Skip to content

My Hacking Notes

Username Enumeration

My Hacking Notes

Home
OSINT
Network Scanning
Ports / Services
Port Forwarding and Tunnelling
Password Cracking
Password Cracking
- Hashcat
- Wordlists
Windows
Windows
- Workstations
  Workstations
  - Privilege Escalation
- Active Directory
  Active Directory
  - Methodology
  - Remote Execution Tools
  - PowerShell Commands
  - CMD Commands
  - Relay & Coercion
    Relay & Coercion
    
    Relay (ntlmrelayx)
    
    RPC Coercion
    
    Responder
    
    mitm6
    
    Insecure Name Resolution Protocols
    
    WPAD
    
    Exchange Coercion (PrivExchange)
  - Discovery & Audit
    Discovery & Audit
    
    SMB & RPC Enumeration
    
    SMB Shares & Data Hunting
    
    LDAP Checks
    
    BloodHound
    
    User Enumeration
    
    Password Spraying
  - Privilege Escalation
    Privilege Escalation
    
    ADCS Discovery
    
    ADCS - ESC 1
    
    ADCS - ESC 8
    
    Shadow Credentials
    
    BadSuccessor (dMSA Abuse)
    
    ZeroLogon
  - Credential Access
    Credential Access
    
    SAM/SECURITY/SYSTEM
    
    DCSync
    
    DPAPI
    
    AutoLogon
    
    GPP/SYSVOL Credential Leaks
  - Delegation
    Delegation
    
    Discovery
    
    Resource Based Constrained Delegation (RBCD)
    
    Unconstrained Delegation (KUD)
    
    Constrained Delegation (KCD)
  - Kerberos
    Kerberos
    
    Authentication Process
    
    S4U2self and S4U2Proxy
    
    Password / Hash -> TGT
    
    AS-REP Roast
    
    Kerberoast
    
    Ticket Forgery
    Ticket Forgery
    
    Golden Ticket
    
    Silver Ticket
- File Transfer
  File Transfer
  - Download to Windows
  - Upload from Windows
Microsoft Entra ID (Azure AD)
Microsoft Entra ID (Azure AD)
- Discovery & Recon
  Discovery & Recon
  - Federated vs Managed
  - Username Enumeration Username Enumeration
    Table of contents
    
    Username List
    
    Username Scraping Tools
    
    CrossLinked
    
    Username Validation Tools
    
    Trevorspray
    
    Enumeration Methods
    
    OneDrive
    
    Azure Seamless SSO
    
    Teamfiltration
    
    Enumeration Methods / Flags
    
    Teams API
    
    GetCredential Type
    
    OneDrive
- Password Spraying
  Password Spraying
  - Tools
WiFi
WiFi
CTF Walkthroughs
CTF Walkthroughs
- Proving Grounds
  Proving Grounds
  - Cassios
  - Cobweb
  - Muddy
  - Forward

Username Enumeration¶

Gather potential usernames
Validate usernames

Username List¶

https://github.com/insidetrust/statistically-likely-usernames

Username Scraping Tools¶

CrossLinked¶

https://github.com/m8sec/CrossLinked

Linkedin username scraper
Credential-free

Username Validation Tools¶

Trevorspray¶

Enumerate valid users

trevorspray --recon <domain> -u <user_list>

Enumeration Methods¶

OneDrive¶

req/s: thread-limited; no server-side rate limiting (use --threads and optional --ssh/--proxy)
Compares 403 vs 404 when a user has initialized OneDrive
Credential-free
Can miss users who never launched OneDrive.
New hires, service accounts, etc.

Azure Seamless SSO¶

req/s: slower; subject to server throttling; only if tenant uses Seamless SSO
Credential-free

Teamfiltration¶

IP Rotation uses FireProx
- Requires AWS API Gateway.

Enumeration Methods / Flags¶

Teams API¶

Flag: --validate-teams
Request rate: ~300/s
Requires M365 account (Teams-enabled license, e.g., Business Basic), no MFA

GetCredential Type¶

Flag: --validate-msol
Request rate: ~20/s
Credential-free

OneDrive¶

Flag: --validate-onedrive
Request rate: ~300 req/s
Credential-free