Kerberos Domain Username Enumeration
Enumerating domain account names
Welcome to a technical blog post for Penetration Testers by our Principal Security Consultant, Matt Byrne.
In recent years, enumerating valid operating-system-level user names from up-to-date, well-maintained Windows environments, even from an internal test perspective, has become increasingly unlikely.
Where RID cycling once provided a full list of domain users, this is no longer the case.
However, for internal assessments, the Kerberos service (88/tcp) still provides a happy hunting ground for enumerating domain account names.
Username enumeration relies on the following Kerberos error codes, which distinguish the three account states:
- KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required (account exists and is valid)
- KDC_ERR_CLIENT_REVOKED - Client's credentials have been revoked (account exists but is disabled or locked)
- KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database (account does not exist)
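From the defending side, the same result codes are what a domain controller records: Windows logs each TGT request as Security Event ID 4768, and a burst of 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) results for many distinct names from a single source is the footprint a wordlist run leaves. The detection below is an added example, not part of the original post; its simplified log format, IP addresses and usernames are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Result Code values in Windows Security Event ID 4768 (TGT request) for the
# KDC errors named in the post: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user),
# 0x12 KDC_ERR_CLIENT_REVOKED (disabled/locked), 0x19 KDC_ERR_PREAUTH_REQUIRED.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6

# Constructed sample events in a simplified key=value form (not real logs):
# 10.0.0.5 walks a wordlist, 10.0.0.9 is one user mistyping their own name.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 EventID=4768 TargetUserName=alice IpAddress=10.0.0.5 Status=0x6
2024-03-01T10:00:01 EventID=4768 TargetUserName=bob IpAddress=10.0.0.5 Status=0x6
2024-03-01T10:00:02 EventID=4768 TargetUserName=carol IpAddress=10.0.0.5 Status=0x12
2024-03-01T10:00:02 EventID=4768 TargetUserName=dave IpAddress=10.0.0.5 Status=0x6
2024-03-01T10:00:03 EventID=4768 TargetUserName=erin IpAddress=10.0.0.5 Status=0x6
2024-03-01T10:00:03 EventID=4768 TargetUserName=frank IpAddress=10.0.0.5 Status=0x6
2024-03-01T10:05:00 EventID=4768 TargetUserName=jsmtih IpAddress=10.0.0.9 Status=0x6
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4768 TargetUserName=(?P<user>\S+) "
                     r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9a-fA-F]+)$")

def parse_events(text):
    """Parse the constructed 4768 lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "ip": m["ip"], "status": int(m["status"], 16)})
    return events

def find_enumeration_sources(events, window=timedelta(minutes=1), threshold=5):
    """Return {source_ip: sorted unknown names} for every IP that triggered 0x6 for
    >= threshold distinct names inside one sliding window (a lone typo never trips it)."""
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_ip[e["ip"]].append((e["ts"], e["user"]))
    hits = {}
    for ip, items in per_ip.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {u for t, u in items[i:] if t - start <= window}
            if len(names) >= threshold:
                hits[ip] = sorted(names)
                break
    return hits
```

The 0x12 result for carol is deliberately not counted: a disabled account is a real account, so it belongs in a separate alert rather than in the unknown-name tally.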
Several good tools have been around for a while that allow us to leverage these Kerberos responses to identify valid or invalid domain accounts.
Two of the tools I used until recently are provided by Patrik Karlsson. The first is the standalone Java tool Krbguess; the second is the krb5-enum-users NSE script for nmap:
Krbguess:
java -jar kerbguess.jar -r [domain] -d [user list] -s [DC IP]
krb5-enum-users NSE script for nmap:
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]
Leveraging Kerberos within the Metasploit Framework
Like most Penetration Testers, I'm a heavy user of the Metasploit Framework. Having the ability to leverage the Kerberos functionality within the framework for username enumeration has appealed to me for years.
For whatever reason it never seems to have been implemented, so I decided to try to implement it myself.
Leaning heavily on the Kerberos support provided by other Metasploit contributors and using the auxiliary module for ms14_068_kerberos_checksum as a template, the process was a lot simpler than I had anticipated.
The new Metasploit auxiliary module can be found in the following location:
As with the Kerberos enumeration tools discussed previously, three values should be provided:
- Domain Name (DOMAIN)
- Domain Controller IP (RHOST)
- User list (USER_FILE)
The module can now be run to enumerate valid (and disabled/locked) domain accounts via the Kerberos service:
Thanks to an addition by bwatter-r7 at Rapid7, any valid enumerated usernames are stored in the Metasploit database for retrieval using the 'creds' command: