Kerberos Domain Username Enumeration


Kerberos: Enumerating Domain Usernames

Enumerating domain account names

Welcome to a technical blog post for Penetration Testers by our Principal Security Consultant, Matt Byrne.

In recent years, enumerating valid operating-system-level user names from up-to-date, well-maintained Windows environments – even from an internal test perspective – has become increasingly difficult.

Where RID cycling once provided a full list of domain users, this is no longer the case.

However, for internal assessments, the Kerberos service (88/tcp) still provides a happy hunting ground for enumerating domain account names.

Username enumeration is leveraged via the following Kerberos error codes:

User Status      | Kerberos Error
-----------------|--------------------------------------------------------------------
Present/Enabled  | KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
Locked/Disabled  | KDC_ERR_CLIENT_REVOKED - Clients credentials have been revoked
Does not exist   | KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
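The same three error codes are what a defender sees from the other side: a single source asking the KDC about many principals that do not exist is the footprint of a wordlist being run against the domain. The following is an added example (not code from the original post or any of the tools it mentions) that classifies each KDC error by the account status it reveals and flags sources that hit many distinct non-existent principals. The numeric codes are the standard values from RFC 4120 (6, 18 and 25); the log line layout, the sample lines and the threshold of five are constructed assumptions for the example, not a real KDC's log format.

```python
import re
from collections import defaultdict

# Standard Kerberos error codes (RFC 4120) behind the three statuses in the table above.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # account does not exist
KDC_ERR_CLIENT_REVOKED = 18       # account locked or disabled
KDC_ERR_PREAUTH_REQUIRED = 25     # account present and enabled (KDC asks for pre-auth)

ERROR_TO_STATUS = {
    KDC_ERR_PREAUTH_REQUIRED: "present/enabled",
    KDC_ERR_CLIENT_REVOKED: "locked/disabled",
    KDC_ERR_C_PRINCIPAL_UNKNOWN: "does not exist",
}


def classify_error(code):
    """Map a KDC error code to what the response reveals about the requested account."""
    return ERROR_TO_STATUS.get(code, "unknown")


# Constructed, simplified log layout (hypothetical; not a real KDC or Windows event format):
#   <timestamp> client=<source ip> principal=<name@REALM> error=<decimal KDC error code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) principal=(?P<principal>\S+) error=(?P<code>\d+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "client": m["client"],
        "principal": m["principal"],
        "code": int(m["code"]),
    }


def detect_enumeration(lines, unknown_threshold=5):
    """Per source address, group the distinct principals requested by revealed status.

    A source that has asked about at least `unknown_threshold` distinct non-existent
    principals is marked as suspected enumeration. Valid and disabled principals the
    source touched are reported too, since those are exactly what the enumeration yields.
    """
    per_client = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        per_client[rec["client"]][classify_error(rec["code"])].add(rec["principal"])

    report = {}
    for client, buckets in per_client.items():
        unknown = len(buckets.get("does not exist", ()))
        report[client] = {
            "unknown_principals": unknown,
            "valid_principals": sorted(buckets.get("present/enabled", ())),
            "disabled_principals": sorted(buckets.get("locked/disabled", ())),
            "suspected_enumeration": unknown >= unknown_threshold,
        }
    return report


# Constructed sample: 10.0.0.5 walks a small wordlist; 10.0.0.9 is a user mistyping a name once.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z client=10.0.0.5 principal=alice@CORP.LOCAL error=25",
    "2024-01-01T10:00:01Z client=10.0.0.5 principal=bob@CORP.LOCAL error=6",
    "2024-01-01T10:00:02Z client=10.0.0.5 principal=carol@CORP.LOCAL error=6",
    "2024-01-01T10:00:02Z client=10.0.0.5 principal=dave@CORP.LOCAL error=6",
    "2024-01-01T10:00:03Z client=10.0.0.5 principal=erin@CORP.LOCAL error=6",
    "2024-01-01T10:00:03Z client=10.0.0.5 principal=frank@CORP.LOCAL error=6",
    "2024-01-01T10:00:04Z client=10.0.0.5 principal=svc_backup@CORP.LOCAL error=18",
    "2024-01-01T10:05:00Z client=10.0.0.9 principal=alcie@CORP.LOCAL error=6",
    "2024-01-01T10:05:07Z client=10.0.0.9 principal=alice@CORP.LOCAL error=25",
    "this line is not in the expected layout",
]

if __name__ == "__main__":
    for client, summary in detect_enumeration(SAMPLE_LOG).items():
        print(client, summary)
```

The threshold is deliberately on distinct non-existent principals rather than on raw request volume: a busy workstation produces many KDC requests for the same few accounts, while a wordlist produces one request each for many names that were never in the directory. Tune the threshold and window to the environment before alerting on it.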

Several good tools have been around for a while, allowing us to leverage these Kerberos responses to identify valid or invalid domain accounts.

Two of the tools I used until recently are provided by Patrik Karlsson. The first is the standalone Java tool KrbGuess; the second is the krb5-enum-users NSE script for nmap:

KrbGuess

Usage:

java -jar krbguess.jar -r [domain] -d [user list] -s [DC IP]

krb5-enum-users NSE Script for nmap

Usage:

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]

Leveraging Kerberos within the Metasploit Framework

Like most Penetration Testers, I’m a heavy user of the Metasploit Framework. Having the ability to leverage the Kerberos functionality within the framework has appealed to me for years.

For whatever reason it never seems to have been implemented, so I decided to try and implement it myself.

Leaning heavily on the Kerberos support provided by other Metasploit contributors and using the auxiliary module for ms14_068_kerberos_checksum as a template, the process was a lot simpler than I had anticipated.

The new Metasploit auxiliary module can be found in the following location:

As with the Kerberos enumeration tools discussed previously, three values should be provided:

  • Domain Name (DOMAIN)
  • Domain Controller IP (RHOST)
  • User list (USER_FILE)


The module can now be run to enumerate valid (and disabled/locked) domain accounts via the Kerberos service:

Thanks to an addition by bwatter-r7 at rapid7, any valid enumerated usernames are stored in the Metasploit database for retrieval using the ‘creds’ command:

References and further reading

  • cqure.net: KrbGuess
  • Nmap: krb5-enum-users NSE script
  • Rapid7: Microsoft Kerberos Checksum Validation Vulnerability (ms14_068_kerberos_checksum)
