This guide covers various techniques for enumerating users in Active Directory environments, divided into methods that require credentials and those that don't.
Enumeration Without Credentials
NSrpcenum
NSrpcenum is a modified version of S4vitar's tool, renamed to differentiate it from the original rpcenum tool that supports credentials. This tool allows enumeration of the Domain Controller through the RPC protocol using a Null Session (without providing access credentials). It will only work if we have the appropriate permissions.
Brute force user enumeration through Kerberos using a dictionary:
# Brute force users through Kerberos with a dictionarykerbruteuserenum--dc10.10.10.10-ddomain.htb/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt# Validate if users are valid at domain level with a list of possible userskerbruteuserenum--dc10.10.10.10-ddomain.htbpossible_users.txt
NetExec with Guest User
NetExec Kerberos Enumeration Brute Force
Perform brute force attacks, similar to Kerbrute, to verify if a user is valid in the domain through Kerberos.
If the user exists: KDC_ERR_PREAUTH_FAILED message will appear
If the user doesn't exist: KDC_ERR_C_PRINCIPAL_UNKNOWN message will appear
Rid_enum is a null session RID cycle attack for brute forcing domain controllers.
impacket-lookupsid (No Credentials)
Enumeration With Credentials
ldapdomaindump
rpcenum (Modified)
Through the modified rpcenum tool, we can perform complete enumeration of users and other information through the RPC protocol. This tool requires valid credentials.
# User enumeration with 'guest' user through lookupsid
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass
# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
# Enumerate the entire LDAP and keep only usernames
ldapdomaindump -u 'domain.htb\user' -p 'password' 10.10.10.10 -o ldap; cd ldap; echo; cat domain_users.grep | awk '{print $1}' | tail -n +2
for i in $(seq 1000 1500); do rpcclient -U "user%password" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'
# Get domain users through RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute
# Get only the list of users when performing RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute | grep SidTypeUser | rev | awk '{print $2}' | rev | awk '{print $2}' FS='\\'
# User enumeration through LDAP
nxc ldap 10.10.10.10 -u 'user' -p 'password' --users
# User enumeration with lookupsid using valid credentials
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10
# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10| grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
# Enumerate all AD users through simple authentication (NTLM)
ldapsearch -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "DC=domain,DC=htb" "(objectClass=user)" sAMAccountName | grep "^sAMAccountName:" | awk '{print $2}'
# Enumerate all AD users through Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "DC=domain,DC=htb" "(objectClass=user)"
