Username Enumeration

LDAP

  • Usually requires authentication, though not always.
  • Filter out disabled and stale accounts.
  • Collect sAMAccountName and userPrincipalName (UPN) values.

RID/SAMR null session (if permitted)

rpcclient -U '' -N <host> -c 'lsaquery'
rpcclient -U '' -N <host> -c 'lookupsids <domain-sid>-500-55000'

Brute Force

Kerberos user enumeration:
kerbrute userenum -d <domain> --dc <dc-ip> <userlist>
  • Username wordlists: https://github.com/insidetrust/statistically-likely-usernames

  • Single-attempt portal error-diff (OWA/ADFS/RDWeb/etc.):
    • Submit one login per candidate with a known-bad password.
    • Compare responses for “user not found” vs “wrong password”: error text, HTTP status or redirect, content length, or timing.
    • If responses are generic or trigger lockout/MFA, stop and skip this method.
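The portal behaviour that makes error-diff work, and the fix, as an added example that is not code from the original page or from any of the products named above. The naive handler answers differently when the account is missing than when the password is wrong, so one request per candidate classifies it; the hardened handler returns the same status and body on every failure and performs the same password-hash work whether or not the account exists, so text, status, length and timing all collapse to one response. The user store, credentials and handler signatures are constructed for the example.

```python
"""Uniform login responses defeat single-attempt error-diff enumeration.

Added example; not from the original page. Contrasts a leaky handler with
one that returns identical failure responses and does equal hashing work
on the unknown-user and wrong-password paths. Users and secrets below are
constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). New random salt if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy credential hashed at the same cost. Checked when the username is
# unknown so the lookup-miss path takes as long as a real password check.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())

GENERIC_FAILURE = (401, "Invalid username or password.")


def login_leaky(username, password):
    """Naive handler: different status and text reveal which names exist,
    and the early return on a missing user is also measurably faster."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "Unknown user."            # leaks: account does not exist
    salt, expected = rec
    if hmac.compare_digest(hash_password(password, salt)[1], expected):
        return 200, "Welcome"
    return 401, "Wrong password."              # leaks: account exists


def login_uniform(username, password):
    """Hardened handler: one failure response, same work on every path."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hash_password(password, salt)[1]          # always computed
    # compare_digest runs first so the comparison cost is paid on both paths;
    # the membership check then rules out a (practically impossible) dummy match.
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    return (200, "Welcome") if ok else GENERIC_FAILURE


def leaks_existence(handler):
    """True when the handler's response differs between an unknown user and
    an existing user with a bad password, i.e. error-diff would work."""
    return handler("nobody", "bad-pass") != handler("alice", "bad-pass")


if __name__ == "__main__":
    for name, h in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(f"{name}: distinguishable = {leaks_existence(h)}")
```

Equalising the response text, status code and work factor covers the four signals listed above (text, status/redirect, length, timing); rate limiting and lockout thresholds belong at the same layer, since the goal is that one request per candidate yields no information either way.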

OSINT / File Scraping

Find publicly accessible files via search engines and search through their metadata (see File Scraping).