Enumeration - maxbirnbacher/ADPentesting101 GitHub Wiki
To find users, we can use a process called "enumeration".
There are multiple options for this:
- enum4linux
- nmap with kerberos script
- kerbrute
just to name a few.
enum4linux is the fastest approach of the three. It is best suited when anonymous (null session) login is enabled. Note that a DC accepting a null session is not the same as answering queries over it: in the run below the server takes the empty username and password, but every SAMR, LSA, srvsvc and spoolss call comes back with NT_STATUS_ACCESS_DENIED, so no users, password policy, shares or RID-cycling results are returned. That is the typical picture on a modern DC and the signal to fall back to the Kerberos-based methods further down.
enum4linux -a -u "" -p "" 192.168.200.2
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr 21 10:29:56 2024
=========================================( Target Information )=========================================
Target ........... 192.168.200.2
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.200.2 )===========================
[+] Got domain/workgroup name: DOMAIN
===============================( Nbtstat Information for 192.168.200.2 )===============================
Looking up status of 192.168.200.2
WIN-9DMEA2KARL9 <00> - B <ACTIVE> Workstation Service
DOMAIN <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
DOMAIN <1c> - <GROUP> B <ACTIVE> Domain Controllers
WIN-9DMEA2KARL9 <20> - B <ACTIVE> File Server Service
DOMAIN <1b> - B <ACTIVE> Domain Master Browser
MAC Address = 52-54-00-5F-8E-32
===================================( Session Check on 192.168.200.2 )===================================
[+] Server 192.168.200.2 allows sessions using username '', password ''
================================( Getting domain SID for 192.168.200.2 )================================
Domain Name: DOMAIN
Domain Sid: S-1-5-21-1012362987-1514964954-479083960
[+] Host is part of a domain (not a workgroup)
==================================( OS information on 192.168.200.2 )==================================
[E] Cannnot get OS info with smbclient
[+] Got OS info for 192.168.200.2 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on 192.168.200.2 )=======================================
[E] Could not find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Could not find users using enumdomusers: NT_STATUS_ACCESS_DENIED
=================================( Share Enumeration on 192.168.200.2 )=================================
do_connect: Connection to 192.168.200.2 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.200.2
===========================( Password Policy Information for 192.168.200.2 )===========================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.200.2 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.200.2)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
======================================( Groups on 192.168.200.2 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 192.168.200.2 via RID cycling (RIDS: 500-550,1000-1050) )==================
[E] Could not get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
===============================( Getting printer info for 192.168.200.2 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sun Apr 21 10:29:57 2024
nmap ships a Kerberos user-enumeration script, krb5-enum-users, that probes the KDC on port 88. The realm has to be passed explicitly, and a custom wordlist can be supplied through the standard userdb script argument; without one the script uses its built-in list.
nmap -Pn -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" 192.168.200.2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 14:30 CEST
Nmap scan report for 192.168.200.2
Host is up (0.00034s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| user@DOMAIN
|_ administrator@DOMAIN
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Downside: the script is not multithreaded and gets killed when using a larger username list (e.g. 360 MB).
Credits to Ronnie Flathers @ropnop https://github.com/ropnop/kerbrute
kerbrute is a lot more effective, is multithreaded, and does not die on big wordlists. It works by sending an AS-REQ without pre-authentication for each candidate name: the KDC answers KDC_ERR_PREAUTH_REQUIRED for an existing account and KDC_ERR_C_PRINCIPAL_UNKNOWN for a non-existent one. No password is ever tried, so this does not lock accounts out and does not produce failed-logon events; the probing is still visible on the DC as a burst of Kerberos TGT request (4768) events from one source if Kerberos auditing is enabled.
./kerbrute userenum --dc 192.168.200.2 -d domain.local combined_usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/21/24 - Ronnie Flathers @ropnop
2024/04/21 09:28:01 > Using KDC(s):
2024/04/21 09:28:01 > 192.168.200.2:88
2024/04/21 09:29:55 > [+] VALID USERNAME: <redacted>@domain.local
2024/04/21 09:30:07 > [+] VALID USERNAME: <redacted>@domain.local
2024/04/21 09:32:17 > [+] VALID USERNAME: <redacted>@domain.local
[...]
2024/04/21 10:21:07 > [+] VALID USERNAME: <redacted>@domain.local
2024/04/21 10:21:26 > [+] VALID USERNAME: <redacted>@domain.local
2024/04/21 10:22:54 > Done! Tested 22325625 usernames (47 valid) in 3293.081 seconds
Downside of this approach: it takes time. A LOT of time when you want to get all users for a brute force: the run above needed about 55 minutes for 22.3 million candidates. Deduplicating the wordlist first (sAMAccountNames are case-insensitive, so "Alice" and "alice" cost two requests for one answer) and raising the thread count with -t cuts that down considerably.
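The two Kerberos runs above (nmap krb5-enum-users and kerbrute userenum) each leave you with output that still has to be turned into a clean user list, and the kerbrute run shows how much a bloated wordlist costs. The following Python is an added example, not part of the wiki or of either tool: it prunes a candidate list the way the note above suggests (lowercase, trim, dedupe, drop names that can never be a valid sAMAccountName) and extracts confirmed usernames from both output formats. The sample output strings and the usernames in them are constructed for the example; the realm in the kerbrute sample matches the -d domain.local used above.

```python
import re

# Characters that are not allowed in an AD sAMAccountName, plus its 20-character
# limit. Candidates violating either can never be valid, so they are dropped
# before the (slow) Kerberos probing instead of costing an AS-REQ each.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_SAM_MAX_LEN = 20

# kerbrute userenum hit, e.g. "2024/04/21 09:29:55 >  [+] VALID USERNAME:  alice@domain.local"
_KERBRUTE_HIT = re.compile(r"VALID USERNAME:\s+([^@\s]+)@(\S+)")
# nmap krb5-enum-users hit, e.g. "|     alice@DOMAIN" or "|_    administrator@DOMAIN"
_NMAP_HIT = re.compile(r"^\|[_ ]\s*([^@\s]+)@(\S+)\s*$")


def normalize_wordlist(candidates):
    """Shrink a raw username wordlist before probing the KDC.

    sAMAccountNames are matched case-insensitively, so everything is lowercased;
    empties, over-long names, names with forbidden characters and duplicates are
    dropped. First-seen order is preserved so a curated list keeps its priority.
    """
    seen = {}
    for raw in candidates:
        name = raw.strip().lower()
        if not name or len(name) > _SAM_MAX_LEN:
            continue
        if any(ch in _SAM_FORBIDDEN for ch in name):
            continue
        seen.setdefault(name, None)
    return list(seen)


def parse_valid_users(output):
    """Collect confirmed usernames from kerbrute userenum or nmap krb5-enum-users output.

    Returns (users, realms): a sorted list of lowercase usernames and the set of
    realms they were reported for, ready to be written to a users.txt for the
    next phase (password spraying, AS-REP roasting).
    """
    users, realms = set(), set()
    for line in output.splitlines():
        m = _KERBRUTE_HIT.search(line) or _NMAP_HIT.match(line)
        if m:
            users.add(m.group(1).lower())
            realms.add(m.group(2))
    return sorted(users), realms


# Constructed sample output; the usernames are hypothetical, not from the wiki's run.
SAMPLE_KERBRUTE = """\
2024/04/21 09:28:01 >  Using KDC(s):
2024/04/21 09:28:01 >  \t192.168.200.2:88

2024/04/21 09:29:55 >  [+] VALID USERNAME:\t Alice@domain.local
2024/04/21 09:30:07 >  [+] VALID USERNAME:\t administrator@domain.local
2024/04/21 09:32:17 >  [+] VALID USERNAME:\t svc_backup@domain.local
2024/04/21 10:22:54 >  Done! Tested 5 usernames (3 valid) in 12.0 seconds
"""

SAMPLE_NMAP = """\
PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     user@DOMAIN
|_    administrator@DOMAIN
"""

if __name__ == "__main__":
    print(normalize_wordlist(["Alice", "alice", " bob ", "", "x" * 21, "bad|name", "svc_backup"]))
    print(parse_valid_users(SAMPLE_KERBRUTE))
    print(parse_valid_users(SAMPLE_NMAP))
```

Feed the deduplicated list to kerbrute (or nmap's userdb argument) and run parse_valid_users over the saved output; the realm set is returned so a mix-up between the NetBIOS realm used with nmap (DOMAIN) and the DNS realm used with kerbrute (domain.local) is visible rather than silently merged.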
Enumerating shares is relatively easy once you have a user. Use -S to retrieve a list of all shares. In the run below, NETLOGON and SYSVOL map and list (every domain user can read them; they are worth searching for logon scripts and Group Policy files), the Data share maps but is empty at its root (hence NT_STATUS_NO_SUCH_FILE listing \*), and the administrative shares ADMIN$ and C$ are denied for this low-privilege account.
enum4linux -S -u 'saa' -p 'ChangeM3!N0w' 172.27.12.20
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr 23 09:07:19 2024
=========================================( Target Information )=========================================
Target ........... 172.27.12.20
RID Range ........ 500-550,1000-1050
Username ......... 'saa'
Password ......... 'ChangeM3!N0w'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 172.27.12.20 )============================
[E] Can't find workgroup/domain
===================================( Session Check on 172.27.12.20 )===================================
[+] Server 172.27.12.20 allows sessions using username 'saa', password 'ChangeM3!N0w'
================================( Getting domain SID for 172.27.12.20 )================================
Domain Name: TOPHACK
Domain Sid: S-1-5-21-3054250883-2342791404-4174618603
[+] Host is part of a domain (not a workgroup)
=================================( Share Enumeration on 172.27.12.20 )=================================
do_connect: Connection to 172.27.12.20 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 172.27.12.20
//172.27.12.20/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//172.27.12.20/C$ Mapping: DENIED Listing: N/A Writing: N/A
//172.27.12.20/Data Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_NO_SUCH_FILE listing \*
//172.27.12.20/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//172.27.12.20/NETLOGON Mapping: OK Listing: OK Writing: N/A
//172.27.12.20/SYSVOL Mapping: OK Listing: OK Writing: N/A
enum4linux complete on Tue Apr 23 09:07:33 2024
Groups and memberships help plot an attack path. In the output below, Domain Admins contains a second account (sch) besides the built-in Administrator, and Domain Users includes a florian_adm account whose name suggests an administrative role; both are better targets than a random domain user. Pre-Windows 2000 Compatible Access containing Authenticated Users is also worth noting, since it gives every authenticated account read access to most directory objects, which makes later LDAP collection easier.
enum4linux -G -u 'saa' -p 'ChangeM3!N0w' 172.27.12.20
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr 23 09:41:07 2024
=========================================( Target Information )=========================================
Target ........... 172.27.12.20
RID Range ........ 500-550,1000-1050
Username ......... 'saa'
Password ......... 'ChangeM3!N0w'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 172.27.12.20 )============================
[E] Can't find workgroup/domain
===================================( Session Check on 172.27.12.20 )===================================
[+] Server 172.27.12.20 allows sessions using username 'saa', password 'ChangeM3!N0w'
================================( Getting domain SID for 172.27.12.20 )================================
Domain Name: TOPHACK
Domain Sid: S-1-5-21-3054250883-2342791404-4174618603
[+] Host is part of a domain (not a workgroup)
=======================================( Groups on 172.27.12.20 )=======================================
[+] Getting builtin groups:
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: TOPHACK\Domain Users
Group: Guests' (RID: 546) has member: TOPHACK\Guest
Group: Guests' (RID: 546) has member: TOPHACK\Domain Guests
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: IIS_IUSRS' (RID: 568) has member: NT AUTHORITY\IUSR
Group: Administrators' (RID: 544) has member: TOPHACK\Administrator
Group: Administrators' (RID: 544) has member: TOPHACK\Enterprise Admins
Group: Administrators' (RID: 544) has member: TOPHACK\Domain Admins
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: TOPHACK\Read-only Domain Controllers
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
[+] Getting domain group memberships:
Group: 'Domain Controllers' (RID: 516) has member: TOPHACK\TOPHACK-DC$
Group: 'Enterprise Admins' (RID: 519) has member: TOPHACK\Administrator
Group: 'Domain Computers' (RID: 515) has member: TOPHACK\DESKTOP-S47PQR4$
Group: 'Domain Computers' (RID: 515) has member: TOPHACK\WINPC1$
Group: 'Schema Admins' (RID: 518) has member: TOPHACK\Administrator
Group: 'Domain Guests' (RID: 514) has member: TOPHACK\Guest
Group: 'Group Policy Creator Owners' (RID: 520) has member: TOPHACK\Administrator
Group: 'Domain Admins' (RID: 512) has member: TOPHACK\Administrator
Group: 'Domain Admins' (RID: 512) has member: TOPHACK\sch
Group: 'Domain Users' (RID: 513) has member: TOPHACK\Administrator
Group: 'Domain Users' (RID: 513) has member: TOPHACK\krbtgt
Group: 'Domain Users' (RID: 513) has member: TOPHACK\aba
Group: 'Domain Users' (RID: 513) has member: TOPHACK\wes
Group: 'Domain Users' (RID: 513) has member: TOPHACK\sch
Group: 'Domain Users' (RID: 513) has member: TOPHACK\saa
Group: 'Domain Users' (RID: 513) has member: TOPHACK\ram
Group: 'Domain Users' (RID: 513) has member: TOPHACK\jeh
Group: 'Domain Users' (RID: 513) has member: TOPHACK\woh
Group: 'Domain Users' (RID: 513) has member: TOPHACK\florian_adm
enum4linux complete on Tue Apr 23 09:41:26 2024
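Reading through a long -G dump by eye is how the interesting members get missed. The following Python is an added example, not part of the wiki or of enum4linux: it parses the membership lines in the format enum4linux prints (including the builtin section's missing opening quote, as in "Group: Users' (RID: 545)") and reports members of high-value groups that are not there by default, plus whether Pre-Windows 2000 Compatible Access contains Authenticated Users. The sample lines are copied from the TOPHACK output above; the list of high-value groups and of default members is my own selection.

```python
import re

# Membership line as printed by enum4linux -G. Builtin/local sections omit the
# opening quote ("Group: Users' (RID: 545) ..."), domain sections include it
# ("Group: 'Domain Admins' (RID: 512) ..."), so the leading quote is optional.
_MEMBER_LINE = re.compile(
    r"^Group:\s+'?(?P<group>.+?)'\s+\(RID:\s+(?P<rid>\d+)\)\s+has member:\s+(?P<member>.+?)\s*$"
)

# Groups whose membership usually hands you the domain or a short path to it
# (assumption: this selection is mine, not something enum4linux flags).
HIGH_VALUE_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Group Policy Creator Owners", "Account Operators", "Server Operators",
    "Backup Operators", "Print Operators", "DnsAdmins",
}

# Members present in these groups on a fresh domain; they tell you nothing new.
DEFAULT_MEMBERS = {"Administrator", "Domain Admins", "Enterprise Admins"}


def parse_group_members(output):
    """Return {group_name: [members in output order]} from enum4linux -G output."""
    groups = {}
    for line in output.splitlines():
        m = _MEMBER_LINE.match(line.strip())
        if m:
            groups.setdefault(m.group("group"), []).append(m.group("member"))
    return groups


def find_attack_paths(output):
    """Flag the memberships worth following up.

    Returns a dict with
      'privileged': {group: [non-default members]} for the high-value groups, and
      'pre2000_auth_users': True if Pre-Windows 2000 Compatible Access contains
          Authenticated Users (broad read access on directory objects).
    """
    groups = parse_group_members(output)
    privileged = {}
    for group, members in groups.items():
        if group not in HIGH_VALUE_GROUPS:
            continue
        # Strip the DOMAIN\ prefix before comparing against the default names.
        interesting = [m for m in members if m.split("\\")[-1] not in DEFAULT_MEMBERS]
        if interesting:
            privileged[group] = interesting
    pre2000 = groups.get("Pre-Windows 2000 Compatible Access", [])
    return {
        "privileged": privileged,
        "pre2000_auth_users": any(m.endswith("\\Authenticated Users") for m in pre2000),
    }


# Sample lines taken from the enum4linux -G run against TOPHACK above.
SAMPLE = """\
Group: Users' (RID: 545) has member: TOPHACK\\Domain Users
Group: Administrators' (RID: 544) has member: TOPHACK\\Administrator
Group: Administrators' (RID: 544) has member: TOPHACK\\Enterprise Admins
Group: Administrators' (RID: 544) has member: TOPHACK\\Domain Admins
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\\Authenticated Users
Group: 'Domain Admins' (RID: 512) has member: TOPHACK\\Administrator
Group: 'Domain Admins' (RID: 512) has member: TOPHACK\\sch
Group: 'Domain Users' (RID: 513) has member: TOPHACK\\saa
Group: 'Domain Users' (RID: 513) has member: TOPHACK\\florian_adm
"""

if __name__ == "__main__":
    result = find_attack_paths(SAMPLE)
    for group, members in result["privileged"].items():
        print(f"{group}: {', '.join(members)}")
    print("Authenticated Users in Pre-Windows 2000 Compatible Access:", result["pre2000_auth_users"])
```

Run it over the full saved -G output rather than the excerpt; on the TOPHACK dump it reports sch as the one non-default Domain Admin, while Administrators drops out because its members are exactly the defaults. Naming-convention hits such as florian_adm are not caught by group membership alone and still need a look at the Domain Users list.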