By leveraging an SMB NULL session to retrieve a complete list of domain users from the domain controller
Using an LDAP anonymous bind to query the directory without credentials and pull down the domain user list
Using a tool such as Kerbrute to validate candidate usernames, taken from a source such as the GitHub repo, or gathered by using a tool such as to create a list of potentially valid users
Using a set of credentials from a Linux or Windows attack system, either provided by our client or obtained by other means, such as LLMNR/NBT-NS response poisoning with Responder or a successful password spray with a smaller wordlist
No matter the method we choose, it is also vital to consider the domain password policy before spraying, in particular the account lockout threshold and lockout observation window, so that the spray does not lock out the very accounts we have just enumerated.
SMB NULL Session to Pull User List
If you are on an internal machine but don’t have valid domain credentials, you can look for SMB NULL sessions or LDAP anonymous binds on Domain Controllers.
is an easier tool to work with, but it is worth running both if the first one does not return what we want.
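Whichever tool pulls the raw list, its output has to be reduced to one clean username per line before a password-spraying tool can use it. The Python below is an added example, not code from the original page or from any of the tools it mentions. It assumes the output formats of three common tools: the user:[name] rid:[x] lines printed by rpcclient's enumdomusers command over a NULL session (enum4linux -U prints the same lines), the sAMAccountName attributes in ldapsearch LDIF output from an anonymous bind, including the double-colon base64 form ldapsearch uses for non-ASCII values, and Kerbrute's VALID USERNAME lines. The sample outputs, the domain corp.example, the usernames and the set of excluded accounts are all constructed for the example.

```python
import base64
import re

# Constructed sample outputs for this example (not captured from a real domain).
# Produced by: rpcclient -U "" -N <dc-ip> -c enumdomusers   (enum4linux -U prints identical lines)
RPCCLIENT_OUTPUT = """\
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[lab_adm] rid:[0x3e9]
user:[avazquez] rid:[0x458]
user:[pfalcon] rid:[0x459]
"""

# Produced by: ldapsearch -x -H ldap://<dc-ip> -b "DC=corp,DC=example" "(objectClass=user)" sAMAccountName
# Note the base64 ("::") value: ldapsearch encodes any value that is not plain printable ASCII.
LDAPSEARCH_OUTPUT = """\
# extended LDIF
dn: CN=Annie Vazquez,OU=Employees,DC=corp,DC=example
sAMAccountName: avazquez

dn: CN=Paul Falcon,OU=Employees,DC=corp,DC=example
sAMAccountName: pfalcon

dn: CN=DC01,OU=Domain Controllers,DC=corp,DC=example
sAMAccountName: DC01$

dn: CN=Jan Mueller,OU=Employees,DC=corp,DC=example
sAMAccountName:: am3DvGxsZXI=
"""

# Produced by: kerbrute userenum -d corp.example --dc <dc-ip> <wordlist>
KERBRUTE_OUTPUT = """\
2024/05/01 09:03:00 >  Using KDC(s):
2024/05/01 09:03:00 >  \t10.10.1.5:88
2024/05/01 09:03:01 >  [+] VALID USERNAME:\t avazquez@corp.example
2024/05/01 09:03:02 >  [+] VALID USERNAME:\t jjones@corp.example
2024/05/01 09:03:04 >  [+] VALID USERNAME:\t sbrown@corp.example
2024/05/01 09:03:12 >  Done! Tested 48705 usernames (3 valid) in 12.000 seconds
"""

RPC_USER_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
LDIF_SAM_RE = re.compile(r"^sAMAccountName(?P<sep>::?) (?P<value>.+)$")
KERBRUTE_RE = re.compile(r"VALID USERNAME:\s+(?P<upn>\S+)")

# Accounts that are normally disabled or never worth spraying (assumption for the example).
EXCLUDED_ACCOUNTS = {"guest", "krbtgt"}


def parse_rpcclient(text):
    """Usernames from rpcclient/enum4linux 'user:[name] rid:[0x..]' lines, in output order."""
    return [m.group("name") for m in RPC_USER_RE.finditer(text)]


def _unfold_ldif(text):
    """LDIF folds long values onto continuation lines that start with one space; rejoin them."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldapsearch(text):
    """sAMAccountName values from LDIF, decoding the '::' base64 form ldapsearch emits."""
    names = []
    for line in _unfold_ldif(text):
        m = LDIF_SAM_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if m.group("sep") == "::":
            value = base64.b64decode(value).decode("utf-8")
        names.append(value)
    return names


def parse_kerbrute(text):
    """Validated usernames from Kerbrute output, with the @realm suffix stripped."""
    return [m.group("upn").split("@", 1)[0] for m in KERBRUTE_RE.finditer(text)]


def build_target_list(*sources):
    """Merge name lists into one lowercase, de-duplicated, sorted spray list.
    Machine accounts (trailing '$') and the excluded built-ins are dropped."""
    targets = set()
    for names in sources:
        for name in names:
            n = name.strip().lower()
            if n and not n.endswith("$") and n not in EXCLUDED_ACCOUNTS:
                targets.add(n)
    return sorted(targets)


if __name__ == "__main__":
    users = build_target_list(parse_rpcclient(RPCCLIENT_OUTPUT),
                              parse_ldapsearch(LDAPSEARCH_OUTPUT),
                              parse_kerbrute(KERBRUTE_OUTPUT))
    print("\n".join(users))  # one username per line, ready for a spraying tool
```

Running the script prints the merged list one name per line, which is the format tools such as Kerbrute's passwordspray mode expect on stdin or in a file. The machine-account filter matters for the LDAP source: a plain (objectClass=user) filter returns computer objects as well as people, so without it the spray list contains DC01$ and friends.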
is a wordlist of 48,705 common usernames in the flast format (first initial followed by last name). The .
IMPORTANT: We've checked over 48,000 usernames in just over 12 seconds and discovered 50+ valid ones. Using Kerbrute for username enumeration will generate event ID on the domain controller, one event per username tested. This will only be logged if is enabled via Group Policy, but where it is, defenders can alert on a burst of these events naming many different accounts from a single source host, which is exactly the footprint a Kerbrute run leaves.
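The event referred to above is the Windows Security log's TGT-request event, ID 4768 ("A Kerberos authentication ticket (TGT) was requested"). The Python below is an added example, not code from the original page or from Kerbrute, of the detection a defender would tune a SIEM for: group 4768 records by source IP, slide a time window over them, and alert when one host requests tickets for many distinct accounts. It runs over a constructed sample of reduced 4768 records (not real telemetry); the field names, the 60-second window, the 20-account threshold and the use of the event's Result Code (0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN, for a username that does not exist) as a secondary signal are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event "A Kerberos authentication ticket (TGT) was requested".
TGT_REQUEST_EVENT_ID = 4768
# KDC result code for a principal that does not exist (KDC_ERR_C_PRINCIPAL_UNKNOWN).
UNKNOWN_PRINCIPAL = "0x6"


def _event(ts, user, ip, status="0x0"):
    # Reduced 4768 record: the real event carries many more fields; these are the ones used here.
    return {"time": ts, "event_id": TGT_REQUEST_EVENT_ID, "target_user": user, "ip": ip, "status": status}


def constructed_sample():
    """Constructed log sample (not real telemetry): benign logons plus one enumeration burst."""
    events = []
    base = datetime(2024, 5, 1, 9, 0, 0)
    # Benign: one workstation requesting TGTs for the same user every two minutes.
    for i in range(5):
        events.append(_event(base + timedelta(minutes=2 * i), "jjones", "10.10.1.50"))
    # Suspicious: 50 distinct usernames from one host in about 12 seconds, most of them
    # unknown to the KDC, which is the shape a Kerbrute userenum run leaves behind.
    start = base + timedelta(minutes=3)
    for i in range(50):
        valid = i % 10 == 0
        events.append(_event(start + timedelta(milliseconds=240 * i),
                             f"user{i:03d}", "10.10.5.23",
                             "0x0" if valid else UNKNOWN_PRINCIPAL))
    return events


def detect_tgt_user_enumeration(events, window=timedelta(seconds=60), min_distinct_users=20):
    """Return one alert per source IP whose 4768 events name at least `min_distinct_users`
    different accounts inside some window of length `window`.

    For each IP the events are sorted by time and a two-pointer sliding window finds the
    window with the most distinct target accounts; the alert reports that window together
    with the share of requests the KDC rejected as unknown principals."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == TGT_REQUEST_EVENT_ID:
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best_window, best_users = None, set()
        left = 0
        for right in range(len(evs)):
            while evs[right]["time"] - evs[left]["time"] > window:
                left += 1
            current = evs[left:right + 1]
            users = {e["target_user"].lower() for e in current}
            if len(users) > len(best_users):
                best_window, best_users = current, users
        if len(best_users) >= min_distinct_users:
            unknown = sum(1 for e in best_window if e["status"] == UNKNOWN_PRINCIPAL)
            alerts.append({
                "ip": ip,
                "distinct_users": len(best_users),
                "unknown_principal_ratio": round(unknown / len(best_window), 2),
                "window_start": best_window[0]["time"].isoformat(),
                "window_end": best_window[-1]["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_tgt_user_enumeration(constructed_sample()):
        print(alert)
```

The distinct-account count is the primary signal because it separates enumeration from a busy but legitimate host: a jump server can generate hundreds of 4768 events, but for a handful of accounts. The unknown-principal ratio is a tie-breaker for triage, since a wordlist-driven run produces far more names the KDC has never heard of than a misconfigured client would. Thresholds need tuning per environment; a 20-account threshold would be noisy on a host running a legitimate directory-synchronisation job.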
NOTE: If we are unable to create a valid username list using any of the methods highlighted above, we can fall back on external information gathering. to create possible usernames, and other open-source tools are our best options there.