139,593 - RPC

rpcclient -U '' IP -N

enumdomusers

rpcclient -U 'USER%PASS' IP

rpcclient -U 'USER%HASH' IP --pw-nt-hash

rpcclient -U '' IP -c "enumdomusers" -N | tr '[]' ' '| awk '{print $2}' > validUsers.txt

rpcclient -U 'USER%PASS' IP -c "enumdomusers" | tr '[]' ' '| awk '{print $2}' > validUsers.txt

Por kerberos:

nxc smb DC.DOMAIN -u 'USER' -p 'PASSWORD' -k --users

nxc smb DC.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -k --users | awk '{print $5}' | grep -vE '\-|\[' > validUsers.txt

Lista de usuarios con descripción

querydispinfo

setuserinfo2 USER 23 'PASS'

impacket-lookupsid anonymous@domain.htb -target-ip IP -no-pass

impacket-lookupsid anonymous@domain.htb -target-ip IP -no-pass | grep SidTypeUser | tr '\\' ' ' | awk '{print $3}'