Username Enumeration

Username enumeration is an information-gathering technique where an attacker determines which usernames or accounts are valid in a system without knowing their passwords.

It is a pre-attack (reconnaissance) technique, not an exploit by itself, but it significantly reduces the effort of later attacks such as password spraying, brute force, phishing, or credential stuffing.


Let's assume we already have a list of candidate usernames and need to find out which of them actually exist in the target domain:

Kerberos is one of the most common vectors for username enumeration in Active Directory environments.

The Key Distribution Center (KDC) responds differently when:

  • a Kerberos principal exists

  • a Kerberos principal does not exist

We can use Kerbrute to validate usernames via Kerberos:

┌──(hacker@attack-machine)-[~/]
└─$ kerbrute userenum --dc 10.82.131.252 -d spookysec.local userlist.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 12/17/25 - Ronnie Flathers @ropnop

2025/12/17 18:06:28 >  Using KDC(s):
2025/12/17 18:06:28 >   10.82.131.252:88

2025/12/17 18:06:28 >  [+] VALID USERNAME:       [email protected]
2025/12/17 18:06:31 >  [+] VALID USERNAME:       [email protected]
2025/12/17 18:06:34 >  [+] VALID USERNAME:       [email protected]
2025/12/17 18:06:35 >  [+] VALID USERNAME:       [email protected]
2025/12/17 18:06:51 >  [+] VALID USERNAME:       [email protected]
2025/12/17 18:06:59 >  [+] VALID USERNAME:       [email protected]
2025/12/17 18:07:15 >  [+] VALID USERNAME:       [email protected]
2025/12/17 18:07:22 >  [+] VALID USERNAME:       [email protected]

We can get users from SMB with NetExec:

This vector does not always work and is frequently restricted in hardened environments.


Enumerate users with RPC:


Native Windows Commands:

Run net user /domain to list all domain users with basic details like usernames.

PowerShell:

Get-ADUser -Filter * -Properties * | Select Name, SamAccountName, Enabled returns every domain user with its name, SAM account name and enabled state (requires the ActiveDirectory module).


OpSec Note:

Username enumeration is not stealthy.

Although individual requests may be legitimate, mass enumeration creates clear behavioral anomalies:

  • repeated authentication failures

  • sequential username testing

  • Kerberos AS-REQ anomalies

  • unusual SMB / RPC enumeration patterns
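The Kerberos signal described above is what a defender can key on: when an AS-REQ names a principal the KDC does not know, the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6), and a Windows domain controller records that as Security event 4768 with Status 0x6. A single mistyped logon produces one such failure; a wordlist run produces many distinct unknown names from one source in a short window. The following Python is an added detection example, not code from the page or from Kerbrute's authors. It assumes the 4768 events have already been flattened into one key=value record per line (field names TargetUserName, IpAddress and Status mirror the event's EventData; the sample lines, IP addresses and names are constructed), and the five-name / five-minute threshold is a starting point to tune per environment.

```python
"""Flag sources producing bursts of Kerberos unknown-principal failures (event 4768, Status 0x6).

Added example. Assumes pre-flattened log lines; in a real pipeline the records
would come from the Security log or a SIEM export rather than an inline string.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 4120 KDC error code for "client principal not found" as reported in 4768 Status.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample events: one typo from a workstation, one enumeration burst
# from 10.82.131.250, and normal successful TGT requests (Status 0x0).
SAMPLE_EVENTS = """\
2025-12-17T18:06:10Z EventID=4768 TargetUserName=james IpAddress=10.82.131.10 Status=0x0
2025-12-17T18:06:12Z EventID=4768 TargetUserName=jmaes IpAddress=10.82.131.10 Status=0x6
2025-12-17T18:06:28Z EventID=4768 TargetUserName=aaron IpAddress=10.82.131.250 Status=0x6
2025-12-17T18:06:28Z EventID=4768 TargetUserName=abbie IpAddress=10.82.131.250 Status=0x6
2025-12-17T18:06:29Z EventID=4768 TargetUserName=abbott IpAddress=10.82.131.250 Status=0x6
2025-12-17T18:06:29Z EventID=4768 TargetUserName=abby IpAddress=10.82.131.250 Status=0x6
2025-12-17T18:06:30Z EventID=4768 TargetUserName=abdul IpAddress=10.82.131.250 Status=0x6
2025-12-17T18:06:30Z EventID=4768 TargetUserName=abe IpAddress=10.82.131.250 Status=0x6
2025-12-17T18:06:31Z EventID=4768 TargetUserName=james IpAddress=10.82.131.250 Status=0x19
2025-12-17T18:09:00Z EventID=4768 TargetUserName=svc-backup IpAddress=10.82.131.20 Status=0x0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<fields>.*)$")


def parse_event(line):
    """Parse one flattened record into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    except ValueError:
        return None
    fields["ts"] = ts
    return fields


def find_enumeration_sources(text, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: sorted unknown principal names} for every source that
    requested TGTs for at least `threshold` distinct unknown principals inside
    any sliding `window`. Only Status 0x6 is counted: a probe for a valid name
    does not produce an unknown-principal failure, so the unknown names carry
    the signal, not the valid ones.
    """
    per_ip = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("EventID") != "4768":
            continue
        if ev.get("Status") != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        per_ip[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            names_in_window = {name for _, name in events[start:end + 1]}
            if len(names_in_window) >= threshold:
                flagged[ip] = sorted({name for _, name in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, names in find_enumeration_sources(SAMPLE_EVENTS).items():
        print(f"possible username enumeration from {ip}: {len(names)} unknown principals, e.g. {names[:3]}")
```

The distinct-name count matters more than the raw failure count: a misconfigured service retrying one bad name all day generates many 0x6 events but only one principal, while a wordlist run sweeps through many. Note that 4768 auditing for failures must be enabled on the domain controllers (Kerberos Authentication Service audit subcategory) for these events to exist at all.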


Why Username Enumeration Is Dangerous:

  • efficient password spraying

  • targeted phishing campaigns

  • account lockout abuse (DoS)

  • Kerberos-based credential attacks

  • faster lateral movement
