Password Spraying - Making a Target User List ACTIVE Directory

• By leveraging an SMB NULL session

  • retrieve a complete list of domain users from the domain controller

• Utilizing an LDAP anonymous bind to query LDAP anonymously

  • pull down the domain user list

• Use tool such as

  • Kerbrute to validate users utilizing a word list

    • from a source such as the

      • linkedin2username

      • statistically-likely-usernames

    • LLMNR Poisoning

Using enum4linux

SMB NULL Session to Pull User List

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

administrator
guest
krbtgt

Using rpcclient

SMB NULL Session to Pull User List

Using CrackMapExec --users Flag

SMB NULL Session to Pull User List

Gathering Users with LDAP Anonymous

• Some examples include windapsearch and ldapsearch.

Using ldapsearch

Using windapsearch

windapsearch

Enumerating Users with Kerbrute

• look into statistically-likely-usernames for username list

  • linkedin2username

  • jsmith.txt is from this list

• Using Kerbrute for username enumeration will generate event ID 4768: A Kerberos authentication ticket (TGT) was requested

  • will be triggered if Kerberos event logging is enabled via Group Policy

Credentialed Enumeration to Build our User List

• With valid credentials,

  • can use any of the tools stated previously to build a user list. A quick and easy way is using CrackMapExec.

Using CrackMapExec with Valid Credentials