AllTheUsers!




Introduction

Depending on the type of engagement, user enumeration may be required at some point. The methods discussed in this post are quite loud and probably not useful for anything sneaky. Nevertheless, they work, and they can help move from an unauthenticated position to an authenticated one.

So, the areas covered will be: null sessions and RPC, SNMP, OSINT (with Kerberos validation) and SMB.

I will try to cover common tools and build some tools for each method.

Null Sessions and RPC



For me, there's an obvious tool here: CrackMapExec. This tool does a lot, but I'm only going to reference one tiny function.

The command:

cme smb 192.168.50.53 -u '' -p '' --users

A snippet of the output:

SMB         10.10.11.53     445    DC-WIN12         [+] Enumerated domain user(s)
SMB         10.10.11.53     445    DC-WIN12         lab.local\Administrator                  badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Guest                          badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\krbtgt                         badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\standard.user                  badpwdcount: 0 baddpwdtime: 2018-10-18 14:56:58
SMB         10.10.11.53     445    DC-WIN12         lab.local\Amber.Quinn                    badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Ebonie.Brown                   badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Devorah.Fowler                 badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Demarcus.Jordan                badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Darwin.Le                      badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Remedios.Miller                badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Kristopher.Maynard             badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Brice.Flores                   badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Mina.Turner                    badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Karie.Newman                   badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Olimpia.Curtis                 badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Laquanda.Humphrey              badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Jacqui.Lester                  badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Rosann.Kirk                    badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Nathanial.Campos               badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Renita.Bass                    badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Mao.Pollard                    badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Oliva.Waters                   badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45
SMB         10.10.11.53     445    DC-WIN12         lab.local\Alton.Boyer                    badpwdcount: 0 baddpwdtime: 1600-12-31 23:58:45

Bear in mind that you can do this with creds as well: just put them between the quotes instead of leaving them empty.

An honourable mention is the --rid-brute flag. This will simply brute-force the RIDs.

SNMP

SNMP user enumeration is the newest method I have learnt, and luckily SNMP is a simple protocol. It uses MIBs to describe specific kinds of information, and one object in particular is what this technique needs.

The OID 1.3.6.1.4.1.77.1.2.25 comes from the LanManager MIB and is the table of active user accounts on the server.

Walking everything the agent exposes is easy enough and can be done with snmpwalk -c public -v1 192.168.50.53:

iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 Model 158 Stepping 9 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 9600 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.3
iso.3.6.1.2.1.1.3.0 = Timeticks: (664615) 1:50:46.15
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "farfaraway.swamp.onion"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 22
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.4 = INTEGER: 4
iso.3.6.1.2.1.2.2.1.1.5 = INTEGER: 5
iso.3.6.1.2.1.2.2.1.1.6 = INTEGER: 6
iso.3.6.1.2.1.2.2.1.1.7 = INTEGER: 7

The output from this command can be a lot, so the above is just a snippet of it. With snmpwalk, a specific OID can be requested instead: snmpwalk -c public -v1 192.168.50.53 1.3.6.1.4.1.77.1.2.25

iso.3.6.1.4.1.77.1.2.25.1.1.4.70.105.102.105 = STRING: "Fifi"
iso.3.6.1.4.1.77.1.2.25.1.1.5.68.111.114.105.115 = STRING: "Doris"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.5.82.97.111.117.108 = STRING: "Raoul"
iso.3.6.1.4.1.77.1.2.25.1.1.5.83.117.103.97.114 = STRING: "Sugar"
iso.3.6.1.4.1.77.1.2.25.1.1.5.83.117.122.105.101 = STRING: "Suzie"
iso.3.6.1.4.1.77.1.2.25.1.1.5.115.104.114.101.107 = STRING: "shrek"
iso.3.6.1.4.1.77.1.2.25.1.1.6.66.114.111.103.97.110 = STRING: "Brogan"
iso.3.6.1.4.1.77.1.2.25.1.1.6.67.111.111.107.105.101 = STRING: "Cookie"
iso.3.6.1.4.1.77.1.2.25.1.1.6.68.111.110.107.101.121 = STRING: "Donkey"
iso.3.6.1.4.1.77.1.2.25.1.1.6.68.114.97.103.111.110 = STRING: "Dragon"
iso.3.6.1.4.1.77.1.2.25.1.1.6.73.109.101.108.100.97 = STRING: "Imelda"
iso.3.6.1.4.1.77.1.2.25.1.1.6.77.101.114.108.105.110 = STRING: "Merlin"
iso.3.6.1.4.1.77.1.2.25.1.1.6.107.114.98.116.103.116 = STRING: "krbtgt"
iso.3.6.1.4.1.77.1.2.25.1.1.7.67.121.99.108.111.112.115 = STRING: "Cyclops"
iso.3.6.1.4.1.77.1.2.25.1.1.7.87.105.116.99.104.101.115 = STRING: "Witches"
iso.3.6.1.4.1.77.1.2.25.1.1.8.68.114.111.110.107.101.121.115 = STRING: "Dronkeys"
iso.3.6.1.4.1.77.1.2.25.1.1.8.71.114.101.116.99.104.101.100 = STRING: "Gretched"
iso.3.6.1.4.1.77.1.2.25.1.1.8.77.114.46.77.111.111.114.101 = STRING: "Mr.Moore"
iso.3.6.1.4.1.77.1.2.25.1.1.8.82.97.112.117.110.122.101.108 = STRING: "Rapunzel"
iso.3.6.1.4.1.77.1.2.25.1.1.9.70.117.114.110.105.116.117.114.101 = STRING: "Furniture"
iso.3.6.1.4.1.77.1.2.25.1.1.9.71.117.105.110.101.118.101.114.101 = STRING: "Guinevere"
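The OID index of each row above is the name's length followed by its ASCII byte values (4.70.105.102.105 is "Fifi"), so the account name can be recovered from the index alone, even when the STRING value is missing or hex-encoded. As an added example that is not from the original post, this Python decodes those indexes from snmpwalk output; the sample lines are constructed from the output above.

```python
# Added example (not the post's own script): decode user names from the OID
# index of the LanManager user table, 1.3.6.1.4.1.77.1.2.25.
# Each row index is <length>.<byte>.<byte>... (e.g. 4.70.105.102.105 -> "Fifi").
USER_TABLE = "1.3.6.1.4.1.77.1.2.25.1.1."

# Constructed sample in the exact form snmpwalk prints it.
SAMPLE = """\
iso.3.6.1.4.1.77.1.2.25.1.1.4.70.105.102.105 = STRING: "Fifi"
iso.3.6.1.4.1.77.1.2.25.1.1.8.77.114.46.77.111.111.114.101 = STRING: "Mr.Moore"
iso.3.6.1.4.1.77.1.2.25.1.1.6.107.114.98.116.103.116 = STRING: "krbtgt"
"""


def decode_index(index):
    """Turn '4.70.105.102.105' into 'Fifi', checking the declared length."""
    parts = [int(p) for p in index.split(".")]
    length, codes = parts[0], parts[1:]
    if length != len(codes):
        raise ValueError(f"declared length {length} but {len(codes)} bytes follow")
    return bytes(codes).decode("ascii")


def users_from_walk(text):
    """Return every account name found in snmpwalk output for the user table."""
    names = []
    for line in text.splitlines():
        # snmpwalk prints the root arc as 'iso.'; normalise it back to '1.'
        oid = line.split(" = ", 1)[0].replace("iso.", "1.", 1)
        if oid.startswith(USER_TABLE):
            names.append(decode_index(oid[len(USER_TABLE):]))
    return names


if __name__ == "__main__":
    print("\n".join(users_from_walk(SAMPLE)))
```

Pointing the same snmpwalk at your own agents and feeding the output through this is a quick way to confirm whether the user table is readable with nothing more than the community string.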

A small bash script for better output:

#!/bin/bash
# Usage: ./snmpusers.sh <host> <community>
# Walks the LanManager user table and prints one account name per line.

MIB='1.3.6.1.4.1.77.1.2.25'
VERSION='v1'
HOST="$1"
COMMUNITY="$2"

if [ -z "$HOST" ] || [ -z "$COMMUNITY" ]; then
    echo "Usage: $0 <host> <community>" >&2
    exit 1
fi

# Keep only the text after 'STRING: ' and strip the surrounding quotes
snmpwalk -c "$COMMUNITY" -"$VERSION" "$HOST" "$MIB" | awk -F 'STRING: ' '{print $2}' | tr -d '"'

Running the script gives:

Fifi
Doris
Guest
Raoul
Sugar
Suzie
shrek
Brogan
Cookie
Donkey
Dragon
Imelda
Merlin
krbtgt
Cyclops
Witches
Dronkeys
Gretched
Mr.Moore
Rapunzel


OSINT

NOTE: I wrote this post before I built Linky. Naturally, I'd recommend using that. I wrote about it here, but the following will still also work. Maybe.

Open Source Intelligence is a good way to get a list of usernames before beginning an internal assessment. There are a few tools to do this: theHarvester, the PhantomBuster API and LinkedInt. My personal preference is the PhantomBuster API.

Once it has run, the results can be saved as a JSON or CSV file:

url,name,firstName,lastName,job,location,query,category,timestamp,currentJob,pastJob,error
https://www.linkedin.com/in/michaelranaldo/,Michael Ranaldo,Michael,Ranaldo,Security Consultant at MDSec,United Kingdom,mdsec,People,2019-05-05T18:54:56.424Z,,,
https://www.linkedin.com/in/brandon-mcgrath/,Brandon McGrath,Brandon,McGrath,Security Consultant at MDSec,"Stockport, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,,,
https://www.linkedin.com/in/marcuspinto1/,Marcus Pinto,Marcus,Pinto,"Owner, MDSec","Sutton, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,Current: Director at MDSec,,
https://www.linkedin.com/in/dominicchell/,Dominic Chell,Dominic,Chell,Owner at MDSec,"Stockport, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,Summary: ...) - Founding director of MDSec - Subject matter expert...,,
https://www.linkedin.com/in/mdsec-glynn77/,Richard Glynn,Richard,Glynn,Business Development Consultant at MDSec,"Manchester, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,,,
https://www.linkedin.com/in/ryan-chell-a667527/,Ryan Chell,Ryan,Chell,Director of Business Development at MDSec,"Stockport, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,,,
https://www.linkedin.com/in/paul-dalton-671b783a/,Paul Dalton,Paul,Dalton,Security Consultant at MDSec,"Manchester, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,,,
https://www.linkedin.com/in/amanda-biggs-5aa832/,Amanda Biggs,Amanda,Biggs,Client Relationship Manager at MDSec,United Kingdom,mdsec,People,2019-05-05T18:54:56.424Z,,,
https://www.linkedin.com/in/kyle-trevena-184474103/,Kyle Trevena,Kyle,Trevena,Internal Account Manager at MDSec,"Stockport, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,"Summary: I'm currently working for MDSec, as an Internal Account Manager. I've been with MDSec over three...",,
https://www.linkedin.com/in/james-williams-0bb23140/,James Williams,James,Williams,Security Consultant @ MDSec,"Chester, United Kingdom",mdsec,People,2019-05-05T18:54:56.424Z,Current: Security Consultant at MDSec,,
https://www.linkedin.com/in/adam-chester-b590833b/,Adam Chester,Adam,Chester,Service Lead - Red Team and Infrastructure at MDSec,"Warrington, United Kingdom",mdsec,People,2019-05-05T18:55:00.800Z,,Past: Security Consultant at MDSec,

The above is easy to parse and provides a pretty good list of names. This is the only method here that doesn't return names in the domain's own username format, so they need converting. This script turns full names into several kinds of username scheme: python3 useyusers.py -i users.txt -s9:

adam.chester
amanda.biggs
brandon.mcgrath
dominic.chell
james.williams
kyle.trevena
marcus.pinto
michael.ranaldo
paul.dalton
richard.glynn
ryan.chell
a.chester
a.biggs
b.mcgrath
d.chell
j.williams
k.trevena
m.pinto
m.ranaldo
p.dalton
r.glynn

This list still needs to be validated, which is possible via Kerberos or Office 365.

This example will use Kerberos, but see this post for the O365 explanation.

So, Kerberos: nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='swamp.onion',userdb=users.txt 192.168.0.1

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-05 20:24 BST
Nmap scan report for farfaraway.swamp.onion (192.168.50.53)
Host is up (0.00039s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|     Pinocchio@swamp.onion
|     Gretched@swamp.onion
|     Jack.and.Jill@swamp.onion
|     Cinderella@swamp.onion
|     The.Pied.Piper@swamp.onion
|     Raoul@swamp.onion
|     Dronkeys@swamp.onion
|     Sleeping.Beauty@swamp.onion
|     Prince.Charming@swamp.onion
|     Queen.Lillian@swamp.onion
|     Humpty.Dumpty@swamp.onion
|     Three.Blind.Mice@swamp.onion
|     Monsieur.Robin.Hood@swamp.onion
|     The.Black.Knight@swamp.onion
|     Puss.in.Boots@swamp.onion
|     Princess.Fiona@swamp.onion
|     Fairy.Godmother@swamp.onion
|     Fifi@swamp.onion
|     Rapunzel@swamp.onion
|     Furniture@swamp.onion
|     Doris@swamp.onion
|     Donkey@swamp.onion
|     Headless.Horseman@swamp.onion
|     Witches@swamp.onion
|     Cyclops@swamp.onion
|     Great.Terror@swamp.onion
|     Kitty.Softpaws@swamp.onion
|     Captain.Hook@swamp.onion
|     Cookie@swamp.onion
|     Sugar@swamp.onion
|     Imelda@swamp.onion
|     King.Harold@swamp.onion
|     The.Puppet.Master@swamp.onion
|     The.Evil.Queen@swamp.onion
|     Snow.White@swamp.onion
|     Dragon@swamp.onion
|     Lord.Farquaad@swamp.onion
|     Guinevere@swamp.onion
|     Sir.Lancelot@swamp.onion
|     The.Evil.Trees@swamp.onion
|_    Three.Little.Pigs@swamp.onion

Easy.
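From the other side of the wire, the check above leaves a footprint: for every name in the wordlist that does not exist, the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN, which a domain controller records as event 4768 with Status 0x6. As an added example that is not from the original post, this Python flags a source that produces a burst of those; the event lines are constructed, and the threshold and window are assumptions to tune per environment.

```python
# Added example (not the post's own code): spot Kerberos user enumeration in
# domain controller logs. Each 4768 failure with Status 0x6 means "principal
# unknown"; many distinct unknown names from one client in a short window is
# the pattern a wordlist check leaves behind.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # distinct unknown names from one client (assumed)
WINDOW = timedelta(minutes=2)   # ... seen within this window (assumed)

# Constructed sample, one 4768 event per line: time|event id|Status|IpAddress|TargetUserName
SAMPLE_EVENTS = """\
2019-05-05T20:24:01|4768|0x0|::ffff:192.168.50.20|Fifi
2019-05-05T20:24:02|4768|0x6|::ffff:192.168.50.99|Gingy
2019-05-05T20:24:02|4768|0x6|::ffff:192.168.50.99|Thelonius
2019-05-05T20:24:03|4768|0x6|::ffff:192.168.50.99|Mongo
2019-05-05T20:24:03|4768|0x6|::ffff:192.168.50.99|Big.Bad.Wolf
2019-05-05T20:24:04|4768|0x6|::ffff:192.168.50.99|Muffin.Man
2019-05-05T20:24:04|4768|0x6|::ffff:192.168.50.99|Ogre.Baby
2019-05-05T20:31:00|4768|0x6|::ffff:192.168.50.20|Doriss
"""


def parse_events(text):
    """Yield (timestamp, event_id, status, client_ip, name) for each line."""
    for line in text.splitlines():
        ts, event_id, status, ip, name = line.split("|")
        yield datetime.fromisoformat(ts), event_id, status.lower(), ip, name


def find_enumeration(text, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: sorted unknown names} for every client that asked for
    at least `threshold` distinct non-existent principals inside `window`."""
    per_ip = defaultdict(list)
    for ts, event_id, status, ip, name in parse_events(text):
        if event_id == "4768" and status == "0x6":   # KDC_ERR_C_PRINCIPAL_UNKNOWN
            per_ip[ip].append((ts, name))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        for start, _ in hits:   # slide the window over each failure time
            inside = {n for t, n in hits if start <= t <= start + window}
            if len(inside) >= threshold:
                flagged[ip] = sorted({n for _, n in hits})
                break
    return flagged


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} unknown principals, e.g. {names[:3]}")
```

A single typo like the last sample line stays below the threshold, which is the point of counting distinct names per client rather than alerting on every 0x6.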

SMB

Another quick way to enumerate users is with SMB.

This script is available within the Nmap NSE scripts: rw-r--r-- 1 root root 12531 Jan 9 15:01 smb-enum-users.nse

Annoyingly, I couldn't get this one to work within my lab environment. But here is the command:

nmap --script smb-enum-users.nse -p445 192.168.0.1

In the output below, you can see the SAMR pipe return the dreaded NT_STATUS_ACCESS_DENIED error.

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack ttl 128
MAC Address: 08:00:27:9B:05:0F (Oracle VirtualBox virtual NIC)

Host script results:
| smb-enum-users: 
|   ERROR: Couldn't enumerate users
|   ERROR: SAMR returned NT_STATUS_ACCESS_DENIED (samr.connect4)
|_  ERROR: LSA returned NT_STATUS_INVALID_PARAMETER (lsa.lookupnames2)
Final times for host: srtt: 277 rttvar: 3825  to: 100000


Conclusion

These were a few of the user enumeration techniques I'm aware of. There are several more, but I haven't got around to building the lab environments just yet. Someday, maybe.