⚔️5 - Enumetion with Users

User Listing

Okay, when we get an account on an AD, the first thing is get the full list of users
Then, we will try to do password spay on the full user list and others things

GetADUsers.py -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople 
#############################################
*] Querying north.sevenkingdoms.local for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2024-03-21 07:22:01.918652  2024-03-21 08:40:40.480814 
Guest                                                 <never>              <never>             
vagrant                                               2025-02-27 02:38:40.892622  2024-03-25 14:40:38.798991 
cloudbase-init                                        2024-03-21 07:29:56.449067  2024-03-21 07:29:57.214679 
krbtgt                                                2024-03-21 07:51:43.874316  <never>             
                                                      2024-03-21 08:01:45.856181  <never>             
arya.stark                                            2024-03-21 08:06:52.607469  <never>             
eddard.stark                                          2024-03-21 08:06:55.935719  2025-05-29 08:24:15.738364 
catelyn.stark                                         2024-03-21 08:06:58.670196  2024-08-07 11:24:05.239650 
robb.stark                                            2024-03-21 08:07:01.076535  2025-05-29 08:27:30.504028 
sansa.stark                                           2024-03-21 08:07:03.357892  <never>             
brandon.stark                                         2024-03-21 08:07:05.842337  2025-05-29 08:02:34.269612 
rickon.stark                                          2024-03-21 08:07:08.279928  <never>             
hodor                                                 2024-03-21 08:07:10.858158  2024-04-14 18:23:50.155847 
jon.snow                                              2024-03-21 08:07:13.201986  2025-05-16 06:01:09.359987 
samwell.tarly                                         2024-03-21 08:07:15.561443  2025-05-16 06:35:54.656866 
jeor.mormont                                          2024-03-21 08:07:17.998728  2025-05-16 06:27:00.859958 
sql_svc                                               2024-03-21 08:07:20.573801  2025-02-27 02:40:46.912372

Now, we can enum more users with the nxc -->

nxc smb north.sevenkingdoms.local -u 'brandon.stark' -p 'iseedeadpeople' --users

Enumerate Ldap

ldapsearch -H ldap://192.168.56.11 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'

This is a upgrade command of ldapsearch

To end, ldap query we can request users of the others domain

## essos.local
ldapsearch -H ldap://192.168.56.12 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b ',DC=essos,DC=local' "(&(objectCategory=person)(objectClass=user))"
## sevenkingdoms.local
ldapsearch -H ldap://192.168.56.10 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"

nxc smb 192.168.56.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares

Enumerate DNS

adidnsdump -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' winterfell.north.sevenkingdoms.local

This save into a .cvs, see that

Previous4.3 - ASREP Roasting Next5.1 - Kerberoasting

Last updated 6 months ago

User Listing

Enumerate Ldap

Share Enumerate

Enumerate DNS