# Enumerating Users

This guide covers various techniques for enumerating users in Active Directory environments, divided into methods that require credentials and those that don't.

## Enumeration Without Credentials

### NSrpcenum

NSrpcenum is S4vitar's original rpcenum, renamed here (Null Session rpcenum) to tell it apart from the modified rpcenum further down, which accepts credentials. It enumerates the Domain Controller over the RPC protocol through a null session, i.e. without supplying any credentials, and therefore only works when the DC still allows anonymous access to the RPC named pipes it queries; a hardened DC simply refuses the null session.

**Repository:** [GitHub - s4vitar/rpcenum](https://github.com/s4vitar/rpcenum)

```bash
NSrpcenum -e DUsers -i 10.10.10.10
```

### rpcclient (No Credentials)

Enumerate users by RID cycling from RID 1000 to 1500 (adjust the range as needed: the built-in Administrator, Guest and krbtgt accounts are RIDs 500, 501 and 502, and accounts created after domain setup start at RID 1000). No credentials are required, but the DC has to accept the null session. The loop spawns one rpcclient process per RID, so wide ranges are slow.

```bash
for i in $(seq 1000 1500); do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'
```

### Kerbrute Username Enumeration

Brute-force user enumeration through Kerberos using a dictionary. Kerbrute sends AS-REQs without pre-authentication data: the KDC answers `KDC_ERR_PREAUTH_REQUIRED` for an existing account and `KDC_ERR_C_PRINCIPAL_UNKNOWN` for a non-existent one, so no password is ever tried and `badPwdCount` is not incremented. Accounts with pre-authentication disabled answer with an AS-REP instead, which Kerbrute reports as an AS-REP roastable hash.

```bash
# Brute force users through Kerberos with a dictionary
kerbrute userenum --dc 10.10.10.10 -d domain.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

# Validate if users are valid at domain level with a list of possible users
kerbrute userenum --dc 10.10.10.10 -d domain.htb possible_users.txt
```
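The second Kerbrute command above validates a list of guessed usernames, which presumes you have built one. The following helper is an added example, not part of the original page or of Kerbrute: it turns "First Last" names (collected from OSINT, for instance) into the username formats most commonly seen in AD, so the resulting `possible_users.txt` can be fed to `kerbrute userenum`. The names in `NAMES` are constructed sample input, and the list of formats is an assumption about common naming conventions, not something the page states.

```bash
# gen_usernames: read "First [Middle] Last" names on stdin and print the
# username formats most often seen in AD, lowercased and de-duplicated.
gen_usernames() {
    awk '
    NF >= 2 {
        first = tolower($1); last = tolower($NF)
        fi = substr(first, 1, 1); li = substr(last, 1, 1)
        print first "." last      # john.smith
        print first last          # johnsmith
        print fi last             # jsmith
        print fi "." last         # j.smith
        print first li            # johns
        print last fi             # smithj
        print last "." first      # smith.john
        print first "_" last      # john_smith
        print first               # john
        print last                # smith
    }' | sort -u
}

# Constructed sample input (not real people); in practice this comes from
# OSINT such as staff pages, LinkedIn or document metadata.
NAMES='John Smith
Jane Marie Doe'

# Usage: build the candidate list, then validate it with kerbrute as above.
#   printf '%s\n' "$NAMES" | gen_usernames > possible_users.txt
#   kerbrute userenum --dc 10.10.10.10 -d domain.htb possible_users.txt
```

Middle names are dropped (first and last token only), which is what most AD naming policies do; add or remove formats in the awk block once a single valid hit tells you which convention the target domain uses.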

### NetExec with Guest User

```bash
nxc smb 10.10.10.10 -u 'guest' -p '' --rid-brute
```

### NetExec Kerberos Enumeration Brute Force

Brute force, similar to Kerbrute, to verify whether a user is valid in the domain over Kerberos. Unlike Kerbrute, this actually attempts Kerberos pre-authentication with an empty password, so the KDC's answer distinguishes the two cases as follows:

* If the user exists: `KDC_ERR_PREAUTH_FAILED` (the KDC found the principal and rejected the password)
* If the user doesn't exist: `KDC_ERR_C_PRINCIPAL_UNKNOWN`

Because a real pre-authentication attempt is made, every hit on an existing account counts as a failed logon: `badPwdCount` is incremented and the attempt is logged on the DC as a Kerberos pre-authentication failure (event ID 4771). Check the lockout policy before running this against a large list.

```bash
nxc ldap dc.domain.htb -u users.txt -p '' -k
```

### ridenum

**Repository:** [GitHub - trustedsec/ridenum](https://github.com/trustedsec/ridenum)

rid\_enum performs a null-session RID cycling attack against domain controllers. The positional arguments are the target, the first and last RID to try, and optionally a username and password; the example below uses the guest account with an empty password:

```bash
ridenum 10.10.10.10 500 10000 guest ''
```

### impacket-lookupsid (No Credentials)

```bash
# User enumeration with 'guest' user through lookupsid
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass

# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
```

## Enumeration With Credentials

### ldapdomaindump

```bash
# Dump the whole directory to ./ldap (HTML, JSON and greppable TSV output)
ldapdomaindump -u 'domain.htb\user' -p 'password' 10.10.10.10 -o ldap

# Keep only usernames: domain_users.grep is tab-separated and its first column
# is cn, which splits on spaces with a default awk, so select the sAMAccountName
# column by header name instead and skip the header row
awk -F'\t' 'NR==1{for(i=1;i<=NF;i++) if(tolower($i)=="samaccountname") c=i; next} {print $c}' ldap/domain_users.grep
```

### rpcenum (Modified)

Through the modified rpcenum tool, we can perform complete enumeration of users and other information through the RPC protocol. This tool requires valid credentials.

**Repository:** [GitHub - Gzzcoo/rpcenum-modified](https://github.com/Gzzcoo/rpcenum-modified)

```bash
rpcenum -e DUsers -i 10.10.10.10 -u 'user' -p 'password'
```

### rpcclient (With Credentials)

Enumerate users by RID cycling from RID 1000 to 1500 (adjust the range as needed). Valid credentials are required; any ordinary domain account is enough.

```bash
for i in $(seq 1000 1500); do rpcclient -U "user%password" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name"; done | awk '{print $NF}'
```

### NetExec (With Credentials)

```bash
# Get domain users through RID Cycling Attack (the default range stops at RID 4000; pass a higher limit as --rid-brute 10000)
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute

# Get only the list of users when performing RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute | grep SidTypeUser | rev | awk '{print $2}' | rev | awk '{print $2}' FS='\\'

# User enumeration through LDAP
nxc ldap 10.10.10.10 -u 'user' -p 'password' --users
```

### impacket-lookupsid (With Credentials)

```bash
# User enumeration with lookupsid using valid credentials
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10

# Same command as above, but only keeping usernames
impacket-lookupsid domain.htb/'username':'password'@10.10.10.10 | grep SidTypeUser | awk '{print $2}' | awk '{print $2}' FS='\\'
```
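The `grep SidTypeUser | awk ...` pipelines used with impacket-lookupsid (both variants) and with `nxc --rid-brute` each depend on the column layout of one tool, and a username containing a space is cut off by them. The function below is an added example, not code from the page or from any of those projects: one parser that accepts the output of lookupsid, `nxc --rid-brute` and the rpcclient `queryuser` loop, keeps only `SidTypeUser` entries (groups and aliases are dropped) and prints a sorted, de-duplicated username list. `RID_OUTPUT` is a constructed sample of what the three tools print, with the domain name `DOMAIN` and the RIDs made up for the example.

```bash
# rid_users: read RID-cycling tool output on stdin, print usernames one per line.
# Pattern 1 matches "RID: DOMAIN\name (SidTypeUser)" wherever it sits on the
# line, so nxc's leading columns do not matter and names with spaces survive.
# Pattern 2 accepts rpcclient's "User Name : name" lines.
rid_users() {
    sed -nE \
        -e 's/.*[0-9]+: [^\\]+\\(.+) \(SidTypeUser\).*/\1/p' \
        -e 's/^[[:space:]]*User Name[[:space:]]*:[[:space:]]*//p' \
    | sort -u
}

# Constructed sample (not captured from a real DC): lookupsid lines, nxc
# --rid-brute lines and two lines of rpcclient queryuser output mixed together.
RID_OUTPUT='[*] Brute forcing SIDs at 10.10.10.10
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
498: DOMAIN\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DOMAIN\Administrator (SidTypeUser)
501: DOMAIN\Guest (SidTypeUser)
502: DOMAIN\krbtgt (SidTypeUser)
512: DOMAIN\Domain Admins (SidTypeGroup)
SMB         10.10.10.10     445    DC               1103: DOMAIN\svc_backup (SidTypeUser)
SMB         10.10.10.10     445    DC               1104: DOMAIN\IT Support (SidTypeAlias)
        User Name   :   svc_backup
        Full Name   :   Backup Service Account'

# Usage with the real tools:
#   impacket-lookupsid domain.htb/guest@10.10.10.10 -no-pass | rid_users > users.txt
#   nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute   | rid_users > users.txt
```

Because the output is de-duplicated, the results of several tools (or of the same tool run with different credentials) can be concatenated and piped through `rid_users` once to get a single wordlist for password spraying or Kerberos validation.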

### ldapsearch

```bash
# Enumerate all AD users through a simple bind. The credentials travel in the clear
# over ldap://, so prefer ldaps:// or StartTLS (-ZZ) where the DC offers it.
# (objectClass=user) on its own also matches computer accounts; objectCategory=person filters them out.
ldapsearch -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' -b "DC=domain,DC=htb" "(&(objectCategory=person)(objectClass=user))" sAMAccountName | grep "^sAMAccountName:" | awk '{print $2}'

# Enumerate all AD users through Kerberos authentication. GSSAPI needs a TGT in the
# credential cache first (kinit user@DOMAIN.HTB) and the DC's FQDN rather than its IP.
ldapsearch -H ldap://dc.domain.htb -Y GSSAPI -b "DC=domain,DC=htb" "(&(objectCategory=person)(objectClass=user))" sAMAccountName
```
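The `grep "^sAMAccountName:" | awk '{print $2}'` step above works for plain ASCII names but silently drops two things ldapsearch does in its LDIF output: lines longer than 76 characters are folded onto a continuation line that begins with a single space, and values that are not safe ASCII (non-ASCII characters, a leading or trailing space, a leading `:` or `<`) are base64-encoded and written after `::` instead of `:`. The function below is an added example, not code from the page or from OpenLDAP: it unfolds the LDIF and decodes base64 values before extracting the attribute. `LDIF_SAMPLE` is a constructed imitation of ldapsearch output, not a capture from a real DC, and the account names in it are made up.

```bash
# ldif_samaccountnames: read ldapsearch LDIF on stdin, print one sAMAccountName
# per line. Step 1 (awk) joins continuation lines (leading space) back onto the
# line they belong to; step 2 picks the attribute and base64-decodes "::" values.
ldif_samaccountnames() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' |
    while IFS= read -r line; do
        case "$line" in
            'sAMAccountName:: '*) printf '%s' "${line#sAMAccountName:: }" | base64 -d; echo ;;
            'sAMAccountName: '*)  printf '%s\n' "${line#sAMAccountName: }" ;;
        esac
    done
}

# Constructed sample of ldapsearch output. DC01$ is there to show that an
# (objectClass=user) filter also returns computer accounts; the third entry has
# a folded value and the fourth a base64-encoded one ("josé", UTF-8).
LDIF_SAMPLE='# extended LDIF
#
# filter: (objectClass=user)
dn: CN=Administrator,CN=Users,DC=domain,DC=htb
sAMAccountName: Administrator

dn: CN=DC01,OU=Domain Controllers,DC=domain,DC=htb
sAMAccountName: DC01$

dn: CN=svc_long,CN=Users,DC=domain,DC=htb
sAMAccountName: svc_long_name_for_an_application_account_that_ldapsearch_fold
 s_at_76_chars

dn: CN=jose,CN=Users,DC=domain,DC=htb
sAMAccountName:: am9zw6k=

# search result
search: 2
result: 0 Success'

# Usage with a live query (machine accounts can be dropped afterwards with grep -v '\$$'):
#   ldapsearch -H ldap://10.10.10.10 -D 'user@domain.htb' -w 'password' \
#       -b "DC=domain,DC=htb" "(objectClass=user)" sAMAccountName | ldif_samaccountnames
```

The same unfold-then-decode approach applies to any other attribute you pull out of LDIF (`description`, `userPrincipalName`, `memberOf`), which is where folding and base64 encoding show up far more often than in short account names.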
