Domain User Enumeration

Remote


Multi-Protocol

enum4linux -a <IP>
SMB
nxc smb <IP> -u '' -p '' --users
RPC
rpcclient -U "" -N <IP>
enumdomusers
queryuser 0x457 <---user RID
LDAP
ldapsearch -x -b "DC=HTB,DC=LOCAL" -s sub "(&(objectclass=user))" -H ldap://<IP> | grep -i samaccountname: | cut -f 2 -d " "
nxc ldap <IP> -u '' -p '' --users
python3 windapsearch.py --dc-ip <dcip> -u user@domain -p 'pass' --da
python3 windapsearch.py --dc-ip <dcip> -u user@domain -p <pass> -PU
Check logged-in users
nxc smb <IP> -u '' -p '' --loggedon-users

Brute force usernames


kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175

Generate userlists


Username Anarchy

sudo apt install ruby -y
git clone https://github.com/urbanadventurer/username-anarchy.git
cd username-anarchy
./username-anarchy Jane Smith > jane_smith_usernames.txt

Validate Known Usernames


kerbrute userenum -d <DOMAIN> users.txt

Add a username that is known not to exist to users.txt as a negative control, to make sure the server is properly validating.