There are several ways that we can gather a target list of valid users:
- By leveraging an SMB NULL session to retrieve a complete list of domain users from the domain controller
- Utilizing an LDAP anonymous bind to query LDAP anonymously and pull down the domain user list
- Using a tool such as Kerbrute to validate users, utilizing a word list from a source such as the statistically-likely-usernames GitHub repo, or one gathered by using a tool such as linkedin2username to create a list of potentially valid users
- Using a set of credentials from a Linux or Windows attack system, either provided by our client or obtained through another means such as LLMNR/NBT-NS response poisoning using Responder or even a successful password spray using a smaller wordlist
Tools such as windapsearch make this easier (though we should still understand how to create our own LDAP search filters). Here we specify anonymous access by providing a blank username with the -u flag, and add the -U flag to tell the tool to retrieve just users.
Using windapsearch
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 2906 users:
cn: Guest
cn: Htb Student
userPrincipalName: htb-student@inlanefreight.local
cn: Annie Vazquez
userPrincipalName: avazquez@inlanefreight.local
cn: Paul Falcon
userPrincipalName: pfalcon@inlanefreight.local
cn: Fae Anthony
userPrincipalName: fanthony@inlanefreight.local
cn: Walter Dillard
userPrincipalName: wdillard@inlanefreight.local
<SNIP>
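To illustrate the point above about understanding LDAP search filters, here is an added example (not from the original page or the windapsearch project): a small evaluator for a subset of filter syntax, run over constructed entries. The filter strings, entry data and function names are assumptions chosen for illustration.

```python
# Added example: evaluates a subset of LDAP filter syntax (&, |, !, attr=value,
# attr=*). No substring matches; comparison is case-insensitive (simplified).

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i:i + 1] == "!":
        kid, i = parse(f, i + 1)
        node = ("!", kid)
    else:
        end = f.index(")", i)  # raises ValueError if the item is unterminated
        attr, _, value = f[i:end].partition("=")
        node = ("=", attr.lower(), value.lower())
        i = end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value in values

USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [  # constructed sample data; objectCategory reduced to its short name
    {"cn": ["Sample User"], "objectclass": USER, "objectcategory": ["person"],
     "userprincipalname": ["suser@example.local"]},
    {"cn": ["Guest"], "objectclass": USER, "objectcategory": ["person"]},
    {"cn": ["WS01"], "objectclass": USER + ["computer"], "objectcategory": ["computer"]},
    {"cn": ["Domain Admins"], "objectclass": ["top", "group"], "objectcategory": ["group"]},
]

def search(filter_text, entries=ENTRIES):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]
```

On this data, (objectClass=user) alone also selects the computer account WS01, because AD computer objects inherit from the user class; adding (objectCategory=person) narrows the result to user accounts.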