Users
WINDOWS
User Search
PS C:\> dsquery user
Checking User Property
(Property is ServicePrincipalName)
PS C:\> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
NET
net user /domain # List all users of the domain
net user <ACCOUNT_NAME> /domain # Get information about a user within the domain
net user %username% # Information about the current user
PowerView
Domain User Information
PS C:\> Get-DomainUser -Identity sol -Domain militech.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Testing for Local Admin Access
PS C:\> Test-AdminAccess -ComputerName MILITECH-MS13
Finding Users With SPN Set
PS C:\> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Users with no Password Required
PS C:\> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
SharpView
Domain User Information
PS C:\> .\SharpView.exe Get-DomainUser -Identity sol
LINUX
CrackMapExec
CME Domain User
sudo crackmapexec smb 13.13.13.13 -u sol -p PASSWORD123 --users
sudo crackmapexec smb 13.13.13.13 -u sol -p PASSWORD123 --loggedon-users # List logged-on users
RPCClient
User Enumeration
rpcclient -U "" -N 13.13.13.13 # Get RPC Console
rpcclient $> enumdomusers # Enum all users
rpcclient $> queryuser 0x371 # Enumerate a specific user by its RID
Windapsearch
Domain Admins
python3 windapsearch.py --dc-ip 13.13.13.13 -u sol@militech.local -p PASSWORD123 --da
Privileged Users
python3 windapsearch.py --dc-ip 13.13.13.13 -u sol@militech.local -p PASSWORD123 -PU