This guide covers various techniques for enumerating users in Active Directory environments, divided into methods that require credentials and those that don't.
Enumeration Without Credentials
NSrpcenum
NSrpcenum is a modified version of S4vitar's tool, renamed to differentiate it from the original rpcenum tool, which requires credentials. It enumerates the Domain Controller over the RPC protocol using a Null Session (no access credentials supplied), so it only works when the Domain Controller still permits anonymous RPC access.
Repository:
NSrpcenum -e DUsers -i 10.10.10.10
rpcclient (No Credentials)
Enumerate users from RID 1000 to 1500 (range can be adjusted as needed). No credentials required.
for i in $(seq 1000 1500); do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'
Kerbrute Username Enumeration
Brute force user enumeration through Kerberos using a dictionary:
# Brute force users through Kerberos with a dictionary
kerbrute userenum --dc 10.10.10.10 -d domain.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
# Validate if users are valid at domain level with a list of possible users
kerbrute userenum --dc 10.10.10.10 -d domain.htb possible_users.txt
NetExec with Guest User
nxc smb 10.10.10.10 -u 'guest' -p '' --rid-brute
NetExec Kerberos Enumeration Brute Force
Perform brute force attacks, similar to Kerbrute, to verify if a user is valid in the domain through Kerberos.
If the user exists, a KDC_ERR_PREAUTH_FAILED message will appear.
If the user doesn't exist, a KDC_ERR_C_PRINCIPAL_UNKNOWN message will appear.
nxc ldap dc.domain.htb -u users.txt -p '' -k
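The defender's view of the Kerberos checks above, as an added example that is not part of the original page: it parses Domain Controller Security events 4768 (TGT requested, result code 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN) and 4771 (pre-authentication failed, failure code 0x18 = KDC_ERR_PREAUTH_FAILED) and flags any client that produced a burst of unknown-principal errors, listing the real accounts that same client also probed. The key=value export format, the sample lines and the window/threshold values are assumptions constructed for the example.

```python
# Added example, not from the original cheat sheet: flag a client sweeping a
# username list at the KDC. Assumes DC Security events 4768 (TGT request) and
# 4771 (pre-auth failed) exported one per line in the constructed form below.
from collections import defaultdict
from datetime import datetime, timedelta
import re

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768 result code: account does not exist
KDC_ERR_PREAUTH_FAILED = "0x18"       # 4771 failure code: account exists
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) event=(?P<eid>\d+) account=(?P<user>\S+) "
                     r"client=(?P<ip>\S+) code=(?P<code>0x[0-9a-f]+)$")

def parse_events(lines):
    """Yield (timestamp, event_id, user, client_ip, code) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["eid"], m["user"], m["ip"], m["code"]

def find_enum_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Map client_ip -> {"unknown": n, "valid_hits": [...]} for bursty clients."""
    by_ip = defaultdict(list)
    for ts, eid, user, ip, code in parse_events(lines):
        by_ip[ip].append((ts, eid, user, code))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        unknown = [ts for ts, eid, _, code in events
                   if eid == "4768" and code == KDC_ERR_C_PRINCIPAL_UNKNOWN]
        start = 0
        for end in range(len(unknown)):
            while unknown[end] - unknown[start] > window:   # advance window start
                start += 1
            if end - start + 1 >= threshold:
                # Accounts this client hit with a failed pre-auth really exist.
                hits = sorted({u for _, eid, u, code in events
                               if eid == "4771" and code == KDC_ERR_PREAUTH_FAILED})
                flagged[ip] = {"unknown": len(unknown), "valid_hits": hits}
                break
    return flagged

# Constructed sample: 10.10.14.5 sweeps a wordlist; 10.10.20.7 is one typo.
SAMPLE_LOG = """\
2024-05-01 09:00:01 event=4768 account=aaron client=10.10.14.5 code=0x6
2024-05-01 09:00:01 event=4768 account=abby client=10.10.14.5 code=0x6
2024-05-01 09:00:02 event=4771 account=administrator client=10.10.14.5 code=0x18
2024-05-01 09:00:02 event=4768 account=adam client=10.10.14.5 code=0x6
2024-05-01 09:00:03 event=4768 account=alex client=10.10.14.5 code=0x6
2024-05-01 09:00:03 event=4768 account=alice client=10.10.14.5 code=0x6
2024-05-01 09:05:00 event=4768 account=jsmith client=10.10.20.7 code=0x6
""".splitlines()
```

A single mistyped login from 10.10.20.7 stays below the threshold, while the wordlist sweep from 10.10.14.5 is reported together with the account it confirmed.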
ridenum
ridenum performs a null-session RID cycling attack against domain controllers, brute forcing RIDs within a given range.
ridenum 10.10.10.10 500 10000 guest ''
impacket-lookupsid (No Credentials)
# User enumeration with 'guest' user through lookupsid
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass
# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
Enumeration With Credentials
ldapdomaindump
# Enumerate the entire LDAP and keep only usernames
ldapdomaindump -u 'domain.htb\user' -p 'password' 10.10.10.10 -o ldap; cd ldap; echo; cat domain_users.grep | awk '{print $1}' | tail -n +2
rpcenum (Modified)
Through the modified rpcenum tool, we can perform complete enumeration of users and other information through the RPC protocol. This tool requires valid credentials.
Enumerate users from RID 1000 to 1500 (range can be adjusted as needed). Valid credentials required.
for i in $(seq 1000 1500); do rpcclient -U "user%password" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'
NetExec (With Credentials)
# Get domain users through RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute
# Get only the list of users when performing RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute | grep SidTypeUser | rev | awk '{print $2}' | rev | awk '{print $2}' FS='\\'
# User enumeration through LDAP
nxc ldap 10.10.10.10 -u 'user' -p 'password' --users
impacket-lookupsid (With Credentials)
# User enumeration with lookupsid using valid credentials
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10
# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10 | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
ldapsearch
# Enumerate all AD users through simple authentication (NTLM)
ldapsearch -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "DC=domain,DC=htb" "(objectClass=user)" sAMAccountName | grep "^sAMAccountName:" | awk '{print $2}'
# Enumerate all AD users through Kerberos authentication (requires a valid TGT already in the Kerberos credential cache)
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "DC=domain,DC=htb" "(objectClass=user)"