This script downloads the list of users for the target system.
Install the Impacket Framework
    samrdump.py [-h] [-csv] [-ts] [-debug] [-dc-ip ip address]
                [-target-ip ip address] [-port [destination port]]
                [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                target

    Impacket v0.10.1.dev1+20220504.120002.d5097759 - Copyright 2022 SecureAuth Corporation

    This script downloads the list of users for the target system.

    positional arguments:
      target                [[domain/]username[:password]@]<targetName or address>

    optional arguments:
      -h, --help            show this help message and exit
      -csv                  Turn CSV output
      -ts                   Adds timestamp to every logging output
      -debug                Turn DEBUG output ON

    connection:
      -dc-ip ip address     IP Address of the domain controller. If ommited it use
                            the domain part (FQDN) specified in the target parameter
      -target-ip ip address
                            IP Address of the target machine. If ommited it will use
                            whatever was specified as target. This is useful when
                            target is the NetBIOS name and you cannot resolve it
      -port [destination port]
                            Destination port to connect to SMB Server

    authentication:
      -hashes LMHASH:NTHASH
                            NTLM hashes, format is LMHASH:NTHASH
      -no-pass              don't ask for password (useful for -k)
      -k                    Use Kerberos authentication. Grabs credentials from
                            ccache file (KRB5CCNAME) based on target parameters. If
                            valid credentials cannot be found, it will use the ones
                            specified in the command line
      -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                            bits)
    $ samrdump.py offsec.nl/johndo-adm:[email protected]
    Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

    [*] Retrieving endpoint list from 10.10.10.16
    Found domain(s):
     . OFFSEC
     . Builtin
    [*] Looking up users in domain OFFSEC
    Found user: Administrator, uid = 500
    Found user: Guest, uid = 501
    Found user: krbtgt, uid = 502
    Found user: johndo, uid = 1107
    Found user: adm_johndo, uid = 1108
    Found user: janedo, uid = 1110
    Found user: tokio, uid = 1111
    Found user: lisboa, uid = 1112
    Found user: professor, uid = 1113
    Found user: nairobi, uid = 1114
    Found user: helsinki, uid = 1115
    Administrator (500)/FullName:
    Administrator (500)/UserComment:
    Administrator (500)/PrimaryGroupId: 513
    Administrator (500)/BadPasswordCount: 0
    Administrator (500)/LogonCount: 24
    Administrator (500)/PasswordLastSet: 2020-03-18 10:55:43.427441
    Administrator (500)/PasswordDoesNotExpire: False
    Administrator (500)/AccountIsDisabled: False
    Administrator (500)/ScriptPath [...]