Domain User Enumeration


Everyone loves being able to speed up their work with custom tools, but the obvious problem is that computers are fussy about everything being perfect and exact. One very specific place this comes up is when working with users on a domain. No matter how you get a list of users, it comes packaged with all sorts of small things like inconsistent spacing and visual details that offer no real value. This is no problem for a person, who has no trouble telling the fluff apart from the data we actually need. While I am sure there is a startup somewhere boasting about how easily its “AI” can do the same, I doubt you want to create Skynet every time you need to parse the output of a command.

The best example of where a username list is useful is a simple password spraying attack. All it needs is a small list of common passwords and a list of domain users. It stops being so simple when there are far more users than you want to type into a list by hand. Simply put, when faced with hundreds or thousands of users in a domain, manually adding them to a list so you can run this attack is not the best use of your time. With two commands (one, if you combine them into a single script), you can sit back and let people’s bad judgement in passwords do your work for you. Relaxing!
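The same property that makes a spray cheap for the attacker (one or two guesses per account, so no single account is ever locked out) is what gives it away on the defender's side: one source producing logon failures against many distinct accounts in a short window. The following is an added example, not code from this post or from the linked script; the event records are constructed to look like the fields of Windows Security event 4625, and the window size and account threshold are assumptions to tune against your own logs.

```python
"""Spot the failed-logon shape of a password spray: one source, many accounts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data: the three fields of a Windows Security
# event 4625 (logon failure) that the check needs: time, source IP, target account.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "10.0.0.15", "alice"),
    ("2024-05-01T09:00:02", "10.0.0.15", "bob"),
    ("2024-05-01T09:00:03", "10.0.0.15", "carol"),
    ("2024-05-01T09:00:04", "10.0.0.15", "dave"),
    ("2024-05-01T09:00:05", "10.0.0.15", "erin"),
    ("2024-05-01T09:00:06", "10.0.0.15", "frank"),
    ("2024-05-01T09:03:10", "10.0.0.22", "alice"),   # a few failures from a helpdesk host
    ("2024-05-01T09:03:40", "10.0.0.22", "bob"),
    ("2024-05-01T09:04:05", "10.0.0.22", "carol"),
    ("2024-05-01T09:05:00", "10.0.0.40", "alice"),   # one user mistyping their own password
    ("2024-05-01T09:05:30", "10.0.0.40", "alice"),
]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted target accounts} for every source that failed
    to log on to at least `min_accounts` distinct accounts within `window`.

    A spray tries one password against many accounts, so each account sees
    only one or two failures and never reaches the lockout threshold; the
    signal lives in the per-source count of distinct accounts instead.
    The window and threshold are assumed values; tune them to your own logs.
    """
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))

    hits = {}
    for src, rows in by_source.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:  # slide the window start forward
                lo += 1
            accounts = {user for _, user in rows[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts | set(hits.get(src, ())))
    return hits


if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {len(accounts)} distinct accounts -> {', '.join(accounts)}")
```

With the sample data only 10.0.0.15 is flagged: the helpdesk host touched three accounts (below the threshold) and the user retrying their own password touched one. Lowering `min_accounts` to 3 would also flag the helpdesk host, which is the usual tuning trade-off for this check.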

Several commands and one-liners for generating the username list seemed to work at first but broke or became useless at higher numbers of users on the domain. To address this, I wrote a short script that simply takes the output of “net users /domain” and writes the usernames to a text file, one name per line. We have used this script successfully in situations where we had to parse thousands of names; it holds up fine and gets through them quickly. Feel free to use it to save yourself a few minutes some time in the future: https://github.com/duckingtoniii/Powershell-Domain-User-Enumeration
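To make the parsing step concrete, here is an added example of the same transformation in Python; it is not the linked PowerShell script and not code from this post. The sample output below is constructed to match the layout `net user /domain` prints (banner lines, a dashed separator, three padded columns, a completion line), and the parser relies on the fact that net.exe pads each column to 25 characters while a user sAMAccountName is at most 20, so neighbouring names are always separated by more than one space. The same one-name-per-line list is just as useful on the defensive side, for example to diff the account inventory between audits.

```python
"""Parse the text output of `net user /domain` into one username per line."""
import re

# Constructed sample output (not captured from a real domain); the banner and
# the three 25-character columns follow net.exe's usual layout.
SAMPLE_OUTPUT = """\
The request will be processed at a domain controller for domain corp.example.

User accounts for \\\\DC01.corp.example

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
alice.smith              bob                      carol-j
svc backup               dave
The command completed successfully.
"""

# net.exe pads each column to 25 characters and a user sAMAccountName is at most
# 20 characters, so neighbouring names are always separated by several spaces;
# a single space can therefore only occur inside a name (e.g. "svc backup").
_COLUMN_GAP = re.compile(r" {2,}")


def parse_net_user_output(text: str) -> list[str]:
    """Return the usernames from `net user /domain` output, in display order."""
    lines = text.splitlines()
    try:  # the names start after the dashed separator line
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        return []  # not net user output (an error message, wrong command, ...)
    names: list[str] = []
    for line in lines[start + 1:]:
        if line.startswith("The command completed"):
            break
        for name in _COLUMN_GAP.split(line.strip()):
            if name:  # skips blank lines and trailing padding
                names.append(name)
    return names


def to_user_list(text: str) -> str:
    """One username per line with a trailing newline, ready to write to a file."""
    return "".join(name + "\n" for name in parse_net_user_output(text))


if __name__ == "__main__":
    import sys
    # Usage: net user /domain > users.txt, then: python parse_net_user.py users.txt
    # (errors="replace" copes with the OEM code page net.exe writes in).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_OUTPUT
    sys.stdout.write(to_user_list(raw))
```

Splitting on runs of two or more spaces rather than on any whitespace is the detail that keeps the parser correct on names that contain a space, which a whitespace-split one-liner silently breaks into two fake accounts.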