
Kerberos Domain Username Enumeration

Enumerating domain account names

Welcome to a technical blog post for Penetration Testers by our Principal Security Consultant, Matt Byrne.

In recent years, enumerating valid operating-system-level user names from up-to-date, well-maintained Windows environments, even from an internal test perspective, has become increasingly unlikely.

Where RID cycling once provided a full list of domain users, this is no longer the case.

However, for internal assessments, the Kerberos service (88/tcp) still provides a happy hunting ground for enumerating domain account names.

Username enumeration relies on the following Kerberos error codes:

User Status       Kerberos Error
Present/Enabled   KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
Locked/Disabled   KDC_ERR_CLIENT_REVOKED - Client's credentials have been revoked
Does not exist    KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
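As an added illustration from the defender's side (not part of the original post), the following Python maps these three error codes, which Windows also records as the Result Code of Event ID 4768 on the domain controller, to the statuses above and flags any client that produces a burst of "client not found" responses. The log line format and the sample records are a constructed simplification, not the native event layout.

```python
from collections import defaultdict, deque
from datetime import datetime

# Kerberos error codes (RFC 4120); Windows logs the same values as the Result Code of Event ID 4768.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # client not found: account does not exist
KDC_ERR_CLIENT_REVOKED = 0x12       # credentials revoked: locked or disabled
KDC_ERR_PREAUTH_REQUIRED = 0x19     # pre-auth required: present and enabled

STATUS = {
    KDC_ERR_PREAUTH_REQUIRED: "Present/Enabled",
    KDC_ERR_CLIENT_REVOKED: "Locked/Disabled",
    KDC_ERR_C_PRINCIPAL_UNKNOWN: "Does not exist",
}

# Constructed sample (not real data): one simplified 4768-style record per
# AS-REQ, in the form "timestamp|client_ip|account|result_code".
SAMPLE_LOG = """\
2016-03-01T09:00:01|10.0.0.5|alice|0x19
2016-03-01T09:00:01|10.0.0.5|bob|0x6
2016-03-01T09:00:02|10.0.0.5|carol|0x6
2016-03-01T09:00:02|10.0.0.5|dave|0x12
2016-03-01T09:00:03|10.0.0.5|erin|0x6
2016-03-01T09:00:04|10.0.0.5|frank|0x6
2016-03-01T09:05:00|10.0.0.9|alice|0x19
"""

def classify(result_code):
    """Map a KDC error code to the account status it reveals (table above)."""
    return STATUS.get(result_code, "Other")

def parse_line(line):
    ts, ip, account, code = line.strip().split("|")
    return datetime.fromisoformat(ts), ip, account, int(code, 16)

def detect_enumeration(log_text, threshold=3, window_seconds=60):
    """Return {client_ip: accounts tried} for sources that produced at least
    `threshold` KDC_ERR_C_PRINCIPAL_UNKNOWN responses within `window_seconds`;
    a burst of 0x6 is the signature of a dictionary run against the KDC."""
    recent = defaultdict(deque)   # client_ip -> timestamps of recent 0x6 errors
    tried = defaultdict(set)      # client_ip -> every account name it requested
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, account, code = parse_line(line)
        tried[ip].add(account)
        if code != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = tried[ip]   # same set object, so it keeps growing
    return flagged
```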

Several good tools have been around for a while, allowing us to leverage these Kerberos responses to identify valid or invalid domain accounts.

Two of the tools I used until recently are provided by Patrik Karlsson. The first is the standalone Java tool KrbGuess. The second is the krb5-enum-users NSE script for Nmap:

Krbguess

Usage:

java -jar kerbguess.jar -r [domain] -d [user list] -s [DC IP]

krb5-enum-users NSE Script for nmap

Usage:

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]

Leveraging Kerberos within the Metasploit Framework

Like most Penetration Testers, I’m a heavy user of the Metasploit Framework. Having the ability to leverage the Kerberos functionality within the framework has appealed to me for years.

For whatever reason it never seems to have been implemented, so I decided to try and implement it myself.

Leaning heavily on the Kerberos support provided by other Metasploit contributors and using the auxiliary module for ms14_068_kerberos_checksum as a template, the process was a lot simpler than I had anticipated.

The new Metasploit auxiliary module can be found in the following location:

auxiliary/gather/kerberos_enumusers

As with the Kerberos enumeration tools discussed previously, three values should be provided:

  • Domain Name (DOMAIN)
  • Domain Controller IP (RHOST)
  • User list (USER_FILE)

The module can now be run to enumerate valid (and disabled/locked) domain accounts via the Kerberos service.

Thanks to an addition by bwatter-r7 at Rapid7, any valid enumerated usernames are stored in the Metasploit database for retrieval using the 'creds' command.

References and further reading

  • cqure.net: KrbGuess
  • Nmap NSE documentation: krb5-enum-users
  • Rapid7: Microsoft Kerberos Checksum Validation Vulnerability
