user-enum-without-access

Enum4linux

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

OR

enum4linux-ng -P "$ip" -oA "$out"

RPCClient

rpcclient -U "" -N 172.16.5.5 -c "enumdomusers; querydominfo; exit"

RID enum

for i in $(seq 500 50000);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)"|grep "User Name\|user_rid\|group_rid" && echo "";done

OR

ridenum 192.168.1.236 500 50000

Kerberos

kerbrute userenum /opt/SecLists/Usernames/cirt-default-usernames.txt --dc dc01.manager.htb -d manager.htb

Netexec

nxc smb 172.16.5.5 --users

nxc smb 172.16.5.5 -u user -p password --users

Impacket

impacket-lookupsid -no-pass domain.local

ldapsearch

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

ldapsearch -x -b "DC=active,DC=htb" -s sub "(&(objectclass=user))" -H ldap://active.htb | grep sAMAccountName: | cut -f2 -d" "

Windapsearch

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

windapsearch -m users -u '' -p '' -d 172.16.5.5

Validate users

kerbrute userenum -d inlanefreight.local --dc 172.16.7.3 /opt/jsmith.txt

Previoususer-enum-with-access Nextwmic

Last updated 1 day ago