diff --git a/lib/metasploit/framework/login_scanner/ldap.rb b/lib/metasploit/framework/login_scanner/ldap.rb
index 3adff7d8a92ad..51b144bb8c67d 100644
--- a/lib/metasploit/framework/login_scanner/ldap.rb
+++ b/lib/metasploit/framework/login_scanner/ldap.rb
@@ -58,6 +58,13 @@ def each_credential
 # so make sure that whatever it is, we end up with a Credential.
 credential = raw_cred.to_credential
 
+ if (opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS && opts[:ldap_krb5_cname]) ||
+ opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::SCHANNEL
+ # If we're using kerberos auth with a ccache or doing schannel auth then the password is irrelevant
+ # Remove it from the credential so we don't store it
+ credential.private = nil
+ end
+
 if credential.realm.present? && realm_key.present?
 credential.realm_key = realm_key
 elsif credential.realm.present? && realm_key.blank?
diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb
index 9f86c47a20776..3d96176ea3272 100644
--- a/lib/msf/core/auxiliary/auth_brute.rb
+++ b/lib/msf/core/auxiliary/auth_brute.rb
@@ -27,6 +27,7 @@ def initialize(info = {})
 OptBool.new('DB_ALL_PASS', [false,"Add all passwords in the current database to the list",false]),
 OptEnum.new('DB_SKIP_EXISTING', [false,"Skip existing credentials stored in the current database", 'none', %w[ none user user&realm ]]),
 OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", false]),
+ OptBool.new('ANONYMOUS_LOGIN', [ true, "Attempt to login with a blank username and password", false])
 ], Auxiliary::AuthBrute)
 
 register_advanced_options([
diff --git a/modules/auxiliary/scanner/ldap/ldap_login.rb b/modules/auxiliary/scanner/ldap/ldap_login.rb
index 94e7786bf968d..8fca2fa78564c 100644
--- a/modules/auxiliary/scanner/ldap/ldap_login.rb
+++ b/modules/auxiliary/scanner/ldap/ldap_login.rb
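Review bot: The ccache branch of the new condition, `if (opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS && opts[:ldap_krb5_cname]) ||`, only tests `opts[:ldap_krb5_cname]` for truthiness, and the ldap_login.rb hunk in this same commit feeds that key the raw `datastore['Ldap::Krb5Ccname']`, whereas smb_login.rb maps the equivalent option through `.blank? ? nil : …` before use. If an unset option arrives as an empty string (truthy in Ruby), a Kerberos login that actually authenticated with the password would still hit `credential.private = nil`, so the working password would be dropped from the stored credential. `opts[:ldap_krb5_cname].present?` — the same predicate the next lines already apply to `realm_key` — makes the guard match what the comment describes; alternatively apply the smb_login.rb style `.blank? ? nil : …` mapping on the `ldap_krb5_cname:` line of the ldap_login.rb hunk. each_credential begins and ends outside this hunk.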
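Review bot: `OptBool.new('ANONYMOUS_LOGIN', …)` is added to the option set that `register_options` installs for Auxiliary::AuthBrute, so every module mixing in AuthBrute will now expose it, while within this commit only ldap_login.rb appears to read `datastore['ANONYMOUS_LOGIN']`; on other modules the option would be accepted and silently ignored. Either the description should state that a module honors it only when it passes the value to its login scanner's `anonymous_login:`, or the option belongs in ldap_login.rb's own `register_options` until other modules are wired through. `initialize` begins and ends outside this hunk.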
@@ -57,7 +57,7 @@ def run_host(ip)
 username: datastore['USERNAME'],
 password: datastore['PASSWORD'],
 realm: datastore['DOMAIN'],
- anonymous_login: false,
+ anonymous_login: datastore['ANONYMOUS_LOGIN'],
 blank_passwords: false
 )
 
@@ -71,7 +71,9 @@ def run_host(ip)
 ldap_cert_file: datastore['LDAP::CertFile'],
 ldap_rhostname: datastore['Ldap::Rhostname'],
 ldap_krb_offered_enc_types: datastore['Ldap::KrbOfferedEncryptionTypes'],
- ldap_krb5_cname: datastore['Ldap::Krb5Ccname']
+ ldap_krb5_cname: datastore['Ldap::Krb5Ccname'],
+ # Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
+ kerberos_ticket_storage: kerberos_ticket_storage({ read: false, write: true })
 }
 
 realm_key = nil
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index c7a638295fe86..f33cc51eccb00 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -87,7 +87,8 @@ def run_host(ip)
 framework: framework,
 framework_module: self,
 cache_file: datastore['Smb::Krb5Ccname'].blank? ? nil : datastore['Smb::Krb5Ccname'],
- ticket_storage: kerberos_ticket_storage
+ # Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
+ ticket_storage: kerberos_ticket_storage({ read: false, write: true })
 )
 end
 end
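Review bot: The new `kerberos_ticket_storage: kerberos_ticket_storage({ read: false, write: true })` line in the second ldap_login.rb hunk passes a braced hash literal where the idiomatic call is `kerberos_ticket_storage(read: false, write: true)`; if the helper deliberately takes a positional options Hash rather than keywords, that is worth a short comment, since under Ruby 3 the two call forms are not interchangeable. The `ticket_storage:` line in the smb_login.rb hunk has the same shape. The explanatory comment is also repeated verbatim at both call sites; the read/write semantics belong to the helper, so a doc comment on kerberos_ticket_storage itself would let each caller keep a one-line reference such as `# write-only ticket cache; see kerberos_ticket_storage`. run_host begins and ends outside these hunks.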