
Kerberos Pre-Auth Username Enumeration

How it Works

We can send a request for a TGT, without a pre-authentication hash, to the Kerberos Key Distribution Center (KDC) with a specific username in the request. If the username is valid, the KDC either prompts for pre-authentication (when the account requires it) or returns a TGT (when it does not). If the username is invalid, the KDC responds with PRINCIPAL UNKNOWN. Because the KDC answers differently for valid and invalid names, the response alone reveals whether the username exists; no password is needed.

Enumeration

Kerbrute

https://github.com/ropnop/kerbrute

Deduplicate and Save a List of Usernames to Spray at the KDC

cat /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt | tr '[:upper:]' '[:lower:]' | sort -u > kerberos_users.txt

Use Kerbrute to Enumerate Valid Usernames

kerbrute userenum -d domain.tld --dc dc-ip-here -t 100 -o kerbrute.log ./kerberos_users.txt

Nmap

Nmap is not multi-threaded and does not manage memory well with large word lists, so use a short username list here.

domain_controller=dc1.domain.tld
domain='domain.tld'
username_list='/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
nmap -Pn -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=$domain,userdb=$username_list $domain_controller
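From the defender's side, the technique described under "How it Works" leaves a distinctive trace on the domain controller: a burst of TGT requests from one client for many usernames that do not exist. The following is an added detection example, not code from the page or from Kerbrute/Nmap; it assumes Kerberos Authentication Service auditing is enabled so the DC logs event 4768, and it reads a constructed, simplified one-line rendering of those events (real events are XML, so the regex would need adapting).

```python
# Added detection example (not from the original page): flag client hosts that
# spray many non-existent usernames at a DC, the footprint the technique leaves.
# Input is a CONSTRUCTED, simplified one-line rendering of Windows Security
# event 4768 (TGT requested). Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such
# user), 0x19 = KDC_ERR_PREAUTH_REQUIRED (user exists), 0x0 = TGT issued.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4768 = """\
2024-05-01T10:00:01Z 4768 TargetUserName=admin IpAddress=10.0.0.50 Status=0x6
2024-05-01T10:00:01Z 4768 TargetUserName=administrator IpAddress=10.0.0.50 Status=0x19
2024-05-01T10:00:02Z 4768 TargetUserName=guest IpAddress=10.0.0.50 Status=0x6
2024-05-01T10:00:02Z 4768 TargetUserName=test IpAddress=10.0.0.50 Status=0x6
2024-05-01T10:00:03Z 4768 TargetUserName=info IpAddress=10.0.0.50 Status=0x6
2024-05-01T10:00:03Z 4768 TargetUserName=jsmith IpAddress=10.0.0.50 Status=0x19
2024-05-01T10:00:04Z 4768 TargetUserName=sales IpAddress=10.0.0.50 Status=0x6
2024-05-01T10:05:00Z 4768 TargetUserName=jsmtih IpAddress=10.0.0.77 Status=0x6
2024-05-01T10:05:05Z 4768 TargetUserName=jsmith IpAddress=10.0.0.77 Status=0x0
"""
LINE_RE = re.compile(r"^(\S+) 4768 TargetUserName=(\S+) IpAddress=(\S+) Status=(0x[0-9a-fA-F]+)$")
PRINCIPAL_UNKNOWN = 0x6

def parse_4768(text):
    """Yield (timestamp, username, client_ip, status_int) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, status = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, int(status, 16)

def enumeration_sources(text, window_s=60, threshold=5):
    """Return {client_ip: n} for IPs that requested TGTs for >= threshold
    DISTINCT unknown usernames (0x6) inside some window_s-second period.
    Distinct names matter: one user retrying a typo is not a spray."""
    window = timedelta(seconds=window_s)
    by_ip = defaultdict(list)
    for ts, user, ip, status in parse_4768(text):
        if status == PRINCIPAL_UNKNOWN:
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        best = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({u for _, u in events[start:end + 1]}))
        if best >= threshold:
            hits[ip] = best
    return hits

if __name__ == "__main__":
    print(enumeration_sources(SAMPLE_4768))  # {'10.0.0.50': 5}
```

Valid names probed during the same spray show up as 0x19 (or 0x0) from the same client address, so correlating those with the flagged IP tells you which accounts the scanner confirmed.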