Kerberos Domain Username Enumeration

Lime1O1
Mar 12, 2022

Welcome, everybody.

In this article I will explain how to perform Kerberos Domain Username Enumeration using nmap, metasploit and kerbrute.

I will demonstrate this in my lab. First I will create users in Active Directory (explained with pictures).

Here are the details of my lab, so that nobody gets confused:

IP : 192.168.0.18

DOMAIN : working.local

users : [ dany1 , dany2 , dany3 , dany4 ]

First, I will create an Organizational Unit called {My_lab}.

After creating the organizational unit, we will create the users.

[ dany1 , dany , dany3 , dany4 ]

I will show the creation of user dany1 step by step with pictures; the rest of the users I will create without pictures, because the steps are the same.

First Name, Last Name, Full Name: these are not credentials. They are additional data that cannot be used to log in.

User Logon name: this is important, because it is the name we log in with.

After pressing the { Next > } button, you have successfully created user [ dany1 ].

After that, I created the other users, as shown in the picture, in the same way I created user dany1.

Now the lab is built and the users are prepared, so we can use the tools to perform [ AD Users Enumeration ].

We will use this wordlist for guessing. As you can see, the correct names are at the end of the wordlist.

We will now use the nmap tool to guess which users are in AD

[Kerberos Domain Username Enumeration using nmap ]

We will use this command :

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='working.local',userdb=users 192.168.0.18

Much more can be found here

As you can see, the nmap tool found 4 users. Due to an error, I switched user dany2 to dany.

users : [ dany , dany2 , dany3 , dany4 ]

Now we are going to use the metasploit tool to guess usernames .

msfconsole
use auxiliary/gather/kerberos_enumusers
set user_file /home/lime/Desktop/tools/AD/users
set rhosts 192.168.0.18
set DoMAIN working.local
exploit

As you can see we have 4 users

[ dany1 , dany , dany3 , dany4 ]

The last tool we will use to guess usernames is kerbrute .

We will use this command :

./kerbrute_linux_amd64 userenum -d working.local --dc 192.168.0.18  /home/lime/Desktop/tools/AD/users

As you can see we have 4 users

[ dany1 , dany , dany3 , dany4 ]
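From the defender's side, all three tools leave the same trace on the domain controller: many TGT requests for names that do not exist. The following is an added example, not part of the original article or of any of the tools above. It assumes failure auditing for "Audit Kerberos Authentication Service" is enabled, so that unknown names are logged as event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN); the simplified tuple layout, the source addresses other than the lab DC, and the sample names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN: requested name is not in AD

# Constructed sample: (time, event id, source IP, account name, result code),
# standing in for fields exported from the DC's Security log.
SAMPLE_EVENTS = [
    ("2022-03-12T09:15:00", 4768, "192.168.0.31", "dnay1", "0x6"),   # one typo
    ("2022-03-12T09:15:20", 4768, "192.168.0.31", "dany1", "0x0"),   # then success
    ("2022-03-12T10:00:01", 4768, "192.168.0.50", "admin", "0x6"),
    ("2022-03-12T10:00:02", 4768, "192.168.0.50", "guest", "0x6"),
    ("2022-03-12T10:00:03", 4768, "192.168.0.50", "test", "0x6"),
    ("2022-03-12T10:00:04", 4768, "192.168.0.50", "backup", "0x6"),
    ("2022-03-12T10:00:05", 4768, "192.168.0.50", "svc_sql", "0x6"),
    ("2022-03-12T10:00:06", 4768, "192.168.0.50", "helpdesk", "0x6"),
    ("2022-03-12T11:00:00", 4768, "192.168.0.40", "oldstaff", "0x6"),
    ("2022-03-12T15:30:00", 4768, "192.168.0.40", "printer", "0x6"),
]


def find_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: names} for every source that requested TGTs for at
    least `threshold` distinct unknown accounts inside one sliding window."""
    by_source = defaultdict(list)
    for ts, event_id, ip, user, status in events:
        if event_id == 4768 and int(status, 16) == PRINCIPAL_UNKNOWN:
            by_source[ip].append((datetime.fromisoformat(ts), user.lower()))

    alerts = {}
    for ip, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {user for _, user in hits[start:end + 1]}
            if len(names) >= threshold:
                alerts[ip] = sorted(names)  # names seen in the triggering window
                break
    return alerts


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_EVENTS).items():
        print(f"possible username enumeration from {ip}: {names}")
```

Counting distinct names rather than raw failures keeps a single user who mistypes their own name from triggering the rule; the window and threshold need tuning to the environment.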

From here, I have finished, and I hope that I have been able to help someone, and I hope that you will like it…
