> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/users-identification.md).

# Users Identification

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

<figure><img src="/files/GxxK42bV8GbvHDinaa4X" alt=""><figcaption></figcaption></figure>

## Guest and null session

{% content-ref url="/pages/3jW53CaRXMUs4f8szugL" %}
[SMB (445, 139) / RPC](/0xss0rz/pentest/protocols/smb-445-139-rpc.md)
{% endcontent-ref %}

### Null Session

```shell-session
$ enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

administrator
guest
krbtgt
lab_adm
htb-student
<SNIP>
```

```shell-session
$ rpcclient -U "" -N 172.16.5.5

rpcclient $> enumdomusers 
```

```shell-session
crackmapexec smb 172.16.5.5 -u '' -p '' --users
nxc smb 10.10.11.35 -u '' -p '' --shares
```

{% hint style="danger" %}
*Find user list, then try ASREPROAST, no credentials needed - getNPUsers.py*
{% endhint %}

### Guest session

```
nxc smb 10.10.11.35 -u 'guest' -p '' --rid-brute
# Create a user list
nxc smb 10.10.118.214 -u 'guest' -p '' --rid-brute | grep '(SidTypeUser)' | awk '{print $6}' | sed 's/DOMAIN\\//'


nxc smb 10.10.11.35 -u 'guest' -p '' --shares
```

## Wordlist &#x20;

{% embed url="<https://github.com/insidetrust/statistically-likely-usernames>" %}

`jsmith.txt` and a lot of usefull username list like **service-accounts.txt** **test-accounts** or top-formats.txt

{% content-ref url="/pages/iiFNDWoM2wvUt4zcADkc" %}
[Username lists](/0xss0rz/pentest/brute-force/username-lists.md)
{% endcontent-ref %}

{% embed url="<https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt>" %}

### From Linkedin

{% embed url="<https://github.com/initstring/linkedin2username>" %}

{% content-ref url="/pages/XEfK2J6XvCHzSjsFjXSY" %}
[Social Media](/0xss0rz/pentest/recon/osint/social-media.md)
{% endcontent-ref %}

## MS-NRPC

Enumerate Domain Users Without Authentication

{% embed url="<https://github.com/sud0Ru/NauthNRPC>" %}

## LDAP&#x20;

### Nom Nom

Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)

{% embed url="<https://github.com/lkarlslund/ldapnomnom>" %}

### Anon

```shell-session
$ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

guest
ACADEMY-EA-DC01$
ACAD
```

Description field

```
# ldapsearch -H ldap://baby.vl -x -b "DC=baby,DC=vl" | fgrep desc
```

```shell-session
$ ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users
[+]	Found 2906 users: 

cn: Guest

cn: Htb Student
userPrincipalName: htb-student@inlanefreight.local
```

{% hint style="danger" %}
*Find user list, then try ASREPROAST, no credentials needed - getNPUsers.py*
{% endhint %}

### NXC

```
nxc ldap 192.168.1.48 -u "user.txt" -p '' -k
```

<figure><img src="/files/BqNIWr05VN49Xvp8pllM" alt=""><figcaption></figcaption></figure>

## Kerbrute

Precompiled release:

{% embed url="<https://github.com/ropnop/kerbrute>" %}

```shell-session
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
```

```
$ vim valid_ad_users.txt
$ awk '{print $NF}' valid_ad_users.txt >> ad_users.txt
```

{% hint style="danger" %}
*kerbrute doesn't always find asreproastable accounts. Always try getNPusers.py to find asreproastable accounts (doesn't require credentials, just a list of users).*
{% endhint %}

<figure><img src="/files/gYdX0p2xyMcfL4ncYP3V" alt=""><figcaption></figcaption></figure>

{% content-ref url="/pages/FPIbdosGSrSHYzhw5i4w" %}
[Misconfiguration](/0xss0rz/pentest/internal-pentest/misconfiguration.md)
{% endcontent-ref %}

## LLMNR NBT-NS Poisoning

{% content-ref url="/pages/C3VfH3HrzKTrQ8j6TNyn" %}
[LLMNR NBT-NS Poisoning](/0xss0rz/pentest/internal-pentest/llmnr-nbt-ns-poisoning.md)
{% endcontent-ref %}

## Authent

```shell-session
sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users
```

```
$ sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users > users.txt
$ cat users.txt | awk '{ print $5 }' | cut -d '\' -f2 > final_users.txt
```

### Windows

```powershell-session
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
```

Or With GUI: Properties -> Security -> Advanced -> Effective Access -> Select a User -> Advanced -> Object Types then "Find Now"

<figure><img src="/files/mGatVSVUx9ebRTFIbYaL" alt=""><figcaption></figcaption></figure>

Columns to Add Descriptions

<figure><img src="/files/YcE8HAAkfk2uvmh8kuRk" alt=""><figcaption></figcaption></figure>

### ADrecon

```powershell
.\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser
```

```powershell-session
PS C:\htb> .\ADRecon.ps1

[*] ADRecon v1.1 by Prashant Mahajan (@prashant3535)
[*] Running on INLANEFREIGHT.LOCAL\MS01 - Member Server
[*] Commencing - 03/28/2022 09:24:58
[-] Domain
[-] Forest
[-] Trusts
[-] Sites
[-] Subnets
[-] SchemaHistory - May take some time
[-] Default Password Policy
[-] Fine Grained Password Policy - May need a Privileged Account
[-] Domain Controllers
[-] Users and SPNs - May take some time
[-] PasswordAttributes - Experimental
[-] Groups and Membership Changes - May take some time
[-] Group Memberships - May take some time
[-] OrganizationalUnits (OUs)
[-] GPOs
[-] gPLinks - Scope of Management (SOM)
[-] DNS Zones and Records
[-] Printers
[-] Computers and SPNs - May take some time
[-] LAPS - Needs Privileged Account
[-] BitLocker Recovery Keys - Needs Privileged Account
[-] GPOReport - May take some time
[*] Total Execution Time (mins): 11.05
[*] Output Directory: C:\Tools\ADRecon-Report-20220328092458
```

### NXC

```
nxc ldap 192.168.1.48 -u raj -p Password@1 –-users

# Active users

nxc ldap 192.168.1.48 -u raj -p Password@1 --active-users

# Domain admins

nxc ldap 192.168.1.48 -u raj -p Password@1 --admin-count

# Users description

nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users

# Get Users Password

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword
nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-unixUserPassword
```

<figure><img src="/files/655ghBR7PJd1PqxpYZmJ" alt=""><figcaption></figcaption></figure>

### Enumerate all user sessions on a host with normal User privileges

As long as the remote registry is running

```
--reg-sessions
```

<figure><img src="/files/dex2hnNF3L5K6ivmI65H" alt=""><figcaption></figcaption></figure>
