Users

WINDOWS

PS C:\> dsquery user

Checking User Property

(Property is ServicePrincipalName)

PS C:\> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

NET

net user /domain # List all users of the domain

net user <ACCOUNT_NAME> /domain # Get information about a user within the domain

net user %username% # Information about the current user

PowerView

Domain User Information

PS C:\> Get-DomainUser -Identity sol -Domain militech.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

Testing for Local Admin Access

PS C:\> Test-AdminAccess -ComputerName MILITECH-MS13

Finding Users With SPN Set

PS C:\> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

Users with no Password

PS C:\> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
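The two PowerView queries above (users with an SPN set, users with PASSWD_NOTREQD) both rely on reading the userAccountControl bitmask and the servicePrincipalName attribute. The following Python script is an added example, not part of the original cheat sheet or of PowerView: it decodes the bitmask with the documented ADS_USER_FLAG constant values and audits a constructed set of user records (the names, values and SPNs are invented for illustration) so that an administrator can spot the same weak settings in their own export.

```python
# Added example (not from the original page): decode userAccountControl and
# flag settings a defender should review. Flag values are the documented
# ADS_USER_FLAG constants; the SAMPLE_USERS records are constructed.

# Subset of userAccountControl bits, keyed by bit value.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags worth a review ticket, with a short reason each.
RISKY_FLAGS = {
    "PASSWD_NOTREQD": "empty password allowed",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication disabled",
    "USE_DES_KEY_ONLY": "DES-only Kerberos keys",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "DONT_EXPIRE_PASSWORD": "password never expires",
}


def decode_uac(value):
    """Return the names of the bits set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_user(user):
    """Return a list of (samaccountname, reason) findings for one record."""
    name = user["samaccountname"]
    flags = decode_uac(user["useraccountcontrol"])
    if "ACCOUNTDISABLE" in flags:
        return []  # a disabled account cannot authenticate; nothing to report
    findings = [(name, RISKY_FLAGS[f]) for f in flags if f in RISKY_FLAGS]
    # An SPN on a user (not computer) account means its service ticket is
    # encrypted with that user's password hash, so the password strength
    # matters; a privileged account here is the higher-priority finding.
    if user.get("serviceprincipalname"):
        if user.get("admincount") == 1:
            findings.append((name, "SPN on privileged account"))
        else:
            findings.append((name, "SPN on user account"))
    return findings


def audit_users(users):
    """Audit every record and return the combined finding list."""
    return [f for u in users for f in audit_user(u)]


# Constructed sample export (what a Select-Object over Get-DomainUser yields).
SAMPLE_USERS = [
    {"samaccountname": "sol", "useraccountcontrol": 512,
     "serviceprincipalname": [], "admincount": 0},
    {"samaccountname": "svc_sql", "useraccountcontrol": 66048,
     "serviceprincipalname": ["MSSQLSvc/db01.example.local:1433"], "admincount": 1},
    {"samaccountname": "tmp", "useraccountcontrol": 544,
     "serviceprincipalname": [], "admincount": 0},
    {"samaccountname": "old", "useraccountcontrol": 514,
     "serviceprincipalname": [], "admincount": 0},
]

if __name__ == "__main__":
    for account, reason in audit_users(SAMPLE_USERS):
        print(f"{account}: {reason}")
```

Feeding a real export is a matter of replacing SAMPLE_USERS with the CSV or JSON produced by Get-ADUser or Get-DomainUser; the decode step is the same because useraccountcontrol is stored as a plain integer. The usual fixes for the findings are a gMSA for service accounts instead of a user with an SPN, and clearing PASSWD_NOTREQD after confirming a real password is set.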

SharpView

Domain User Information

PS C:\> .\SharpView.exe Get-DomainUser -Identity sol

LINUX

CrackMapExec

CME Domain User

sudo crackmapexec smb 13.13.13.13 -u sol -p PASSWORD123 --users # List domain users
sudo crackmapexec smb 13.13.13.13 -u sol -p PASSWORD123 --loggedon-users # List logged-on users

RPCClient

User Enumeration

rpcclient -U "" -N 13.13.13.13 # Open an RPC console over a null session
rpcclient $> enumdomusers # Enumerate all domain users
rpcclient $> queryuser 0x371 # Query a specific user by its RID

Windapsearch


Domain Admins

python3 windapsearch.py --dc-ip 13.13.13.13 -u sol@militech.local -p PASSWORD123 --da

Privileged Users

python3 windapsearch.py --dc-ip 13.13.13.13 -u sol@militech.local -p PASSWORD123 -PU