I created a new Nmap script today that attempts to discover the Kerberos realm and the server time. It does this by sending an incorrect AS-REQ request to the server. The Microsoft implementation of Kerberos responds with an error packet containing the correct Realm name. On systems with other implementation, the server time alone is returned. The script works against both TCP and UDP. It’s available for download at the dedicated nmap-scripts page over here.