Finding Users

  • Assumes a port scan is running or done and we already know we are in an AD environment

Find Users

cme $target -u '' -p '' --users
enum4linux -A $target
lookupsids DOMAIN/guest@$target
rpcclient -U "" $target
# at the rpcclient prompt:
enumdomusers
ldapsearch -x -H ldap://$target -s base namingContexts
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>
  • If none of the above returns names, start a list from whatever names you do find, run namemash.py over it to generate candidate username formats, then validate the candidates:

kerbrute userenum -d domain.name --dc $target usernamelist.txt
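From the blue-team side, both krb5-enum-users and kerbrute userenum leave a burst of Event ID 4768 (TGT requested) entries with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) on the DC, one per guessed name that does not exist. The following is an added example (not part of these notes) that flags client addresses producing many such failures for distinct names inside a short window; the sample events, addresses and threshold are constructed.

```python
"""Flag hosts generating bursts of Kerberos TGT requests for unknown
principals (Event ID 4768, Result Code 0x6), the footprint left by
username enumeration against a DC.  All sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4768 events as a DC would log them (not real data).
SAMPLE_EVENTS = [
    # time, client address, account name, result code
    ("2024-05-01 09:00:00", "::ffff:10.0.0.50", "aadmin",  "0x6"),
    ("2024-05-01 09:00:00", "::ffff:10.0.0.50", "abaker",  "0x6"),
    ("2024-05-01 09:00:01", "::ffff:10.0.0.50", "jsmith",  "0x0"),  # valid user
    ("2024-05-01 09:00:01", "::ffff:10.0.0.50", "acarter", "0x6"),
    ("2024-05-01 09:00:02", "::ffff:10.0.0.50", "adavis",  "0x6"),
    ("2024-05-01 09:00:02", "::ffff:10.0.0.50", "aevans",  "0x6"),
    ("2024-05-01 09:00:03", "::ffff:10.0.0.50", "afoster", "0x6"),
    ("2024-05-01 09:05:00", "::ffff:10.0.0.7",  "jsmitth", "0x6"),  # one typo
    ("2024-05-01 09:05:04", "::ffff:10.0.0.7",  "jsmith",  "0x0"),
]

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_enumeration_sources(events, threshold=5, window_seconds=60):
    """Return {client: n} for clients that requested TGTs for at least
    `threshold` DISTINCT non-existent accounts within `window_seconds`.
    Counting distinct names keeps one user repeatedly mistyping their
    own login from tripping the rule."""
    window = timedelta(seconds=window_seconds)
    per_client = defaultdict(list)  # client -> [(time, account)]
    for ts, client, account, code in events:
        if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_client[client].append((parse_time(ts), account.lower()))

    flagged = {}
    for client, hits in per_client.items():
        hits.sort()  # slide a window over the chronologically ordered failures
        for i, (start, _) in enumerate(hits):
            names = {name for t, name in hits[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[client] = len(names)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration_sources(SAMPLE_EVENTS))  # {'::ffff:10.0.0.50': 6}
```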

Get Password Policy

cme $target -u '' -p '' --pass-pol

Dump LDAP

  • windapsearch

# query users
windapsearch -m users --dc DCIP

# query login names
windapsearch -m users --attrs UserPrincipalName --dc DCIP | awk -F"Name:" '{print $2}' | awk '!/^$/'

# descriptions (often contain passwords)
windapsearch -m users --attrs Description --dc DCIP

# query all attributes for password
windapsearch -m users --full --dc DCIP | grep -i password
