Categories: auth, intrusive
Discovers valid usernames by brute-force querying likely usernames against a Kerberos service. When an invalid username is requested, the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which tells us that the user name was invalid. Valid user names elicit either a TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
The script should work against Active Directory and ? It needs a valid Kerberos REALM in order to operate.
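The exchange described above, as an added illustration that is not part of the NSE script (which is written in Lua) or of the Nmap project: a minimal AS-REQ with no pre-authentication data is DER-encoded by hand, and the KDC's reply is classified by its outer tag (AS-REP) or, for a KRB-ERROR, by its error-code field (6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 25 = KDC_ERR_PREAUTH_REQUIRED, numbering from RFC 4120). The helper names, the `make_krb_error` fixtures and the TCP/88 transport with its 4-byte length prefix in `probe` are assumptions of this example, not the script's behaviour; the KDC address passed to `probe` is whatever host you are authorised to test.

```python
"""Kerberos AS-REQ probe and KDC-reply classifier, stdlib only (RFC 4120 DER). Added
example for this page, not the NSE script's Lua; fixtures and the KDC address are assumed."""
import os
import socket

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # RFC 4120 section 7.5.9
KDC_ERR_PREAUTH_REQUIRED = 25

def der_len(n):                # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    """Minimal two's-complement INTEGER (covers Kerberos Int32/UInt32)."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))
def gen_string(s):             # GeneralString (tag 27): Realm and name-string parts
    return tlv(0x1B, s.encode("ascii"))
def ctx(n, content):           # [n] EXPLICIT context-specific tag, constructed
    return tlv(0xA0 | n, content)
def seq(*items):               # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(items))
def principal(name_type, *parts):
    return seq(ctx(0, der_int(name_type)), ctx(1, seq(*[gen_string(p) for p in parts])))

def build_as_req(username, realm, etypes=(18, 17, 23)):
    """AS-REQ with no padata: the probe an enumerator sends for each candidate name."""
    kdc_options = tlv(0x03, bytes([0, 0x40, 0, 0, 0x10]))   # forwardable, renewable-ok
    nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    body = seq(
        ctx(0, kdc_options),
        ctx(1, principal(1, username)),              # cname, NT-PRINCIPAL
        ctx(2, gen_string(realm)),
        ctx(3, principal(2, "krbtgt", realm)),       # sname, NT-SRV-INST
        ctx(5, tlv(0x18, b"20370913024805Z")),       # till (KerberosTime)
        ctx(7, der_int(nonce)),
        ctx(8, seq(*[der_int(e) for e in etypes])),  # etype
    )   # [APPLICATION 10] SEQUENCE { pvno [1], msg-type [2], req-body [4] }
    return tlv(0x6A, seq(ctx(1, der_int(5)), ctx(2, der_int(10)), ctx(4, body)))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """error-code [6] of a KRB-ERROR ([APPLICATION 30]) message."""
    tag, content, _ = read_tlv(msg)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR")
    _, fields, _ = read_tlv(content)                 # the inner SEQUENCE
    pos = 0
    while pos < len(fields):
        ftag, fval, pos = read_tlv(fields, pos)
        if ftag == 0xA6:
            return int.from_bytes(read_tlv(fval)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def classify(msg):
    """Map a KDC reply to the three outcomes described above."""
    if msg[0] == 0x6B:                               # AS-REP [APPLICATION 11]: TGT issued
        return "valid (no preauth, AS-REP returned)"
    if msg[0] != 0x7E:
        raise ValueError("unexpected message tag 0x%02x" % msg[0])
    code = krb_error_code(msg)
    if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "invalid"
    if code == KDC_ERR_PREAUTH_REQUIRED:
        return "valid (preauth required)"
    return "unknown (error-code %d)" % code          # e.g. 18 CLIENT_REVOKED: exists, disabled

def make_krb_error(code, realm="TEST"):
    """Constructed KRB-ERROR fixture (mandatory fields only); not a captured KDC reply."""
    return tlv(0x7E, seq(
        ctx(0, der_int(5)), ctx(1, der_int(30)),
        ctx(4, tlv(0x18, b"20240101000000Z")), ctx(5, der_int(0)),
        ctx(6, der_int(code)),
        ctx(9, gen_string(realm)), ctx(10, principal(2, "krbtgt", realm)),
    ))

def probe(kdc, realm, username, timeout=5.0):
    """Live probe over TCP/88; RFC 4120 7.2.2 frames each message with a 4-byte length."""
    req = build_as_req(username, realm)
    with socket.create_connection((kdc, 88), timeout=timeout) as s:
        s.sendall(len(req).to_bytes(4, "big") + req)
        n, data = int.from_bytes(s.recv(4), "big") & 0x7FFFFFFF, b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                raise ConnectionError("KDC closed the connection early")
            data += chunk
    return classify(data)   # usage: probe("<kdc-address>", "TEST", "administrator")
```

Two points worth keeping in mind when reading the classifier: an error-code other than 6 or 25 is not evidence either way and should be reported rather than silently folded into "invalid", and every probe is an AS-REQ the KDC processes and can log, which is why the script carries the intrusive category.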
Script Arguments:
- krb5-enum-users.realm: this argument is required, as it supplies the script with the Kerberos REALM against which to guess the user names.
- passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb: see the documentation for the unpwdb library.
Example Usage:
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Script Output:
PORT   STATE SERVICE      REASON
88/tcp open  kerberos-sec syn-ack
| krb5-enum-users:
| Discovered Kerberos principals
|     administrator@test
|     mysql@test
|_    tomcat@test
License: Same as Nmap--See https://nmap.org/book/man-legal.html