Enumerating Users
This guide covers various techniques for enumerating users in Active Directory environments, divided into methods that require credentials and those that don't.
Enumeration Without Credentials
NSrpcenum
NSrpcenum is a modified version of S4vitar's tool, renamed to differentiate it from the original rpcenum tool that supports credentials. This tool allows enumeration of the Domain Controller through the RPC protocol using a Null Session (without providing access credentials). It only works if the Domain Controller permits null-session access to the RPC interfaces.
Repository: GitHub - s4vitar/rpcenum
NSrpcenum -e DUsers -i 10.10.10.10
rpcclient (No Credentials)
Enumerate users from RID 1000 to 1500 (range can be adjusted as needed). No credentials required.
for i in $(seq 1000 1500); do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'
Kerbrute Username Enumeration
Brute force user enumeration through Kerberos using a dictionary:
# Brute force users through Kerberos with a dictionary
kerbrute userenum --dc 10.10.10.10 -d domain.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
# Validate if users are valid at domain level with a list of possible users
kerbrute userenum --dc 10.10.10.10 -d domain.htb possible_users.txt
NetExec with Guest User
nxc smb 10.10.10.10 -u 'guest' -p '' --rid-brute
NetExec Kerberos Enumeration Brute Force
Perform brute force attacks, similar to Kerbrute, to verify if a user is valid in the domain through Kerberos.
If the user exists, the KDC_ERR_PREAUTH_FAILED message will appear.
If the user doesn't exist, the KDC_ERR_C_PRINCIPAL_UNKNOWN message will appear.
nxc ldap dc.domain.htb -u users.txt -p '' -k
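The Kerbrute and NetExec sections above both rely on the same KDC behaviour: a name that does not exist gets KDC_ERR_C_PRINCIPAL_UNKNOWN and a name that does gets KDC_ERR_PREAUTH_FAILED, so a dictionary run leaves a burst of unknown-principal failures from one source with a few pre-auth failures mixed in. The following added example (not code from the original page or from either tool) shows how a defender can spot that pattern in Domain Controller audit data. It assumes a simplified, constructed key=value line per event modelled on Windows Security events 4768 (TGT request, result code 0x6 for an unknown principal) and 4771 (pre-authentication failed, failure code 0x18); a real deployment would feed it parsed EVTX or SIEM records instead.

```python
"""Detect Kerberos user-enumeration bursts from constructed DC audit records.

Added example, not part of the original page. The log format below is a
constructed simplification of Windows Security events 4768/4771.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kerberos error codes as they appear in the 4768/4771 result/failure fields
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # account name does not exist
KDC_ERR_PREAUTH_FAILED = 0x18       # account exists, wrong pre-auth data


@dataclass(frozen=True)
class KerberosEvent:
    ts: datetime
    event_id: int        # 4768 (TGT request) or 4771 (pre-auth failed)
    client_ip: str
    account: str
    result_code: int     # 0 means success


def parse_event(line: str) -> KerberosEvent:
    """Parse one constructed 'ts=... id=... ip=... acct=... rc=0x..' line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return KerberosEvent(
        ts=datetime.fromisoformat(fields["ts"]),
        event_id=int(fields["id"]),
        client_ip=fields["ip"],
        account=fields["acct"].lower(),
        result_code=int(fields["rc"], 16),
    )


def detect_enumeration(events, window=timedelta(minutes=5), unknown_threshold=10):
    """Flag source IPs that produced >= unknown_threshold distinct unknown
    principals inside any sliding time window. For a flagged IP also report
    which existing accounts it touched (the names an enumerator would treat
    as 'valid'), so the responder knows what to watch next."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.result_code in (KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_FAILED):
            by_ip[ev.client_ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        peak, start = 0, 0
        for end, ev in enumerate(evs):
            # advance the window start until the span fits inside `window`
            while ev.ts - evs[start].ts > window:
                start += 1
            unknown = {e.account for e in evs[start:end + 1]
                       if e.result_code == KDC_ERR_C_PRINCIPAL_UNKNOWN}
            peak = max(peak, len(unknown))
        if peak >= unknown_threshold:
            valid = sorted({e.account for e in evs
                            if e.result_code == KDC_ERR_PREAUTH_FAILED})
            findings[ip] = {"peak_unknown": peak, "valid_accounts_probed": valid}
    return findings


def analyze(lines):
    """Convenience wrapper: raw constructed log lines -> findings dict."""
    return detect_enumeration([parse_event(l) for l in lines])


# Constructed sample: one host walks a wordlist (10 unknown names in 10 s,
# then two pre-auth failures on real accounts); another host is a user
# who mistyped a password once and then logged in.
_WORDLIST = ["aaron", "abby", "adam", "alex", "amy",
             "andy", "anna", "anton", "april", "arthur"]
SAMPLE_LOG = [
    f"ts=2024-05-01T09:00:{i:02d} id=4768 ip=10.10.10.50 acct={name} rc=0x6"
    for i, name in enumerate(_WORDLIST)
] + [
    "ts=2024-05-01T09:00:10 id=4771 ip=10.10.10.50 acct=Administrator rc=0x18",
    "ts=2024-05-01T09:00:11 id=4771 ip=10.10.10.50 acct=svc_backup rc=0x18",
    "ts=2024-05-01T09:30:00 id=4771 ip=10.10.10.20 acct=jdoe rc=0x18",
    "ts=2024-05-01T09:30:07 id=4768 ip=10.10.10.20 acct=jdoe rc=0x0",
]

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_unknown']} unknown principals in window; "
              f"existing accounts probed: {info['valid_accounts_probed']}")
```

The threshold and window are deliberately conservative defaults; on a large domain, tune them against a baseline of normal 0x6 noise (stale service principals, mistyped UPNs) before alerting on the result.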
ridenum
Repository: GitHub - trustedsec/ridenum
ridenum performs a null-session RID cycling attack to brute force account names on domain controllers.
ridenum 10.10.10.10 500 10000 guest ''
impacket-lookupsid (No Credentials)
# User enumeration with 'guest' user through lookupsid
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass
# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
Enumeration With Credentials
ldapdomaindump
# Enumerate the entire LDAP and keep only usernames
ldapdomaindump -u 'domain.htb\user' -p 'password' 10.10.10.10 -o ldap; cd ldap; echo; cat domain_users.grep | awk '{print $1}' | tail -n +2
rpcenum (Modified)
Through the modified rpcenum tool, we can perform complete enumeration of users and other information through the RPC protocol. This tool requires valid credentials.
Repository: GitHub - Gzzcoo/rpcenum-modified
rpcenum -e DUsers -i 10.10.10.10 -u 'user' -p 'password'
rpcclient (With Credentials)
Enumerate users from RID 1000 to 1500 (range can be adjusted as needed). Valid credentials required.
for i in $(seq 1000 1500); do rpcclient -U "user%password" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'
NetExec (With Credentials)
# Get domain users through RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute
# Get only the list of users when performing RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute | grep SidTypeUser | rev | awk '{print $2}' | rev | awk '{print $2}' FS='\\'
# User enumeration through LDAP
nxc ldap 10.10.10.10 -u 'user' -p 'password' --users
impacket-lookupsid (With Credentials)
# User enumeration with lookupsid using valid credentials
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10
# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10 | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
ldapsearch
# Enumerate all AD user accounts through a simple bind (-x is required, otherwise ldapsearch attempts SASL and ignores -w)
# (objectCategory=person) excludes computer accounts, which also carry objectClass=user
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "DC=domain,DC=htb" "(&(objectCategory=person)(objectClass=user))" sAMAccountName | grep "^sAMAccountName:" | awk '{print $2}'
# Enumerate all AD user accounts through Kerberos authentication (requires a valid TGT in the credential cache, e.g. from kinit)
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "DC=domain,DC=htb" "(&(objectCategory=person)(objectClass=user))" sAMAccountName