# Making a Target User List

If you are on an internal machine but don’t have valid domain credentials, you can look for SMB NULL sessions or LDAP anonymous binds on Domain Controllers. Either of these will allow you to obtain an accurate list of all users within Active Directory and the password policy. If you already have credentials for a domain user or `SYSTEM` access on a Windows host, then you can easily query Active Directory for this information.

This works from the `SYSTEM` account because it can impersonate the computer, and a computer object is treated as a domain user account (with some differences, such as authenticating across forest trusts). If you don’t have a valid domain account and neither SMB NULL sessions nor LDAP anonymous binds are possible, you can build a user list from external sources such as email harvesting and LinkedIn. That list will not be as complete, but it may be enough to provide you with access to Active Directory.

```
enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
```

```
rpcclient -U "" -N 172.16.5.5

rpcclient $> enumdomusers 
```

```
nxc smb 172.16.5.5 --users
```

```
ldapsearch -H ldap://172.16.5.5 -x -b "DC=DOMAIN,DC=COM" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
```

```
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
```

```
kerbrute userenum -d domain.com --dc 172.16.5.5 /opt/jsmith.txt
```
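
What the `kerbrute userenum` step above looks like from the Domain Controller's side, as an added example that is not part of the original notes: it flags any source address that requests TGTs for many principals that do not exist. It assumes Kerberos Authentication Service auditing is enabled so that those requests are logged as event 4768 with Status `0x6`, and that events are exported as dicts using the 4768 field names; the sample records, the address `172.16.5.225` and the threshold are constructed.

```python
from collections import defaultdict

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6  # RFC 4120 error code 6: client not in the KDC database


def _evt(user, ip, status, event_id=4768):
    """Build one constructed record using event 4768 field names."""
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip, "Status": status}


# Constructed sample data, not real logs.
GUESSES = ["jsmith", "jdoe", "asmith", "bjones", "mwhite", "kbrown"]
SAMPLE_EVENTS = (
    [_evt(u, "::ffff:172.16.5.225", "0x6") for u in GUESSES]
    + [_evt("JSmith", "::ffff:172.16.5.225", "0x6")]      # same name, different case
    + [_evt("alice", "::ffff:172.16.5.130", "0x0"),       # normal TGT request
       _evt("alcie", "::ffff:172.16.5.130", "0x6"),       # one mistyped name
       _evt("bob", "::ffff:172.16.5.130", "0x18", 4771)]  # other event ID, ignored
)


def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix that DCs commonly log."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def find_user_enumeration(events, min_unknown=5):
    """Return {source_ip: sorted unknown names} for sources that requested
    TGTs for at least min_unknown distinct nonexistent principals."""
    unknown = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        try:
            status = int(str(ev.get("Status", "")), 16)
        except ValueError:
            continue  # malformed status field, skip the record
        if status != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        src = normalize_ip(ev.get("IpAddress", ""))
        unknown[src].add(ev.get("TargetUserName", "").lower())
    return {ip: sorted(n) for ip, n in unknown.items() if len(n) >= min_unknown}


if __name__ == "__main__":
    for ip, names in find_user_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} unknown principals requested: {', '.join(names)}")
```

Counting distinct names rather than raw events keeps a single user retrying one typo from crossing the threshold.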


