Categories: auth, intrusive
Discovers valid usernames by brute-force querying likely usernames against a Kerberos service. When an invalid username is requested, the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which reveals that the user name was invalid. Valid user names elicit either a TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre-authentication.
The script should work against Active Directory and ? It needs a valid Kerberos REALM in order to operate.
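The two KDC responses described above are also what a defender can key on: a single client that collects many KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN answers in a short window is enumerating, and the PREAUTH_REQUIRED or TGT answers in the same burst are the names it confirmed. The following added example (not part of the Nmap script) runs that check over a constructed, simplified AS-REQ audit log; the "ts key=value" record format and the sample addresses and names are assumptions, while the numeric error codes are from RFC 4120.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# RFC 4120 error codes that the enumeration relies on (decimal values).
KDC_ERR_NONE = 0                  # AS-REP carrying a TGT: the principal exists
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # the requested user name does not exist
KDC_ERR_PREAUTH_REQUIRED = 25     # the principal exists, pre-auth needed

# Constructed sample in a simplified "ts key=value ..." format (not a real
# KDC log format): 10.0.0.5 walks a wordlist, 10.0.0.9 is a user's typo.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=10.0.0.5 principal=admin code=6
2024-01-01T10:00:01 src=10.0.0.5 principal=administrator code=25
2024-01-01T10:00:01 src=10.0.0.5 principal=backup code=6
2024-01-01T10:00:02 src=10.0.0.5 principal=mysql code=25
2024-01-01T10:00:02 src=10.0.0.5 principal=oracle code=6
2024-01-01T10:05:00 src=10.0.0.9 principal=alice code=0
2024-01-01T10:06:00 src=10.0.0.9 principal=alcie code=6
"""

def parse_line(line):
    """Parse one record into a dict with a datetime 'ts' and an int 'code'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"], rec["code"] = datetime.fromisoformat(ts), int(rec["code"])
    return rec

def detect_enumeration(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return {src: {"unknown": [...], "confirmed": [...]}} for each source that
    asked for >= `threshold` distinct non-existent principals within one
    `window`; 'confirmed' lists the existing accounts that burst also revealed."""
    by_src = defaultdict(list)
    for rec in map(parse_line, filter(None, log_text.splitlines())):
        by_src[rec["src"]].append(rec)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):  # sliding window anchored at each record
            unknown, confirmed = set(), set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                if r["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
                    unknown.add(r["principal"])
                elif r["code"] in (KDC_ERR_NONE, KDC_ERR_PREAUTH_REQUIRED):
                    confirmed.add(r["principal"])
            if len(unknown) >= threshold:
                hits[src] = {"unknown": sorted(unknown), "confirmed": sorted(confirmed)}
                break
    return hits
```

The threshold and window are tuning knobs: a lone unknown principal is usually a typo, so alert on the burst and treat the confirmed list as the accounts to watch for follow-on logon attempts.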
krb5-enum-users.realm: this argument is required, as it supplies the script with the Kerberos REALM against which to guess the user names.
passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb: See the documentation for the unpwdb library.
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
PORT   STATE SERVICE      REASON
88/tcp open  kerberos-sec syn-ack
| krb5-enum-users:
| Discovered Kerberos principals
|     administrator@test
|     mysql@test
|_    tomcat@test
License: Same as Nmap--See https://nmap.org/book/man-legal.html