Script krb5-enum-users

Script types: portrule
Categories: auth, intrusive

Script Summary

Discovers valid usernames by brute force querying likely usernames against a Kerberos service. When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the user name was invalid. Valid user names will illicit either the TGT in a AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, signaling that the user is required to perform pre authentication.

The script should work against Active Directory and ? It needs a valid Kerberos REALM in order to operate.

Script Arguments


this argument is required as it supplies the script with the Kerberos REALM against which to guess the user names.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

Example Usage

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Script Output

88/tcp open  kerberos-sec syn-ack
| krb5-enum-users:
| Discovered Kerberos principals
|     administrator@test
|     mysql@test
|_    tomcat@test



  • Patrik Karlsson

License: Same as Nmap--See