⚔️5 - Enumeration with Users

User Listing

  • Okay, once we have an account in an AD domain, the first thing to do is get the full list of users

  • Then we will try password spraying on the full user list, among other things

GetADUsers.py -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople 
#############################################
[*] Querying north.sevenkingdoms.local for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2024-03-21 07:22:01.918652  2024-03-21 08:40:40.480814 
Guest                                                 <never>              <never>             
vagrant                                               2025-02-27 02:38:40.892622  2024-03-25 14:40:38.798991 
cloudbase-init                                        2024-03-21 07:29:56.449067  2024-03-21 07:29:57.214679 
krbtgt                                                2024-03-21 07:51:43.874316  <never>             
                                                      2024-03-21 08:01:45.856181  <never>             
arya.stark                                            2024-03-21 08:06:52.607469  <never>             
eddard.stark                                          2024-03-21 08:06:55.935719  2025-05-29 08:24:15.738364 
catelyn.stark                                         2024-03-21 08:06:58.670196  2024-08-07 11:24:05.239650 
robb.stark                                            2024-03-21 08:07:01.076535  2025-05-29 08:27:30.504028 
sansa.stark                                           2024-03-21 08:07:03.357892  <never>             
brandon.stark                                         2024-03-21 08:07:05.842337  2025-05-29 08:02:34.269612 
rickon.stark                                          2024-03-21 08:07:08.279928  <never>             
hodor                                                 2024-03-21 08:07:10.858158  2024-04-14 18:23:50.155847 
jon.snow                                              2024-03-21 08:07:13.201986  2025-05-16 06:01:09.359987 
samwell.tarly                                         2024-03-21 08:07:15.561443  2025-05-16 06:35:54.656866 
jeor.mormont                                          2024-03-21 08:07:17.998728  2025-05-16 06:27:00.859958 
sql_svc                                               2024-03-21 08:07:20.573801  2025-02-27 02:40:46.912372 
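A listing like the one above is also what a defender reviews to find dormant accounts (never logged on, idle for months, password never rotated), which are exactly the ones a spray run picks off. The script below is an added example, not part of the original notes and not an Impacket tool: it parses a GetADUsers.py-style table and reports those accounts. The table rows embedded in it are constructed for the example (same column layout as the output above, not the real lab data), and the cutoffs (365 days for password age, 90 days idle) are assumptions to tune to your own policy.

```python
"""Review a GetADUsers.py-style user listing for dormant and stale accounts."""
import re
from datetime import datetime, timedelta

# Constructed sample in the column layout that "GetADUsers.py -all" prints.
# These rows are made up for the example; they are not the lab's real output.
SAMPLE_LISTING = """\
Name                  Email                           PasswordLastSet      LastLogon
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2024-03-21 07:22:01.918652  2024-03-21 08:40:40.480814
Guest                                                 <never>              <never>
krbtgt                                                2024-03-21 07:51:43.874316  <never>
arya.stark                                            2024-03-21 08:06:52.607469  <never>
eddard.stark                                          2024-03-21 08:06:55.935719  2025-05-29 08:24:15.738364
sql_svc                                               2024-03-21 08:07:20.573801  2025-02-27 02:40:46.912372
"""

# A timestamp column is either "<never>" or "YYYY-MM-DD HH:MM:SS[.ffffff]".
_TS = r"<never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?"
# name, optional e-mail (contains "@"), PasswordLastSet, LastLogon
_ROW = re.compile(rf"^(\S+)\s+(?:(\S+@\S+)\s+)?({_TS})\s+({_TS})\s*$")


def _parse_ts(value):
    """'<never>' -> None; otherwise a datetime (fractional seconds optional)."""
    if value == "<never>":
        return None
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_user_listing(text):
    """Turn the printed table into a list of dicts; header/separator rows are skipped."""
    users = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:  # header, separator, or a row without a readable name
            continue
        name, email, pwd_set, last_logon = m.groups()
        users.append({
            "name": name,
            "email": email or "",
            "password_last_set": _parse_ts(pwd_set),
            "last_logon": _parse_ts(last_logon),
        })
    return users


def review_accounts(users, now, max_password_age_days=365, max_idle_days=90):
    """Flag accounts that never logged on, are idle, or have an old password."""
    findings = {"never_logged_on": [], "stale_password": [], "idle": []}
    pwd_cutoff = now - timedelta(days=max_password_age_days)
    idle_cutoff = now - timedelta(days=max_idle_days)
    for u in users:
        if u["last_logon"] is None:
            findings["never_logged_on"].append(u["name"])
        elif u["last_logon"] < idle_cutoff:
            findings["idle"].append(u["name"])
        # "<never>" for PasswordLastSet is reported separately by LastLogon; skip it here
        if u["password_last_set"] is not None and u["password_last_set"] < pwd_cutoff:
            findings["stale_password"].append(u["name"])
    return findings


def sample_report(now=None):
    """Run the review over the constructed sample with a fixed reference date."""
    now = now or datetime(2025, 6, 1)  # fixed so the result is reproducible
    return review_accounts(parse_user_listing(SAMPLE_LISTING), now)


if __name__ == "__main__":
    for category, names in sample_report().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Accounts on the never-logged-on and idle lists are candidates for disabling, and the stale-password list is where a rotation policy is not being enforced (service accounts such as sql_svc typically show up here).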

Now we can enumerate more users with nxc -->

nxc smb north.sevenkingdoms.local -u 'brandon.stark' -p 'iseedeadpeople' --users

Enumerate LDAP

ldapsearch -H ldap://192.168.56.11 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'

This is an upgraded ldapsearch command: the grep keeps only the distinguishedName lines, so you get one DN per user.

Finally, with an LDAP query we can request the users of the other domains

## essos.local
ldapsearch -H ldap://192.168.56.12 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=essos,DC=local' "(&(objectCategory=person)(objectClass=user))"
## sevenkingdoms.local
ldapsearch -H ldap://192.168.56.10 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"

Share Enumeration

nxc smb 192.168.56.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares

Enumerate DNS

adidnsdump -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' winterfell.north.sevenkingdoms.local

This saves the records into a .csv file; have a look at it.
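On the defensive side, that CSV is a cheap way to audit the zone: wildcard entries, records pointing outside the address space you actually use, and records the dumping account could not read are the ones to look at first. The script below is an added example, not part of the original notes and not part of adidnsdump: it assumes the CSV has the three columns type,name,value (adidnsdump's layout as I recall it) and that unreadable records show up with a type of "?"; the rows embedded in it and the expected network 192.168.56.0/24 are constructed for the example.

```python
"""Review an adidnsdump-style records.csv for entries worth a closer look."""
import csv
import io
import ipaddress

# Constructed sample in the assumed three-column layout (type,name,value).
# These rows are made up for the example; they are not the lab's real zone.
SAMPLE_CSV = """\
type,name,value
NS,@,winterfell.north.sevenkingdoms.local.
A,@,192.168.56.11
A,winterfell,192.168.56.11
A,castelblack,192.168.56.22
A,DomainDnsZones,192.168.56.11
A,*,192.168.56.99
A,vpn-relay,203.0.113.5
?,backup-old,
"""


def parse_records(csv_text):
    """Read the CSV text into a list of {"type", "name", "value"} dicts."""
    return [dict(row) for row in csv.DictReader(io.StringIO(csv_text))]


def review_dns_records(records, expected_networks=("192.168.56.0/24",)):
    """Flag wildcard names, addresses outside the expected networks and unreadable rows."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = {"wildcard": [], "outside_expected": [], "unreadable": []}
    for r in records:
        rtype, name, value = r["type"], r["name"], r["value"]
        if rtype == "?":  # assumed marker for records the account could not read
            findings["unreadable"].append(name)
            continue
        if name == "*":  # a wildcard answers every otherwise-unknown name in the zone
            findings["wildcard"].append(value)
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:  # malformed value, not an address
                continue
            if not any(addr in n for n in nets):
                findings["outside_expected"].append(f"{name} -> {value}")
    return findings


def sample_dns_report():
    """Run the review over the constructed sample."""
    return review_dns_records(parse_records(SAMPLE_CSV))


if __name__ == "__main__":
    for category, entries in sample_dns_report().items():
        print(f"{category}: {', '.join(entries) or '-'}")
```

Point it at the real file with `parse_records(open("records.csv").read())` and adjust expected_networks to your own ranges; anything in the wildcard or outside_expected lists should have an owner you can name.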
