# Using enum4linux
enum4linux -U ip | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
# Using rpcclient
rpcclient -U "" -N ip
# Using CrackMapExec --users Flag
crackmapexec smb ip --users
Gathering Users with LDAP Anonymous
# Using ldapsearch
ldapsearch -h ip -x -b "DC=DOMAIN,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
# Using windapsearch
./windapsearch.py --dc-ip ip -u "" -U
Enumerating Users with Kerbrute
# Kerbrute User Enumeration
kerbrute userenum -d domain.local --dc ip /opt/jsmith.txt
User Enumeration with Valid Credentials
# Using CrackMapExec with Valid Credentials
sudo crackmapexec smb ip -u eren -p pass --users