql@test
|_    tomcat@test
Requires
Author: Patrik Karlsson
License: Same as Nmap--See http://nmap.org/book/man-legal.html


