Username Enumeration
Now that I have a valid set of domain credentials extracted from the Groups.xml file found in the //ACTIVE.HTB/Replication share, I will first enumerate the domain users.
impacket-lookupsid
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ impacket-lookupsid active.htb/SVC_TGS:GPPstillStandingStrong2k18@$IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.10.100
[*] StringBinding ncacn_np:10.10.10.100[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-405608879-3187717380-1996298813
498: ACTIVE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ACTIVE\Administrator (SidTypeUser)
501: ACTIVE\Guest (SidTypeUser)
502: ACTIVE\krbtgt (SidTypeUser)
512: ACTIVE\Domain Admins (SidTypeGroup)
513: ACTIVE\Domain Users (SidTypeGroup)
514: ACTIVE\Domain Guests (SidTypeGroup)
515: ACTIVE\Domain Computers (SidTypeGroup)
516: ACTIVE\Domain Controllers (SidTypeGroup)
517: ACTIVE\Cert Publishers (SidTypeAlias)
518: ACTIVE\Schema Admins (SidTypeGroup)
519: ACTIVE\Enterprise Admins (SidTypeGroup)
520: ACTIVE\Group Policy Creator Owners (SidTypeGroup)
521: ACTIVE\Read-only Domain Controllers (SidTypeGroup)
553: ACTIVE\RAS and IAS Servers (SidTypeAlias)
571: ACTIVE\Allowed RODC Password Replication Group (SidTypeAlias)
572: ACTIVE\Denied RODC Password Replication Group (SidTypeAlias)
1000: ACTIVE\DC$ (SidTypeUser)
1101: ACTIVE\DnsAdmins (SidTypeAlias)
1102: ACTIVE\DnsUpdateProxy (SidTypeGroup)
1103: ACTIVE\SVC_TGS (SidTypeUser)
impacket-lookupsid is a great tool for enumerating users. It brute forces RIDs through the LSARPC interface, carried as MS-RPC over the SMB named pipe (the StringBinding ncacn_np:...[\pipe\lsarpc] line above), so it can be very noisy.
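The lookupsid output above is just text, so it helps to turn it into structured records before using it: separating user accounts from groups and aliases, machine accounts (trailing $) from human ones, and well-known built-in RIDs from RIDs the domain allocated itself (1000 and up). The parser below is an added example, not part of the original writeup or of Impacket; SAMPLE_OUTPUT is a constructed subset of the output shown above, and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the impacket-lookupsid output shown above.
SAMPLE_OUTPUT = """\
[*] Domain SID is: S-1-5-21-405608879-3187717380-1996298813
500: ACTIVE\\Administrator (SidTypeUser)
501: ACTIVE\\Guest (SidTypeUser)
502: ACTIVE\\krbtgt (SidTypeUser)
512: ACTIVE\\Domain Admins (SidTypeGroup)
1000: ACTIVE\\DC$ (SidTypeUser)
1101: ACTIVE\\DnsAdmins (SidTypeAlias)
1103: ACTIVE\\SVC_TGS (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType...>)" is the per-principal line lookupsid prints.
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")
DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")

@dataclass(frozen=True)
class SidEntry:
    rid: int
    domain: str
    name: str
    sid_type: str

def parse_lookupsid(output: str):
    """Return (domain_sid, [SidEntry, ...]) parsed from raw lookupsid output."""
    domain_sid = None
    entries = []
    for line in output.splitlines():
        m = DOMAIN_SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            rid, domain, name, sid_type = m.groups()
            entries.append(SidEntry(int(rid), domain, name, sid_type))
    return domain_sid, entries

def user_accounts(entries, include_machines=False):
    """Names of SidTypeUser entries; machine accounts (trailing '$') are skipped unless asked for."""
    return [e.name for e in entries
            if e.sid_type == "SidTypeUser" and (include_machines or not e.name.endswith("$"))]

def domain_created(entries):
    """RIDs from 1000 upward are allocated by the domain; lower RIDs are well-known built-ins."""
    return [e for e in entries if e.rid >= 1000]
```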
impacket-GetADUsers
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ impacket-GetADUsers 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -all -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Querying 10.10.10.100 for information about domain.
Name                  Email                           PasswordLastSet              LastLogon
--------------------  ------------------------------  ---------------------------  ---------------------------
Administrator                                         2018-07-18 21:06:40.351723   2023-01-31 09:41:33.907718
Guest                                                 <never>                      <never>
krbtgt                                                2018-07-18 20:50:36.972031   <never>
SVC_TGS                                               2018-07-18 22:14:38.402764   2023-01-31 11:14:44.395938
impacket-GetADUsers uses LDAP to enumerate domain users and is much quieter than impacket-lookupsid.