Making a target user list

Detailed User Enum

To mount a password spray, we need a list of valid domain usernames and/or password policy
Getting valid usernames:
- SMB NULL SESSION - list of domain users
- LDAP anonymous bind - pull domain user list
- Kerbrute - validate usernames from a wordlist
  - statistically-likely-usernames GitHub repo, or linkedin2username to create a list of potentially valid users
- set of creds - found through responder, or provided by the client, or a smaller password spray
Getting Password Policy - previous module
- If no password policy - "Jai Gajanan" password spray is the only option
Always keep a log of our password spraying activities, including, but not limited to:
- The accounts targeted
- Domain Controller used in the attack
- Time of the spray
- Date of the spray
- Password(s) attempted

If on an internal machine without domain creds.
If you have credentials for a domain user or SYSTEM access on a Windows host, you can easily query AD for this information.
Tools - enum4linux, rpcclient, crackmapexec

When LDAP Anonymous Bind is allowed, we can use windapsearch and ldapsearch.

ldapsearch -H 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
- -u "" - anonymous login
- -U - get a list of users

get the jsmith.txt wordlist from here - https://github.com/insidetrust/statistically-likely-usernames
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

impacket-GetNPUsers DANTE.ADMIN/ -dc-ip 172.16.2.5 -no-pass -usersfile old-emps.txt