Making a Target User list

SMB NULL Session to Pull User List

# Using enum4linux
enum4linux -U ip  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

# Using rpcclient
rpcclient -U "" -N ip

# Using CrackMapExec --users Flag
crackmapexec smb ip --users

Gathering Users with LDAP Anonymous

# Using ldapsearch
ldapsearch -h ip -x -b "DC=DOMAIN,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

# Using windapsearch
./windapsearch.py --dc-ip ip -u "" -U

Enumerating Users with Kerbrute

# Kerbrute User Enumeration
kerbrute userenum -d domain.local --dc ip /opt/jsmith.txt

User Enumeration with Valid Credentials

# Using CrackMapExec with Valid Credentials
sudo crackmapexec smb ip -u eren -p pass --users

PreviousEnumerating & Retrieving Password Policies NextInternal Password Spraying - from Linux

Last updated 1 year ago