@n3rada n3rada commented Nov 9, 2025

For simplicity, I thought it should belong here instead of among the wild 'kerbrute'-like tools.

This script performs user enumeration via Kerberos AS-REQ, allowing checks for username existence in Active Directory without triggering account lockouts (incrementing of badPwdCount), making it interesting for initial reconnaissance.

Use the names.withletters trick to create name.a, name.b variants:

awk '/^[[:space:]]*$/ {next} { gsub(/^[ \t]+|[ \t]+$/,""); for(i=97;i<=122;i++) printf "%s.%c\n", $0, i }' /usr/share/seclists/Usernames/Names/names.txt | tee /tmp/names.txt > /dev/null

It was tested on Windows Server 2019/2022, on hercules.htb.

Single user check:

asreqUserCheck.py hercules.htb -u 'fernando.r'

Batch enumeration with threading:

asreqUserCheck.py hercules.htb -usersfile /tmp/names.txt --threads 30

The code is designed to be imported and used by other tools:

from impacket.examples.asreqUserCheck import kerberos_asreq_user_check

# Check a single user
result = kerberos_asreq_user_check("john.doe", "DOMAIN.LOCAL", "10.10.11.x")

# Returns structured dict:
# {
#     "username": "john.doe",
#     "exists": True,
#     "enabled": True,
#     "status": "valid",  # or "disabled", "invalid", "wrong_realm", "error"
#     "error": None,
#     "error_code": 25  # Kerberos error code
# }

if result["exists"] and result["enabled"]:
    print(f"[+] Valid user found: {result['username']}")

It could therefore be added to tools such as netexec.

This script performs user enumeration via Kerberos AS-REQ, allowing checks for username existence in Active Directory without triggering account lockouts.
Refactor Kerberos user enumeration code for improved readability and structure. Introduce new functions for loading usernames, checking user status, and enumerating users with threading support.
Added author information to the script header.
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Nov 13, 2025
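
Detection-side counterpart to the description above, as an added example that is not part of the pull request or of impacket: since this AS-REQ probing leaves badPwdCount untouched, lockout-based alerting does not see it, but a domain controller with Kerberos Authentication Service failure auditing enabled records Event ID 4768 with result code 0x6 for each unknown principal. The tuple layout, sample events, window and threshold below are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Result code logged in Event ID 4768 for KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user).
PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample records: (time, event id, source IP, account name, result code).
SAMPLE_EVENTS = (
    # One source requesting eight different non-existent names within eight seconds.
    [(f"2025-11-09T10:00:{i:02d}", 4768, "10.0.5.23", f"name{i}.a", "0x6") for i in range(8)]
    # A stale service retrying the same deleted account once a minute (benign noise).
    + [(f"2025-11-09T10:0{i}:00", 4768, "10.0.9.9", "svc_old", "0x6") for i in range(6)]
    # A user mistyping a name once, then logging on successfully.
    + [("2025-11-09T10:00:03", 4768, "10.0.7.40", "jon.doe", "0x6"),
       ("2025-11-09T10:00:09", 4768, "10.0.7.40", "john.doe", "0x0")]
)


def detect_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: peak count of distinct unknown principals in one window}
    for every source that reaches the threshold."""
    recent = defaultdict(deque)  # source IP -> (timestamp, account) pairs inside the window
    flagged = {}
    for ts, event_id, ip, account, code in sorted(events):
        if event_id != 4768 or code.lower() != PRINCIPAL_UNKNOWN:
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[ip]
        queue.append((now, account.lower()))
        # Drop entries that have aged out of the sliding window.
        while now - queue[0][0] > window:
            queue.popleft()
        # Count distinct names, so one account retried repeatedly does not alert.
        distinct = len({name for _, name in queue})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_EVENTS).items():
        print(f"[!] {ip}: {count} distinct unknown principals within 60s")
```

Counting distinct names rather than raw failures is what separates a username sweep from a single misconfigured client; the window and threshold need tuning against normal traffic for the domain.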