👤Enumerating Users

This guide covers various techniques for enumerating users in Active Directory environments, divided into methods that require credentials and those that don't.

Enumeration Without Credentials

NSrpcenum

NSrpcenum is a modified version of S4vitar's tool, renamed to differentiate it from the original rpcenum tool that supports credentials. This tool allows enumeration of the Domain Controller through the RPC protocol using a Null Session (without providing access credentials). It will only work if we have the appropriate permissions.

Repository: GitHub - s4vitar/rpcenum

NSrpcenum -e DUsers -i 10.10.10.10

rpcclient (No Credentials)

Enumerate users from RID 1000 to 1500 (range can be adjusted as needed). No credentials required.

for i in $(seq 1000 1500); do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'

Kerbrute Username Enumeration

Brute force user enumeration through Kerberos using a dictionary:

# Brute force users through Kerberos with a dictionary
kerbrute userenum --dc 10.10.10.10 -d domain.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

# Validate if users are valid at domain level with a list of possible users
kerbrute userenum --dc 10.10.10.10 -d domain.htb possible_users.txt

NetExec with Guest User

nxc smb 10.10.10.10 -u 'guest' -p '' --rid-brute

NetExec Kerberos Enumeration Brute Force

Perform brute force attacks, similar to Kerbrute, to verify if a user is valid in the domain through Kerberos.

• If the user exists: KDC_ERR_PREAUTH_FAILED message will appear

• If the user doesn't exist: KDC_ERR_C_PRINCIPAL_UNKNOWN message will appear

nxc ldap dc.domain.htb -u users.txt -p '' -k

ridenum

Repository: GitHub - trustedsec/ridenum

Rid_enum is a null session RID cycle attack for brute forcing domain controllers.

ridenum 10.10.10.10 500 10000 guest ''

impacket-lookupsid (No Credentials)

# User enumeration with 'guest' user through lookupsid
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass

# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'

Enumeration With Credentials

ldapdomaindump

# Enumerate the entire LDAP and keep only usernames
ldapdomaindump -u 'domain.htb\user' -p 'password' 10.10.10.10 -o ldap; cd ldap; echo; cat domain_users.grep | awk '{print $1}' | tail -n +2

rpcenum (Modified)

Through the modified rpcenum tool, we can perform complete enumeration of users and other information through the RPC protocol. This tool requires valid credentials.

Repository: GitHub - Gzzcoo/rpcenum-modified

rpcenum -e DUsers -i 10.10.10.10 -u 'user' -p 'password'

rpcclient (With Credentials)

Enumerate users from RID 1000 to 1500 (range can be adjusted as needed). Valid credentials required.

for i in $(seq 1000 1500); do rpcclient -U "user%password" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'

NetExec (With Credentials)

# Get domain users through RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute

# Get only the list of users when performing RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute | grep SidTypeUser | rev | awk '{print $2}' | rev | awk '{print $2}' FS='\\'

# User enumeration through LDAP
nxc ldap 10.10.10.10 -u 'user' -p 'password' --users

impacket-lookupsid (With Credentials)

# User enumeration with lookupsid using valid credentials
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10

# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10| grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'

ldapsearch

# Enumerate all AD users through simple authentication (NTLM)
ldapsearch -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "DC=domain,DC=htb" "(objectClass=user)" sAMAccountName | grep "^sAMAccountName:" | awk '{print $2}'

# Enumerate all AD users through Kerberos authentication
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "DC=domain,DC=htb" "(objectClass=user)"